
Does the “regreSSHion” vulnerability impact Macs? How to disable Remote Login


A high-severity vulnerability called regreSSHion impacts OpenSSH, and may affect Macs. Here’s everything Mac users should know.

On Monday, July 1, the maintainers of OpenSSH, an open-source software package, released a major security update. OpenSSH is built into many operating systems, including macOS—the operating system that powers Apple’s Mac computers.

The July 1 update, OpenSSH 9.8p1, patches a single vulnerability: “regreSSHion,” aka CVE-2024-6387. How might this vulnerability affect Macs? Should Mac users be concerned? What can be done about it? Let’s explore those answers.


What is OpenSSH? How do Macs use it?

OpenSSH is mainly used to establish a secure connection between a computer and a remote server. It is commonly associated with the command-line tool “ssh” (short for “secure shell”) which can be used in the Mac’s Terminal app.

Macs have a feature (which can be enabled in System Settings, under General > Sharing) called Remote Login; it is off by default. If a user enables the feature, “Remote Login lets users of other computers access this computer using SSH and SFTP,” according to Apple. Anyone on the same network can then attempt to connect to your Mac silently via SSH. Behind the scenes, Remote Login uses the open-source software OpenSSH.

If you set up port forwarding on your home router or company firewall, then SSH can even be made accessible to any computer on the Internet. One company observed more than 7 million vulnerable OpenSSH servers connected to the Internet on July 1, the day of the disclosure and patch.

What is the “regreSSHion” vulnerability (CVE-2024-6387)?

Qualys, the company that discovered the vulnerability, describes it as follows:

regreSSHion, CVE-2024-6387, is an unauthenticated remote code execution [(RCE) vulnerability] in OpenSSH’s server (sshd) that grants full root access. It affects the default configuration and does not require user interaction. It poses a significant exploit risk.

The summary from NIST’s National Vulnerability Database adds some additional detail:

A security regression (CVE-2006-5051) was discovered in OpenSSH’s server (sshd). There is a race condition which can lead […] sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

NIST gives this vulnerability an 8.1 (out of 10) CVSS score, which is considered “high” severity.

The name “regreSSHion” is a pun based on SSH and the programming term “regression” (in this case, referring to the reintroduction of a past security bug).

What version of OpenSSH is built into macOS? Is it vulnerable?

As of macOS Sonoma 14.5, Macs include OpenSSH version 9.6p1, which is an affected version; the only fully patched version is 9.8p1 (or 9.8). You can check your own Mac’s OpenSSH version via the Terminal:

% /usr/bin/ssh -V
OpenSSH_9.6p1, LibreSSL 3.3.6

(Note that macOS Sonoma currently also includes an outdated and highly vulnerable version of LibreSSL that is more than two years old. We have been covering this on The Mac Security Blog since last year, soon after macOS Sonoma’s public release. Apple has continued to ignore our inquiries about it.)

While the particular version of OpenSSH built into Macs is known to be vulnerable, attackers can only exploit the regreSSHion vulnerability under specific conditions. Qualys notes only that the vulnerability “likely” exists in macOS; it stated that it did not investigate macOS specifically, and that the exploitability of the bug on macOS “remains uncertain.”

What does Apple have to say about regreSSHion?

Publicly, Apple has remained quiet about whether macOS is affected.

Apple did not respond to Intego’s inquiry about the vulnerability. It is unclear whether Apple has done any internal testing related to regreSSHion, or whether (and when) the company plans to release a security patch.

Reportedly, customers who contacted AppleCare Enterprise Support Engineering got a generic response: “To protect our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”

How can I disable Remote Login on macOS if I don’t use it?

Apple’s “Remote Login” feature, which enables remote SSH access to a Mac, is disabled by default. You can easily check whether it’s enabled on your Mac.

If you don’t use Remote Login but you find that it’s enabled on your Mac, it’s probably a good idea to disable it. This will help reduce your attack surface, i.e. the ways in which you could potentially be attacked.

If you use macOS Ventura, macOS Sonoma, or macOS Sequoia beta:

  1. Click on the Apple menu in the top-left corner of the screen, then click System Settings…
  2. Click on General, then click on Sharing.
  3. In the Advanced section, make sure that the toggle switch (slider) next to Remote Login is in the off position (i.e. the circle is on the left).

If you use macOS Monterey or earlier, please note that your Mac’s operating system contains numerous vulnerabilities that will never be patched. Apple provides only minimal security patches for the two previous versions of macOS, and zero patches for versions older than that. However, if your Mac doesn’t officially support macOS Sonoma (and if you’re unwilling to upgrade macOS using an unsupported method), you can disable Remote Login as follows:

  1. Click on the Apple menu in the top-left corner of the screen, then click System Preferences…
  2. Click on Sharing.
  3. On the left side of the window, make sure that the checkbox next to Remote Login is unchecked.
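As an added example (not from the original article, Apple, Qualys or OpenSSH), the shell functions below classify an `ssh -V` banner and combine it with the Remote Login state reported by `sudo systemsetup -getremotelogin`. The function names and the sample state line are constructed here, and the affected version range (before 4.4p1, and 8.5p1 up to but not including 9.8p1) comes from the Qualys advisory rather than this page. A version match alone does not show whether a vendor build is exploitable or carries a backported fix.

```shell
#!/bin/sh
# Added example: relate the OpenSSH version to the Remote Login state.
# Version ranges are from the Qualys advisory, not from this article.

# Print "affected", "not-affected" or "unknown" for an `ssh -V` banner.
openssh_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo unknown; return; }
    set -- $ver                       # $1 = major, $2 = minor
    n=$(( $1 * 100 + $2 ))            # 9.6 -> 906, 8.5 -> 805
    if   [ "$n" -lt 404 ]; then echo affected       # before 4.4p1
    elif [ "$n" -lt 805 ]; then echo not-affected   # 4.4p1 up to 8.4p1
    elif [ "$n" -lt 908 ]; then echo affected       # 8.5p1 up to 9.7p1
    else echo not-affected                          # 9.8p1 and later
    fi
}

# Return 0 if `systemsetup -getremotelogin` output says Remote Login is on.
remote_login_on() {
    case "$1" in
        *"Remote Login: On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine both facts: $1 = ssh -V banner, $2 = systemsetup output.
assess() {
    status=$(openssh_status "$1")
    if ! remote_login_on "$2"; then
        echo "Remote Login off: sshd is not listening (OpenSSH $status)"
    elif [ "$status" = affected ]; then
        echo "Remote Login on with affected OpenSSH: turn it off if unused"
    else
        echo "Remote Login on (OpenSSH $status)"
    fi
}

# Constructed sample input; the banner is the one shown in the article.
SAMPLE_BANNER='OpenSSH_9.6p1, LibreSSL 3.3.6'
SAMPLE_STATE='Remote Login: On'
assess "$SAMPLE_BANNER" "$SAMPLE_STATE"

# On a real Mac (ssh -V prints to stderr; systemsetup needs admin rights):
#   assess "$(/usr/bin/ssh -V 2>&1)" "$(sudo systemsetup -getremotelogin)"
```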

How can I learn more?

To learn more about the regreSSHion vulnerability, you can read Qualys’s overview, blog post and FAQ, and technical advisory.

We briefly discussed regreSSHion on episode 351 of the Intego Mac Podcast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security, and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.