[sf-lug] openssh server vulnerability

Akkana Peck akkana at shallowsky.com
Mon Jul 1 09:06:30 PDT 2024


Update your Linux machines, especially servers. There's an ssh race condition -- actually not new, but a regression of a much earlier bug that had been fixed. There's lots of detail at

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

Unlike most of the security alerts we hear about, this one seems to be real, at least for machines on networks exposed to unknown people (e.g. servers, people using open wi-fi).

https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server#frequently-asked-questions-faqs
says:
"Yes, this vulnerability can be exploited remotely and allows unauthenticated remote code execution (RCE) as root, posing a significant security risk."

Apparently with typical openssh-server timeouts and settings, it's likely to take 1-2 days to exploit it.

On Debian,
https://security-tracker.debian.org/tracker/source-package/openssh
has some details, but it's a little misleading; it says it's fixed in current stable (bookworm and bookworm-security), but
https://security-tracker.debian.org/tracker/CVE-2024-6387
says it's fixed in bookworm-security but not bookworm. Which means you're apparently fine if you have debian-security included in your /etc/apt/sources.list. (Even though the version number of the apt package is still in the vulnerable list of version numbers.)

It's not fixed in trixie (testing) or sid (unstable) yet, though it should be soon, so if you're running one of those, you might want to keep behind firewalls for a few days until you see an openssh-server update.

I haven't checked on the status of other distros besides Debian.

        ...Akkana
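As an added example, not part of Akkana's post or of Debian's own tooling, here is a POSIX shell script that performs the two checks the post describes for a Debian host: whether a -security suite is enabled in the apt sources, and whether an openssh-server update is waiting to be installed. The sample sources and apt-cache policy text (including the version strings) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): two checks the post raises for Debian hosts.
# 1. Is a "-security" suite enabled in the apt sources (one-line or deb822 format)?
# 2. Does "apt-cache policy openssh-server" show an update waiting to be installed?
# The functions take text as input so they can be exercised on the constructed samples below.

# Return 0 if an uncommented source line or deb822 Suites: line names a *-security suite.
has_security_source() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*(deb[[:space:]]+.*[[:space:]]|Suites:.*[[:space:]])[a-z]+-security([[:space:]]|$)'
}

# Pull the Installed or Candidate version out of apt-cache policy output. $1 = text, $2 = field.
policy_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: //p" | head -n 1
}

# Return 0 when the candidate version differs from the installed one, i.e. an upgrade is pending.
update_pending() {
    pending_inst=$(policy_field "$1" Installed)
    pending_cand=$(policy_field "$1" Candidate)
    [ -n "$pending_cand" ] && [ "$pending_inst" != "$pending_cand" ]
}

# Constructed sample inputs (the version strings are made up for this demonstration).
SAMPLE_SOURCES_OK='deb http://deb.debian.org/debian bookworm main
deb http://security.debian.org/debian-security bookworm-security main'
SAMPLE_SOURCES_COMMENTED='deb http://deb.debian.org/debian bookworm main
# deb http://security.debian.org/debian-security bookworm-security main'
SAMPLE_SOURCES_DEB822='Types: deb
URIs: http://security.debian.org/debian-security
Suites: bookworm-security
Components: main'
SAMPLE_POLICY_PENDING='openssh-server:
  Installed: 1:9.2p1-2+deb12u2
  Candidate: 1:9.2p1-2+deb12u3'
SAMPLE_POLICY_CURRENT='openssh-server:
  Installed: 1:9.2p1-2+deb12u3
  Candidate: 1:9.2p1-2+deb12u3'

# Live check on the local host; run the script with --live on a Debian machine that has apt.
check_host() {
    sources=$(cat /etc/apt/sources.list /etc/apt/sources.list.d/* 2>/dev/null)
    has_security_source "$sources" && echo "security suite: enabled" || echo "security suite: MISSING"
    policy=$(apt-cache policy openssh-server 2>/dev/null)
    update_pending "$policy" && echo "openssh-server: update pending, run apt upgrade" ||
        echo "openssh-server: no update pending (installed: $(policy_field "$policy" Installed))"
}
if [ "${1:-}" = "--live" ]; then check_host; fi
```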