×
Login Register an account
Top Submissions Explore Upgoat Search Random Subverse Random Post Colorize! Site Rules Donate
14

'Critical' vulnerability in OpenSSH uncovered, affects almost all Linux systems

submitted by Dingo to Linux 11 monthsJul 1, 2024 11:51:31 ago (+14/-0)     (www.computing.co.uk)

https://www.computing.co.uk/news/4329906/critical-vulnerability-openssh-uncovered-affects-linux-systems

More info here: https://redlib.catsarch.com/r/linux/comments/1dsvgli/critical_vulnerability_in_openssh_uncovered/

============Below is a comment with other links=============

Debian system on stable seem like they're not affected. I checked my open SSH version using sudo apt show openssh-server and looks like I'm running:

Package: openssh-server Version: 1:7.9p1-10+deb10u4

And the article listed states that this version isn't affected.

My Ubuntu machine is on version Version: 1:8.9p1-3ubuntu0.7 and looks like this version IS affected by this bug. I'm on the jammy release and they have released a new version that fixes this problem, so just a quick update should fix the issue.

Sources:

Ubuntu: https://ubuntu.com/security/CVE-2024-6387
RedHat: https://access.redhat.com/security/cve/CVE-2024-6387
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387


6 comments block

sort by: hot new top old low

[ - ] Empire_of_the_Mind 3 points 11 monthsJul 1, 2024 15:32:58 ago (+3/-0)

i mean it says "Open" ssh right in the name

[ - ] ilikeskittles 1 point 11 monthsJul 2, 2024 09:44:44 ago (+1/-0)

SSH Has been vulnerable for 20 years. Turn it on when you need it, then turn it pack off.

[ - ] Dingo [op] 0 points 11 monthsJul 2, 2024 12:34:18 ago (+0/-0)

Turn it on when you need it, then turn it pack off.

I agree, this is very good advice. I guess it depends on who is using it but many have network storage and use Samba. Not sure how Samba shakes up with openssh, but I'd assume it's just as vulnerable.

Sneaker-net for the win I guess.

[ - ] mannerbund 1 point 11 monthsJul 1, 2024 18:56:42 ago (+1/-0)

Ubuntu 22.04 through current are affected.

I got to spend Friday ACLing access which was once much more open, it was a lame day. Fortunately updates were easy to apply once the patch was released.

This one had chatter in some of the infosec circles, but what bugs me is the patch was released in near timing of the announcement, preventing many systems from auto updating. Details about the scope of the vulnerability were kept quite hidden too, so we spent a chunk of time locking things down that didn't need it.

[ - ] Dingo [op] 0 points 11 monthsJul 2, 2024 12:43:28 ago (+0/-0)

This is very interesting information. I wonder what the precise nature was and the "urgent fix" they shoehorn into all the other updates.

Ubuntu 22.04 through current are affected.

Do you mean 22.04 and before or 22.04 and after?

[ - ] mannerbund 1 point 11 monthsJul 2, 2024 15:29:29 ago (+1/-0)

2022 and after, along with much older versions. I didn't run Ubuntu in the olden days, but older versions of openssh were vulnerable too.

As far as I can tell today the work was for not. We ban connections if they fail to auth successfully the first time and what I've been reading is that the attack is a timing attack requiring many attempts to get in (somewhere around 1 in 10k attempts for a success rate).