OpenSSH CVE-2024-6387

Started by Patrick M. Hausen, July 01, 2024, 12:09:31 PM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
July 01, 2024, 12:09:31 PM
Hi folks!

Are we in for a quick hotfix?

https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
July 01, 2024, 01:29:59 PM #1
Hi Patrick,

This will be addressed next week from our end.
Looking briefly at the report https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt?ref=upstract.com, at a first glance exploitation on amd64 seems to be rather difficult (and time consuming) by the way.

Best regards,

Ad
July 01, 2024, 03:27:29 PM #2
Doesn't this mean FreeBSD isn't vulnerable?

Quote
We have not investigated any other libc or
operating system; but OpenBSD is notably not vulnerable, because its
SIGALRM handler calls syslog_r(), an async-signal-safer version of
syslog() that was invented by OpenBSD in 2001.
Hardware:
DEC740
July 01, 2024, 03:39:54 PM #3
See my link in the initial post. That's the advisory by the FreeBSD security team clearly stating that it is.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
July 01, 2024, 03:41:28 PM #4
Oops only read second link.
Hardware:
DEC740
July 02, 2024, 09:24:13 AM #5
The only confirmation is that OpenBSD went a different route with OpenSSH in 2001 and they're not affected.

There's no confirmation yet on FreeBSD, however the security team there decided they'll patch first and ask questions later - as Colin explained it on Twitter shortly after the vulnerability bacame public.

Unless something changes and somehow the bug becomes trivial to exploit on FreeBSD there's no real urgency to have this patched in OPNsense this week - - other than pleasing an otherwise hard to please and non-affilated Youtuber.


Anything Linux however is a Patch Now if exposed to the internet.
July 02, 2024, 03:10:32 PM #6
From what I could read in various CVE Trackers, not all Linux needs "patch now". There's much alarmism thrown around. Reading the bug report I stumbled upon "only tested on 32bit systems, 64bit is still ongoing". Huh...

But for FreeBSD the workaround is mentioned to:

Code Select
If sshd(8) cannot be updated, this signal handler race condition can be
mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and
restarting sshd(8). This makes sshd(8) vulnerable to a denial of service
(the exhaustion of all MaxStartups connections), but makes it safe from the
remote code execution presented in this advisory.

The DOS part shouldn't take too much, as I guess the lockout daemon would handle them before it gets to exhaustion anyways. So for anyone wanting a quick fix AND has SSH on WAN needed and not being able to disable it: changing that in sshd_config would do as workaround patch, wouldn't it?

Cheers :)
\jens
"It doesn't work!" is no valid error description! - Don't forget to [applaud] those offering time & brainpower to help you!
Better have some *sense as no(n)sense! ;)

If you're interested in german-speaking business support, feel free to reach out via PM.
July 02, 2024, 03:44:40 PM #7
I foresee another video coming out... Why I don't... Yes it seems the other firewall pushed out a fix and it seems to set to zero saving you the work of doing it yourself.

Setting to zero or blocking from the WAN is probably a good idea for a while.

Will Suricata detect this and block it? Seems like it would detect the pattern of constantly trying to force SSH and block the attempts. If not today, will it tomorrow?
July 02, 2024, 09:55:43 PM #8
Just a point of reference, my FreeBSD email server received an update (14.1-RELEASE-p2). This did not set "LoginGraceTime 0" so it must have actually patched ssh.
July 02, 2024, 10:17:00 PM #9
All supported branches plus 13.2 (which is technically EOL but only for two day, now) received an SSH update that fixes the issue.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
July 03, 2024, 09:59:06 AM #10
Quote from: Patrick M. Hausen on July 02, 2024, 10:17:00 PM
All supported branches plus 13.2 (which is technically EOL but only for two day, now) received an SSH update that fixes the issue.

Even if 13.2 wouldn't get it, Franco would patch it anyway .. we already saw similar things in 11.1 etc. :)
July 04, 2024, 06:59:34 AM #11 Last Edit: July 04, 2024, 07:07:40 AM by bestboy
July 05, 2024, 05:48:08 AM #12
Hey OPNsense, are we going to take this seriously and get an update out??

All of my other remote-facing networking systems have already had patches at this point...

What's the delay?
July 05, 2024, 08:40:50 AM #13
As stated on the top of this thread, next week. (https://forum.opnsense.org/index.php?topic=41342.msg202804#msg202804)

And yes, we are taking it serious, FreeBSD's patch is a precaution, which is obviously fine, but FreeBSD doesn't use glibc and OPNsense is also not available on 32bit systems.

Best regards,

Ad
July 10, 2024, 05:15:45 AM #14 Last Edit: July 10, 2024, 05:25:11 AM by squarepantsii
Quote from: Patrick M. Hausen on July 02, 2024, 10:17:00 PM
All supported branches plus 13.2 (which is technically EOL but only for two day, now) received an SSH update that fixes the issue.

I am still finding my way around the software stack. What does "all supported branches plus 13.2" mean?

If I do a # ssl -V, I get OpenSSH_9.7p1. Do this mean that this is not vulnerable?
Just re-read the Qualys notice, and this version is vulnerable. My question above still stands, thanks.
Print
Go Up Pages1 2
User actions