What is present advice about OpenSSH/SSH/SSHD cve-2024-6387

Started by PerpetualNewbie, July 01, 2024, 06:15:10 PM

July 01, 2024, 06:15:10 PM Last Edit: July 01, 2024, 06:27:26 PM by PerpetualNewbie
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

(Claimed regression of CVE-2006-5051)
( https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc )

Assuming there will be a patched sshd in a new OPNSense hotfix/release, what is the present best advice for people running sshd?

In sshd_config, alter "LoginGraceTime" to "0" (unlimited), then bounce the sshd service, or some other step?

Thanks!

Either that or closing up the SSH port from the WAN side, perhaps?

Considering that the expected time for a full-scale attack is deemed to be around at least a week, you can wait for at least that long for a hotfix.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
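The mitigation asked about in the opening post is a configuration change, and whether it is actually in effect depends on how sshd reads its file: the first obtained value for a keyword wins, distribution defaults are usually present only as commented-out lines, and time values may carry unit suffixes. The following checker is an added example written for this thread, not code from the OPNsense project or from OpenSSH; the two sample configurations embedded in it are constructed, and it only inspects configuration text (it does not talk to a running sshd).

```python
import re

# Defaults from sshd_config(5): LoginGraceTime "2m", MaxStartups "10:30:100".
DEFAULT_LOGIN_GRACE_SECONDS = 120
DEFAULT_MAX_STARTUPS = (10, 30, 100)

# sshd time format: a sequence of <number>[s|m|h|d|w]; no suffix means seconds.
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_time(value):
    """Convert an sshd_config time value such as "0", "30", "2m" or "1h30m" to seconds."""
    if not re.fullmatch(r"(?:\d+[smhdwSMHDW]?)+", value):
        raise ValueError("not an sshd time value: %r" % value)
    total = 0
    for qty, unit in re.findall(r"(\d+)([smhdwSMHDW]?)", value):
        total += int(qty) * _TIME_UNITS[unit.lower()]
    return total


def effective_options(config_text):
    """Return {lowercased keyword: value} for the global section of an sshd_config.

    sshd keeps the first value it obtains for each keyword, so later duplicates are
    ignored. Lines starting with '#' are comments. Keywords after the first Match
    line apply conditionally, so parsing stops there (LoginGraceTime is global only).
    """
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or by a single '='.
        m = re.match(r"^([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        opts.setdefault(key, val)
    return opts


def login_grace_seconds(opts):
    """Effective LoginGraceTime in seconds (0 means the grace timer is disabled)."""
    return parse_sshd_time(opts.get("logingracetime", str(DEFAULT_LOGIN_GRACE_SECONDS)))


def max_startups(opts):
    """Effective MaxStartups as a tuple: (n,) for a plain limit or (start, rate, full)."""
    raw = opts.get("maxstartups")
    if raw is None:
        return DEFAULT_MAX_STARTUPS
    return tuple(int(p) for p in raw.split(":"))


def assess(config_text):
    """Summarise the settings relevant to the LoginGraceTime mitigation."""
    opts = effective_options(config_text)
    grace = login_grace_seconds(opts)
    return {
        "login_grace_seconds": grace,
        "grace_timer_disabled": grace == 0,
        "max_startups": max_startups(opts),
    }


# Constructed sample: a distribution-style file where the default is only a comment.
SAMPLE_DEFAULT = """\
# This is a constructed sshd_config, not a real system's file.
Port 22
#LoginGraceTime 2m
PermitRootLogin no
"""

# Constructed sample: mitigation applied; the later duplicate must be ignored.
SAMPLE_MITIGATED = """\
Port 22
LoginGraceTime 0
MaxStartups 10:30:60
LoginGraceTime 30
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("mitigated", SAMPLE_MITIGATED)):
        print(name, assess(text))
```

Pointing `assess()` at the real file (on OPNsense, the sshd_config the service generates) tells you whether the timer is really off rather than merely edited somewhere later in the file. The linked Qualys advisory also notes the trade-off of this setting: with LoginGraceTime 0, unauthenticated connections are never timed out, so the MaxStartups limit becomes the only cap on them, which is why the summary reports both values together.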

If you have SSH open from outside, you're doing something wrong.
And, as PerpetualNewbie mentioned, this vulnerability is not exactly simple to exploit.

Quote from: Seattle2k on July 02, 2024, 05:35:21 PM
If you have SSH open from outside, you're doing something wrong.

Exactly. SSH from outside should always be accessed via VPN. In fact, everything from outside should go through VPN.

And suddenly your VPN protocol has a CVE. And then people are like "Oh no you are not supposed to open a VPN to the outside." xD

Anything exposed can be potentially attacked. And if the attack surface is known, it will be mitigated.

E.G.:
https://en.m.wikipedia.org/wiki/Anti-replay
Hardware:
DEC740

VPN is not fundamentally more secure than SSH. It's one of the most secure protocols and products existing.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Monviech on July 02, 2024, 09:02:07 PM
And suddenly your VPN protocol has a CVE. And then people are like "Oh no you are not supposed to open a VPN to the outside." xD

Anything exposed can be potentially attacked. And if the attack surface is known, it will be mitigated.

E.G.:
https://en.m.wikipedia.org/wiki/Anti-replay

Well. By that logic, let's not use computers at all. Let's get back to the Stone Age.

Quote from: Patrick M. Hausen on July 02, 2024, 09:06:55 PM
VPN is not fundamentally more secure than SSH. It's one of the most secure protocols and products existing.

It's about layers of protection, not X vs Y.

A VPN might expose a root RCE with more or less the same probability as SSH.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 02, 2024, 10:15:42 PM
A VPN might expose a root RCE with more or less the same probability as SSH.

It might. World War 3 might happen tomorrow. See where I'm going with this? This whole thing is so blown out of proportion it's ridiculous.

Layers <3

https://forum.opnsense.org/index.php?topic=40654.msg199395#msg199395

But Layers mean nothing if the most front facing technology can be exploited to give remote code execution with root access.
Hardware:
DEC740

Quote from: Monviech on July 02, 2024, 11:04:07 PM
Layers <3

https://forum.opnsense.org/index.php?topic=40654.msg199395#msg199395

But Layers mean nothing if the most front facing technology can be exploited to give remote code execution with root access.

Leave the IT space and go do something else.

Quote from: alex303 on July 02, 2024, 10:10:11 PM
Well. By that logic, let's not use computers at all. Let's get back to the Stone Age.

Can we please go back, my life would be SO much more simple!

Quote from: Greg_E on July 03, 2024, 03:10:41 PM
Quote from: alex303 on July 02, 2024, 10:10:11 PM
Well. By that logic, let's not use computers at all. Let's get back to the Stone Age.

Can we please go back, my life would be SO much more simple!

On a serious note, people have become so spoiled, nitpicky and entitled. They are impossible to please because "everything is broken and everything can be exploited". Sometimes when I read forums I wish the OPNsense team would go fully closed source and switch to a subscription model only, with hefty prices.

I also do not understand why people become angry so easily.

When the community version support is not enough for one, go buy a business licence and escalate this on the support side.

There are a lot of others that enjoy OPNsense and its high frequency patch releases and community.
I want all services to run at wire speed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use

Who's getting angry? The only person in this discussion insulting others is @alex303.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)