OpenSSH: CVE-2024-6387 - regreSSHion

Hi,

earlier today CVE-2024-6387 was published:

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

I tried searching but couldn't find any info about the patch state for Manjaro. To me it looks unpatched as of yet and I don't see anyone talking about it. Am I correct with this? Is there progress being made with providing a patched version?


It’s patched with openssh 9.8: https://www.openssh.com/txt/release-9.8

But there are also minimal patches available.

For anyone who wants to take immediate action: apparently it can be mitigated by setting LoginGraceTime 0:

can be fixed by simply setting LoginGraceTime to 0 in the
configuration file. This makes sshd vulnerable to a denial of service
(the exhaustion of all MaxStartups connections), but it makes it safe
from the remote code execution presented in this advisory.

3 Likes
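As an added example (not from this thread or from the OpenSSH project), a POSIX shell snippet that tells a defender where a host stands: on the fixed 9.8 release, on an older release with the LoginGraceTime 0 workaround quoted above active, or exposed. It reads effective-configuration output in the format `sshd -T` prints (lowercase keywords); the sample outputs, version strings and function names are constructed assumptions.

```shell
# Constructed samples of `sshd -T` output (effective config, lowercase keywords).
SAMPLE_UNMITIGATED='port 22
logingracetime 120
maxstartups 10:30:100'
SAMPLE_MITIGATED='port 22
logingracetime 0
maxstartups 10:30:100'

# Print the value of one keyword from sshd -T output supplied on stdin.
sshd_opt() {
    awk -v key="$1" 'tolower($1) == key { print $2; exit }'
}

# Returns 0 when LoginGraceTime is 0 (the workaround from the advisory is active).
grace_mitigated() {
    [ "$(printf '%s\n' "$1" | sshd_opt logingracetime)" = "0" ]
}

# Last field of MaxStartups (start:rate:full) is the hard cap on concurrent
# unauthenticated connections; with LoginGraceTime 0 it is the only thing
# that still bounds them, which is the denial-of-service trade-off noted above.
maxstartups_full() {
    printf '%s\n' "$1" | sshd_opt maxstartups | awk -F: '{ print $NF }'
}

# Returns 0 if an OpenSSH version string such as "9.7p1" is 9.8 or newer.
version_at_least_9_8() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%p*}
    [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 8 ]; }
}

# Classify a host: $1 = installed version, $2 = sshd -T output.
# Prints "patched", "mitigated" or "exposed".
assess() {
    if version_at_least_9_8 "$1"; then
        echo patched
    elif grace_mitigated "$2"; then
        echo mitigated
    else
        echo exposed
    fi
}

# On a real host: assess "$(ssh -V 2>&1 | sed 's/^OpenSSH_\([0-9.p]*\).*/\1/')" "$(sshd -T)"
assess 9.7p1 "$SAMPLE_MITIGATED"
```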

Manjaro has no update yet as far as I can tell, yes.

It looks like Arch already updated openssh to 9.8p1: Arch Linux - openssh 9.8p1-1 (x86_64)

May I suggest fast-tracking that update to the Manjaro repos? Otherwise, a backported fix to the current 9.7p1 would be greatly appreciated.

Yep, arch bumped 5 hours ago: upgpkg: 9.8p1-1: security update (af3308dd) · Commits · Arch Linux / Packaging / Packages / openssh · GitLab

Oh, and they’re investigating an issue with that update: Can't login after openssh 9.8p1-1 upgrade, MUST restart sshd (#5) · Issues · Arch Linux / Packaging / Packages / openssh · GitLab

But I would gladly take that bump even if I have to restart the service manually :slight_smile:

The exploit currently only works on 32-bit systems. A 64-bit version is in the works:

“The exploit only works in about every ten thousandth attempt, after the standard 120-second timeout (LoginGraceTime) has expired…”

The exploit for x64 is said to be significantly slower than the one for i386. It may take a week for the attack to break in.

So there is no reason to act hastily and no reason to panic. (One must also consider the circumstances surrounding the XZ problem, in particular the pressure that was exerted at the time, thankfully unsuccessfully.)

3 Likes

I know that there currently only is a working exploit for 32-bit systems. However, a 64-bit exploit is only a matter of time. Therefore, a fast patch would be preferable to not even get into potentially unclear situations once an exploit drops. Not panicking is advisable and the update should not break existing deployments; however, even large distributions with a focus on stable packages like Debian and Ubuntu understood this and already backported minimal patches anyway.

Also, the comparison to the XZ situation does not fit at all. In XZ, the malicious actor pressed for an update with the excuse of getting obscure new features into the library. For OpenSSH, there is a well documented blog post for a fixed security vulnerability that is backed by a stable team of developers (see their release notes on openssh dot com) for a product that did not have a critical vulnerability in at least a decade.

3 Likes

openssh 9.8p1-1 is now available in all branches.

6 Likes

Amazing, thank you for the fast reaction!

1 Like
