Platform
1 July 2024 Blog Vlad
RegreSSHion, critical vulnerability on OpenSSH CVE-2024-6387
Ce contenu vous plait
Partagez-le sur les réseaux
It's the end of the world but exceptionally it's Monday and not Friday... yay...
As the band Daughter says in their song The End:
<< This is the end, this is the end
You wait to find that I'm still here
And you've been waiting for the light to shine >>
And the light will shine if you don't update!
This is actually a 2020 regression of a vulnerability initially fixed in 2006 (hence the name 😎). It is a "race condition" which requires several hours to be exploited but which allows you to become root. It is detectable but you will have to be reactive!
The original article : https://www.openwall.com/lists/oss-security/2024/07/01/3
The OpenSSH versions state are as follows:
- OpenSSH < 4.4p1 (the 2006 vuln) is vulnerable to the signal handler race condition
- 4.4p1 <= OpenSSH < 8.5p1 is not vulnerable
- 8.5p1 <= OpenSSH < 9.8p1 is vulnerable again due to the regression
First things to determine:
- Do you have OpenSSH exposed on the Internet?
- If so, are they vulnerable?
- If so, update them as a priority!
Then:
- Do you have OpenSSH internally?
- If so, are they vulnerable?
- If yes, schedule the update
If you can't update :
- Restrict Access to SSH (limit exposition of ssh to admin networks, IP address white listing...)
- Disabling password-based logins when possible
- Monitor SSH access logs for unusual activities
En complément, voici une procédure que nous recommandons pour mettre à jour sans perdre la main si la mise à jour classique ne fonctionne pas ou n’est pas disponible :
sudo apt show openssh-server
Depends: adduser (>= 3.9), dpkg (>= 1.9.0), libpam-modules (>= 0.72-9), libpam-runtime (>= 0.76-14), lsb-base (>= 4.1+Debian3), openssh-client (= 1:8.9p1-3ubuntu0.7), openssh-sftp-server, procps, ucf (>= 0.28), debconf (>= 0.5) | debconf-2.0, libaudit1 (>= 1:2.2.1), libc6 (>= 2.34), libcom-err2 (>= 1.43.9), libcrypt1 (>= 1:4.1.0), libgssapi-krb5-2 (>= 1.17), libkrb5-3 (>= 1.13~alpha1+dfsg), libpam0g (>= 0.99.7.1), libselinux1 (>= 3.1~), libssl3 (>= 3.0.2), libsystemd0, libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.1.4)
sudo apt install adduser dpkg libpam-modules libpam-runtime lsb-base openssh-client openssh-sftp-server procps ucf debconf libaudit1 libc6 libcom-err2 libcrypt1 libgssapi-krb5-2 libkrb5-3 libpam0g libselinux1 libssl3 libsystemd0 libwrap0 zlib1g libzstd1 zlib1g libssh-4 libssh-dev libssl3 libc6-dev libc6 libcrypt-d
VER=9.8p1
wget -O /tmp/openssh-9.8p1.tar.gz https://ftp.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${VER}.tar.gz
wget -O /tmp/RELEASE_KEY.asc https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
gpg --import /tmp/RELEASE_KEY.asc
cd /tmp/
tar -xvf openssh-${VER}.tar.gz
cd openssh-${VER}
./configure --prefix=/opt/openssh-${VER}
sudo make
sudo make install
cd /usr/lib/systemd/system/
cp -av ssh.service ssh-latest.service
cp -av ssh@.service ssh-latest@.service
cp -av ssh.socket ssh-latest.socket
cp -av rescue-ssh.target rescue-ssh-latest.target
### Editing manually
diff -y --suppress-common-lines ssh-latest.service ssh.service
ConditionPathExists=!/opt/openssh-latest/etc/sshd_not_to_be_r | ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
EnvironmentFile=-/opt/openssh-latest/default/ssh | EnvironmentFile=-/etc/default/ssh
ExecStartPre=/opt/openssh-latest/sbin/sshd -t | ExecStartPre=/usr/sbin/sshd -t
ExecStart=/opt/openssh-latest/sbin/sshd -D $SSHD_OPTS | ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/opt/openssh-latest/sbin/sshd -t | ExecReload=/usr/sbin/sshd -t
Type=exec | Type=notify
RuntimeDirectory=sshd-latest | RuntimeDirectory=sshd
Alias=sshd-latest.service | Alias=sshd.service
diff -y --suppress-common-lines ssh-latest.socket ssh.socket
Before=ssh-latest.service | Before=ssh.service
Conflicts=ssh-latest.service | Conflicts=ssh.service
ConditionPathExists=!/opt/openssh-latest/etc/sshd_not_to_be_r | ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
ListenStream=2222 | ListenStream=22
diff -y --suppress-common-lines rescue-ssh.target rescue-ssh-latest.target
Requires=network-online.target ssh.service | Requires=network-online.target ssh-latest.service
After=network-online.target ssh.service | After=network-online.target ssh-latest.service
mkdir -vp /opt/openssh-latest/default/
cp -av /etc/default/ssh /opt/openssh-latest/default/
systemctl enable ssh-latest.service
systemctl enable ssh-latest.socket
systemctl daemon-reload
systemctl start ssh-latest
systemctl status ssh-latest
echo | nc localhost 2222
SSH-2.0-OpenSSH_9.8
Invalid SSH identification string.
Ensuite :
- Connect via port 2222 to check that it works and deactivate the ssh.service service
- Modify the port conf of /etc/ssh/sshd_config to put port 22 again
- Restart the ssh-latest service (risk of losing the server)
- Reconnect using ssh on port 22
ssh -p 2222 <user>@<server>
cat /etc/ssh/sshd_config
...
Port 22
...
sudo systemctl restart ssh-latest
ssh -p 22 <user>@<server>
Source: https://gist.github.com/jtmoon79/745e6df63dd14b9f2d17a662179e953a
Good luck to you and be glad it's Monday and not Friday 😉.