1 July 2024 Blog Vlad

RegreSSHion, critical vulnerability on OpenSSH CVE-2024-6387

It's the end of the world but exceptionally it's Monday and not Friday... yay...

As the band Daughter says in their song The End:

<< This is the end, this is the end
You wait to find that I'm still here
And you've been waiting for the light to shine >>

And the light will shine if you don't update!

This is actually a 2020 regression of a vulnerability initially fixed in 2006 (hence the name 😎). It is a "race condition" which requires several hours to be exploited but which allows you to become root. It is detectable but you will have to be reactive!

The original article : https://www.openwall.com/lists/oss-security/2024/07/01/3

The OpenSSH versions state are as follows:

  • OpenSSH < 4.4p1 (the 2006 vuln) is vulnerable to the signal handler race condition
  • 4.4p1 <= OpenSSH < 8.5p1 is not vulnerable
  • 8.5p1 <= OpenSSH < 9.8p1 is vulnerable again due to the regression

First things to determine:

  • Do you have OpenSSH exposed on the Internet?
  • If so, are they vulnerable?
  • If so, update them as a priority!

Then:

  • Do you have OpenSSH internally?
  • If so, are they vulnerable?
  • If yes, schedule the update

If you can't update :

  1. Restrict Access to SSH (limit exposition of ssh to admin networks, IP address white listing...)
  2. Disabling password-based logins when possible
  3. Monitor SSH access logs for unusual activities

En complément, voici une procédure que nous recommandons pour mettre à jour sans perdre la main si la mise à jour classique ne fonctionne pas ou n’est pas disponible :

sudo apt show openssh-server
Depends: adduser (>= 3.9), dpkg (>= 1.9.0), libpam-modules (>= 0.72-9), libpam-runtime (>= 0.76-14), lsb-base (>= 4.1+Debian3), openssh-client (= 1:8.9p1-3ubuntu0.7), openssh-sftp-server, procps, ucf (>= 0.28), debconf (>= 0.5) | debconf-2.0, libaudit1 (>= 1:2.2.1), libc6 (>= 2.34), libcom-err2 (>= 1.43.9), libcrypt1 (>= 1:4.1.0), libgssapi-krb5-2 (>= 1.17), libkrb5-3 (>= 1.13~alpha1+dfsg), libpam0g (>= 0.99.7.1), libselinux1 (>= 3.1~), libssl3 (>= 3.0.2), libsystemd0, libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.1.4)

sudo apt install adduser dpkg libpam-modules  libpam-runtime  lsb-base  openssh-client  openssh-sftp-server procps ucf  debconf  libaudit1  libc6  libcom-err2  libcrypt1  libgssapi-krb5-2  libkrb5-3  libpam0g  libselinux1  libssl3  libsystemd0 libwrap0  zlib1g libzstd1 zlib1g libssh-4 libssh-dev libssl3 libc6-dev libc6 libcrypt-d

VER=9.8p1
wget -O /tmp/openssh-9.8p1.tar.gz https://ftp.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${VER}.tar.gz

wget -O /tmp/RELEASE_KEY.asc https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

gpg --import /tmp/RELEASE_KEY.asc

cd /tmp/

tar -xvf openssh-${VER}.tar.gz
cd openssh-${VER}
./configure --prefix=/opt/openssh-${VER}
sudo make
sudo make install

cd /usr/lib/systemd/system/
cp -av ssh.service ssh-latest.service
cp -av ssh@.service ssh-latest@.service
cp -av ssh.socket ssh-latest.socket
cp -av rescue-ssh.target rescue-ssh-latest.target

### Editing manually
diff -y --suppress-common-lines ssh-latest.service ssh.service
ConditionPathExists=!/opt/openssh-latest/etc/sshd_not_to_be_r | ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
EnvironmentFile=-/opt/openssh-latest/default/ssh              | EnvironmentFile=-/etc/default/ssh
ExecStartPre=/opt/openssh-latest/sbin/sshd -t                 | ExecStartPre=/usr/sbin/sshd -t
ExecStart=/opt/openssh-latest/sbin/sshd -D $SSHD_OPTS         | ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/opt/openssh-latest/sbin/sshd -t                   | ExecReload=/usr/sbin/sshd -t
Type=exec                                                     | Type=notify
RuntimeDirectory=sshd-latest                                  | RuntimeDirectory=sshd
Alias=sshd-latest.service                                     | Alias=sshd.service

diff -y --suppress-common-lines ssh-latest.socket ssh.socket
Before=ssh-latest.service                                     | Before=ssh.service
Conflicts=ssh-latest.service                                  | Conflicts=ssh.service
ConditionPathExists=!/opt/openssh-latest/etc/sshd_not_to_be_r | ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
ListenStream=2222                                             | ListenStream=22

diff -y --suppress-common-lines rescue-ssh.target rescue-ssh-latest.target
Requires=network-online.target ssh.service                    | Requires=network-online.target ssh-latest.service
After=network-online.target ssh.service                       | After=network-online.target ssh-latest.service

mkdir -vp /opt/openssh-latest/default/
cp -av /etc/default/ssh /opt/openssh-latest/default/

systemctl enable ssh-latest.service
systemctl enable ssh-latest.socket
systemctl daemon-reload
systemctl start ssh-latest
systemctl status ssh-latest

echo | nc localhost 2222
SSH-2.0-OpenSSH_9.8
Invalid SSH identification string.

Ensuite :

  1. Connect via port 2222 to check that it works and deactivate the ssh.service service
  2. Modify the port conf of /etc/ssh/sshd_config to put port 22 again
  3. Restart the ssh-latest service (risk of losing the server)
  4. Reconnect using ssh on port 22
ssh -p 2222 <user>@<server>
cat /etc/ssh/sshd_config
...
Port 22
...
sudo systemctl restart ssh-latest
ssh -p 22 <user>@<server>

Source: https://gist.github.com/jtmoon79/745e6df63dd14b9f2d17a662179e953a

Good luck to you and be glad it's Monday and not Friday 😉.