Update your OpenSSH server. NOW.

OpenSSH has a RCE vulnerability (https://www.openssh.com/releasenotes.html):

A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.

Detailed info: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
Debian stable already has a patched version (1:9.2p1-2+deb12u3).
(Yes, this was already posted on the OGF, but maybe not everyone noticed it.)

cpu_logger | Recommended providers: Layer7, dataforest (Avoro/PHP-Friends), @host_c

Comments

  • More info (probably) can be found here, but the week is too busy, so I didn't manage to have even a briefest look into all this:

    ☰ Probably the best Black Friday storage offersAMD EPYC VDSes with NVMe slices (ref) from 250GB to 4TB and 500GB–10TB SAN disk. / Big HDD storage VPSes (ref) from $2.42/month per TB. / Storage dedis and hybrid VPS (SSD + HDD) are there as well.

  • Last night I worked on upgrading all my servers. Damn you hackers!

    Stop the planet! I wish to get off!

  • NeoonNeoon OGSenpai
    edited July 2

    Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
    Roughly 10k retries until successful exploitation.

    On 64bit, apparently a week.
    But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.

    Unlikely that random machines are getting exploited, more like targeted attacks.
    Still patch it though.

  • I've set up a whitelist in firewall, so is my VPS vulnerable if I don't update OpenSSH immediately?

    MicroLXC is lovable. Uptime of C1V

  • AuroraZeroAuroraZero ModeratorHosting Provider

    @bliss said:
    I've set up a whitelist in firewall, so is my VPS vulnerable if I don't update OpenSSH immediately?

    From a security stance still update

    Thanked by (1)bliss

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • teamaccteamacc OGSenpai

    @Neoon said:
    Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
    Roughly 10k retries until successful exploitation.

    On 64bit, apparently a week.
    But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.

    Unlikely that random machines are getting exploited, more like targeted attacks.
    Still patch it though.

    If you know what dc your target is in, you could get a box in there as well and minimize jitter, right? That should cut down on the amount of attempts to make drastically.

    Hey teamacc. You're a dick. (c) Jon Biloh, 2020.

  • NeoonNeoon OGSenpai

    @teamacc said:

    @Neoon said:
    Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
    Roughly 10k retries until successful exploitation.

    On 64bit, apparently a week.
    But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.

    Unlikely that random machines are getting exploited, more like targeted attacks.
    Still patch it though.

    If you know what dc your target is in, you could get a box in there as well and minimize jitter, right? That should cut down on the amount of attempts to make drastically.

    The more oversold the Node is, the harder it should be too.
    All the CPU Steal the sshd deamon is hit with, good luck your your timing attacks bro.

    Thanked by (2)treesmokah yoursunny
  • teamaccteamacc OGSenpai

    @Neoon said:

    @teamacc said:

    @Neoon said:
    Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
    Roughly 10k retries until successful exploitation.

    On 64bit, apparently a week.
    But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.

    Unlikely that random machines are getting exploited, more like targeted attacks.
    Still patch it though.

    If you know what dc your target is in, you could get a box in there as well and minimize jitter, right? That should cut down on the amount of attempts to make drastically.

    The more oversold the Node is, the harder it should be too.
    All the CPU Steal the sshd deamon is hit with, good luck your your timing attacks bro.

    I've never felt as safe as with my @c1vhosting vps.

    Hey teamacc. You're a dick. (c) Jon Biloh, 2020.

  • NeoonNeoon OGSenpai

    @teamacc said:

    @Neoon said:

    @teamacc said:

    @Neoon said:
    Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
    Roughly 10k retries until successful exploitation.

    On 64bit, apparently a week.
    But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.

    Unlikely that random machines are getting exploited, more like targeted attacks.
    Still patch it though.

    If you know what dc your target is in, you could get a box in there as well and minimize jitter, right? That should cut down on the amount of attempts to make drastically.

    The more oversold the Node is, the harder it should be too.
    All the CPU Steal the sshd deamon is hit with, good luck your your timing attacks bro.

    I've never felt as safe as with my @c1vhosting vps.

    The more downtime you have, the safer it should be to.
    Premium @VirMach

  • MikeAMikeA Hosting ProviderOG

    @bliss said:
    I've set up a whitelist in firewall, so is my VPS vulnerable if I don't update OpenSSH immediately?

    Why wouldn't you though? All it takes is an apt/dnf upgrade openssh

    Thanked by (1)bliss
  • skorousskorous OGSenpai

    @MikeA said:

    @bliss said:
    I've set up a whitelist in firewall, so is my VPS vulnerable if I don't update OpenSSH immediately?

    Why wouldn't you though? All it takes is an apt/dnf upgrade openssh

    Plot twist: They're running Gentoo.

    Thanked by (2)tmntwitw bliss
  • I'm running on Debian Buster.

  • edited July 4

    @aRNoLD said:
    I'm running on Debian Buster.

    Excellent, @aRNoLD, excellent. That's the only thing that has bothered me for years. What version of Debian does Arnold run?
    Now that I know, I can die peacefully.

    Not so soon!

  • @yoursunny said:
    Life is too short to upgrade OpenSSH.

    Just use Dropbear

    Thanked by (2)yoursunny root

    youtube.com/watch?v=k1BneeJTDcU

  • You guys never have any good news...

    Websites have ads, I have ad-blocker.

  • edited July 9

    @Neoon said:

    @teamacc said:

    @Neoon said:

    @teamacc said:

    @Neoon said:
    Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
    Roughly 10k retries until successful exploitation.

    On 64bit, apparently a week.
    But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.

    Unlikely that random machines are getting exploited, more like targeted attacks.
    Still patch it though.

    If you know what dc your target is in, you could get a box in there as well and minimize jitter, right? That should cut down on the amount of attempts to make drastically.

    The more oversold the Node is, the harder it should be too.
    All the CPU Steal the sshd deamon is hit with, good luck your your timing attacks bro.

    I've never felt as safe as with my @c1vhosting vps.

    The more downtime you have, the safer it should be to.
    Premium @VirMach

    That's a very interesting theory!
    The more the downtime, the safer the server. :relieved:
    Cold servers, operated only when they're needed. If any.
    Plus it reduces mean time befrore failure and cuts down on energy bill.

Sign In or Register to comment.