Update your OpenSSH server. NOW.

OpenSSH has a RCE vulnerability (https://www.openssh.com/releasenotes.html):

A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.

Detailed info: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
Debian stable already has a patched version (1:9.2p1-2+deb12u3).
(Yes, this was already posted on the OGF, but maybe not everyone noticed it.)

cpu_logger | Recommended providers: Layer7, dataforest (Avoro/PHP-Friends)

Comments

  • Life is too short to upgrade OpenSSH.

    HostBrr aff best VPS; VirmAche aff worst VPS.
    Unable to push-up due to shoulder injury 😣

  • More info (probably) can be found here, but the week is too busy, so I didn't manage to have even a briefest look into all this:

  • Last night I worked on upgrading all my servers. Damn you hackers!

  • NeoonNeoon OG
    edited July 2

    Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
    Roughly 10k retries until successful exploitation.

    On 64bit, apparently a week.
    But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.

    Unlikely that random machines are getting exploited, more like targeted attacks.
    Still patch it though.

  • I've set up a whitelist in firewall, so is my VPS vulnerable if I don't update OpenSSH immediately?

    MicroLXC is lovable. Uptime of C1V

  • AuroraZeroAuroraZero Moderator

    @bliss said:
    I've set up a whitelist in firewall, so is my VPS vulnerable if I don't update OpenSSH immediately?

    From a security stance still update

    Thanked by (1)bliss

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • @Neoon said:
    Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
    Roughly 10k retries until successful exploitation.

    On 64bit, apparently a week.
    But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.

    Unlikely that random machines are getting exploited, more like targeted attacks.
    Still patch it though.

    If you know what dc your target is in, you could get a box in there as well and minimize jitter, right? That should cut down on the amount of attempts to make drastically.

    Hey teamacc. You're a dick. (c) Jon Biloh, 2020.

  • @teamacc said:

    @Neoon said:
    Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
    Roughly 10k retries until successful exploitation.

    On 64bit, apparently a week.
    But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.

    Unlikely that random machines are getting exploited, more like targeted attacks.
    Still patch it though.

    If you know what dc your target is in, you could get a box in there as well and minimize jitter, right? That should cut down on the amount of attempts to make drastically.

    The more oversold the Node is, the harder it should be too.
    All the CPU Steal the sshd deamon is hit with, good luck your your timing attacks bro.

    Thanked by (2)treesmokah yoursunny
  • @Neoon said:

    @teamacc said:

    @Neoon said:
    Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
    Roughly 10k retries until successful exploitation.

    On 64bit, apparently a week.
    But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.

    Unlikely that random machines are getting exploited, more like targeted attacks.
    Still patch it though.

    If you know what dc your target is in, you could get a box in there as well and minimize jitter, right? That should cut down on the amount of attempts to make drastically.

    The more oversold the Node is, the harder it should be too.
    All the CPU Steal the sshd deamon is hit with, good luck your your timing attacks bro.

    I've never felt as safe as with my @c1vhosting vps.

    Hey teamacc. You're a dick. (c) Jon Biloh, 2020.

  • @teamacc said:

    @Neoon said:

    @teamacc said:

    @Neoon said:
    Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
    Roughly 10k retries until successful exploitation.

    On 64bit, apparently a week.
    But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.

    Unlikely that random machines are getting exploited, more like targeted attacks.
    Still patch it though.

    If you know what dc your target is in, you could get a box in there as well and minimize jitter, right? That should cut down on the amount of attempts to make drastically.

    The more oversold the Node is, the harder it should be too.
    All the CPU Steal the sshd deamon is hit with, good luck your your timing attacks bro.

    I've never felt as safe as with my @c1vhosting vps.

    The more downtime you have, the safer it should be to.
    Premium @VirMach

  • MikeAMikeA Hosting ProviderOG

    @bliss said:
    I've set up a whitelist in firewall, so is my VPS vulnerable if I don't update OpenSSH immediately?

    Why wouldn't you though? All it takes is an apt/dnf upgrade openssh

    Thanked by (1)bliss
  • @MikeA said:

    @bliss said:
    I've set up a whitelist in firewall, so is my VPS vulnerable if I don't update OpenSSH immediately?

    Why wouldn't you though? All it takes is an apt/dnf upgrade openssh

    Plot twist: They're running Gentoo.

    Thanked by (2)tmntwitw bliss
  • I'm running on Debian Buster.

  • edited July 4

    @aRNoLD said:
    I'm running on Debian Buster.

    Excellent, @aRNoLD, excellent. That's the only thing that has bothered me for years. What version of Debian does Arnold run?
    Now that I know, I can die peacefully.

    Not so soon!

  • @yoursunny said:
    Life is too short to upgrade OpenSSH.

    Just use Dropbear

    Thanked by (2)yoursunny root

    youtube.com/watch?v=k1BneeJTDcU

  • You guys never have any good news...

    Artificial intelligence is no match for our natural stupidity.
    Time flies like an arrow; fruit flies like a banana.

  • edited July 9

    @Neoon said:

    @teamacc said:

    @Neoon said:

    @teamacc said:

    @Neoon said:
    Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
    Roughly 10k retries until successful exploitation.

    On 64bit, apparently a week.
    But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.

    Unlikely that random machines are getting exploited, more like targeted attacks.
    Still patch it though.

    If you know what dc your target is in, you could get a box in there as well and minimize jitter, right? That should cut down on the amount of attempts to make drastically.

    The more oversold the Node is, the harder it should be too.
    All the CPU Steal the sshd deamon is hit with, good luck your your timing attacks bro.

    I've never felt as safe as with my @c1vhosting vps.

    The more downtime you have, the safer it should be to.
    Premium @VirMach

    That's a very interesting theory!
    The more the downtime, the safer the server. :relieved:
    Cold servers, operated only when they're needed. If any.
    Plus it reduces mean time befrore failure and cuts down on energy bill.

Sign In or Register to comment.