Update your OpenSSH server. NOW.
OpenSSH has an RCE vulnerability (https://www.openssh.com/releasenotes.html):
A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.
Detailed info: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
Debian stable already has a patched version (1:9.2p1-2+deb12u3).
(Yes, this was already posted on the OGF, but maybe not everyone noticed it.)
cpu_logger | Recommended providers: Layer7, dataforest (Avoro/PHP-Friends), @host_c
Comments
Life is too short to upgrade OpenSSH.
Accepting submissions for IPv6 less than /64 Hall of Incompetence.
More info (probably) can be found here, but the week is too busy, so I didn't manage to have even a briefest look into all this:
Last night I worked on upgrading all my servers. Damn you hackers!
Stop the planet! I want to get off!
Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
Roughly 10k retries until successful exploitation.
On 64bit, apparently a week.
But my guess, the more unstable the network is, the further away the target is, the more retries you have to do.
Unlikely that random machines are getting exploited, more like targeted attacks.
Still patch it though.
Free NAT KVM | Free NAT LXC | Bobr
ITS WEDNESDAY MY DUDES
I've set up a whitelist in the firewall, so is my VPS vulnerable if I don't update OpenSSH immediately?
MicroLXC is lovable. Uptime of C1V
From a security stance, still update.
Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?
If you know what dc your target is in, you could get a box in there as well and minimize jitter, right? That should cut down on the amount of attempts to make drastically.
Hey teamacc. You're a dick. (c) Jon Biloh, 2020.
The more oversold the Node is, the harder it should be too.
All the CPU steal the sshd daemon is hit with, good luck with your timing attacks bro.
I've never felt as safe as with my @c1vhosting vps.
The more downtime you have, the safer it should be too.
Premium @VirMach
Why wouldn't you though? All it takes is an apt/dnf upgrade openssh
ExtraVM
Plot twist: They're running Gentoo.
I'm running on Debian Buster.
Excellent, @aRNoLD, excellent. That's the only thing that has bothered me for years. What version of Debian does Arnold run?
Now that I know, I can die peacefully.
Not so soon!
Just use Dropbear
youtube.com/watch?v=k1BneeJTDcU
You guys never have any good news...
Websites have ads, I have ad-blocker.
That's a very interesting theory!
The more the downtime, the safer the server.
Cold servers, operated only when they're needed. If any.
Plus it reduces mean time before failure and cuts down on the energy bill.