What is the regreSSHion vulnerability?
regreSSHion, tracked as CVE-2024-6387, is a serious security vulnerability in the OpenSSH server (sshd).
Here are the important points about this vulnerability:
- Vulnerability: This is a Remote Unauthenticated Code Execution (RCE) vulnerability in the OpenSSH server (sshd) on glibc-based Linux systems. It lets an attacker execute arbitrary code remotely without authenticating, and successful exploitation yields root privileges.
- Impact: This vulnerability affects OpenSSH versions from 8.5p1 to 9.7p1.
- Technical details: The vulnerability stems from a race condition in OpenSSH's signal handling. It is a regression of an older vulnerability, CVE-2006-5051, which was patched in 2006. An attacker can execute arbitrary code with root privileges.
- Recommendation: If you are running an OpenSSH server on an affected version, update immediately.
Affected operating systems
- Ubuntu version 22.04 (jammy) or later – Ubuntu Security Notice
- Red Hat Enterprise Linux 9 – Red Hat Security Notice (Red Hat Enterprise Linux 6, 7, and 8 using older versions of OpenSSH are not affected)
- Debian 12 (bookworm) – Debian Security Notice
- Fedora – Fedora packages
- SUSE – SUSE Security Notice
- AWS Linux – Amazon Linux Security Center
How to update the OpenSSH version to protect the server
Ubuntu OS:
Ubuntu version 22.04 (jammy): Make sure OpenSSH is updated to version OpenSSH_8.9p1 Ubuntu-3ubuntu0.10 or later.
Check the current SSH version.
ssh -V
OpenSSH_8.9p1 Ubuntu-3ubuntu0.7, OpenSSL 3.0.2 15 Mar 2022
Running the commands below updates only the OpenSSH packages.
apt update -y
apt-get install --only-upgrade openssh-server -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  vim-runtime
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
  openssh-client openssh-sftp-server
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass molly-guard ufw
The following packages will be upgraded:
  openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 22 not upgraded.
Need to get 1,379 kB of archives.
After this operation, 4,096 B disk space will be freed.
Get:1 http://mirror.viettelcloud.vn/ubuntu jammy-updates/main amd64 openssh-sftp-server amd64 1:8.9p1-3ubuntu0.10 [38.9 kB]
Get:2 http://mirror.viettelcloud.vn/ubuntu jammy-updates/main amd64 openssh-server amd64 1:8.9p1-3ubuntu0.10 [435 kB]
Get:3 http://mirror.viettelcloud.vn/ubuntu jammy-updates/main amd64 openssh-client amd64 1:8.9p1-3ubuntu0.10 [906 kB]
Fetched 1,379 kB in 0s (7,918 kB/s)
Preconfiguring packages ...
(Reading database ... 144191 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a8.9p1-3ubuntu0.10_amd64.deb ...
Unpacking openssh-sftp-server (1:8.9p1-3ubuntu0.10) over (1:8.9p1-3ubuntu0.7) ...
Preparing to unpack .../openssh-server_1%3a8.9p1-3ubuntu0.10_amd64.deb ...
Unpacking openssh-server (1:8.9p1-3ubuntu0.10) over (1:8.9p1-3ubuntu0.7) ...
Preparing to unpack .../openssh-client_1%3a8.9p1-3ubuntu0.10_amd64.deb ...
Unpacking openssh-client (1:8.9p1-3ubuntu0.10) over (1:8.9p1-3ubuntu0.7) ...
Setting up openssh-client (1:8.9p1-3ubuntu0.10) ...
Setting up openssh-sftp-server (1:8.9p1-3ubuntu0.10) ...
Setting up openssh-server (1:8.9p1-3ubuntu0.10) ...
rescue-ssh.target is a disabled or a static unit not running, not starting it.
ssh.socket is a disabled or a static unit not running, not starting it.
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning candidates...
Scanning linux images...
Running kernel seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
After the update completes, check the SSH version again.
Result:
ssh -V
OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022
Ubuntu version 24.04 (noble): Make sure OpenSSH is updated to version OpenSSH_9.6p1 Ubuntu-3ubuntu13.3 or later.
Check the current SSH version.
ssh -V
OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024
Running the commands below updates only the OpenSSH packages.
apt update -y
apt-get install --only-upgrade openssh-server -y
Result:
ssh -V
OpenSSH_9.6p1 Ubuntu-3ubuntu13.3, OpenSSL 3.0.13 30 Jan 2024
AlmaLinux OS 9 operating system
Make sure OpenSSH is updated to version openssh-8.7p1-38.el9.alma.2 or later.
On a freshly installed AlmaLinux OS 9 system, you can run the command below to update the whole operating system, including the OpenSSH packages.
dnf update -y
Result:
rpm -q openssh-server
openssh-server-8.7p1-38.el9.alma.2.x86_64
Rocky Linux 9 operating system
Make sure OpenSSH is updated to version openssh-8.7p1-38.el9_4 or later.
Check the current SSH version.
rpm -q openssh-server
openssh-server-8.7p1-34.el9.x86_64
Run the commands below to update the OpenSSH packages.
dnf install rocky-release-security -y
dnf config-manager --disable security-common
dnf --enablerepo=security-common update openssh\*
Note: sshd is restarted automatically when the openssh packages are installed.
Result:
rpm -q openssh
openssh-8.7p1-38.el9_4.1.x86_64
Debian operating system
Debian version 12 (bookworm): Make sure OpenSSH is updated to version OpenSSH_9.2p1 Debian-2+deb12u3 or later.
Check the current SSH version.
ssh -V
OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023
Run the commands below to update the OpenSSH packages.
apt update -y
apt-get install --only-upgrade openssh-server -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libssl3 openssh-client openssh-sftp-server openssl ssh
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass molly-guard ufw
The following packages will be upgraded:
  libssl3 openssh-client openssh-server openssh-sftp-server openssl ssh
6 upgraded, 0 newly installed, 0 to remove and 29 not upgraded.
Need to get 5,126 kB of archives.
After this operation, 1,024 B of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 libssl3 amd64 3.0.13-1~deb12u1 [2,022 kB]
Get:2 http://security.debian.org/debian-security bookworm-security/main amd64 openssh-sftp-server amd64 1:9.2p1-2+deb12u3 [65.8 kB]
Get:3 http://security.debian.org/debian-security bookworm-security/main amd64 openssh-server amd64 1:9.2p1-2+deb12u3 [456 kB]
Get:4 http://security.debian.org/debian-security bookworm-security/main amd64 openssh-client amd64 1:9.2p1-2+deb12u3 [991 kB]
Get:5 http://security.debian.org/debian-security bookworm-security/main amd64 ssh all 1:9.2p1-2+deb12u3 [174 kB]
Get:6 http://deb.debian.org/debian bookworm/main amd64 openssl amd64 3.0.13-1~deb12u1 [1,418 kB]
Fetched 5,126 kB in 0s (15.4 MB/s)
apt-listchanges: Reading changelogs...
Preconfiguring packages ...
(Reading database ... 34060 files and directories currently installed.)
Preparing to unpack .../0-libssl3_3.0.13-1~deb12u1_amd64.deb ...
Unpacking libssl3:amd64 (3.0.13-1~deb12u1) over (3.0.11-1~deb12u2) ...
Preparing to unpack .../1-openssh-sftp-server_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-sftp-server (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Preparing to unpack .../2-openssh-server_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-server (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Preparing to unpack .../3-openssh-client_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-client (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Preparing to unpack .../4-openssl_3.0.13-1~deb12u1_amd64.deb ...
Unpacking openssl (3.0.13-1~deb12u1) over (3.0.11-1~deb12u2) ...
Preparing to unpack .../5-ssh_1%3a9.2p1-2+deb12u3_all.deb ...
Unpacking ssh (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Setting up libssl3:amd64 (3.0.13-1~deb12u1) ...
Setting up openssl (3.0.13-1~deb12u1) ...
Setting up openssh-client (1:9.2p1-2+deb12u3) ...
Setting up openssh-sftp-server (1:9.2p1-2+deb12u3) ...
Setting up openssh-server (1:9.2p1-2+deb12u3) ...
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:iG5DB87DB7MSlbYXqL1F914HfKndShdtq0ih1sVgQRs root@testaapanel (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:xARV4j/jUfgWy2tI65y+5/GBgdrLX1cUVtb8H7OHBNQ root@testaapanel (ED25519)
rescue-ssh.target is a disabled or a static unit not running, not starting it.
ssh.socket is a disabled or a static unit not running, not starting it.
Setting up ssh (1:9.2p1-2+deb12u3) ...
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+deb12u7) ...
Result:
ssh -V
OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.13 30 Jan 2024
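The per-distro steps above all come down to two checks: is the upstream OpenSSH version inside the 8.5p1 to 9.7p1 window, and does the installed distro package already carry the backported fix? The banner alone cannot answer the second question: Ubuntu 22.04 still reports OpenSSH_8.9p1 after the update, and only the package revision (3ubuntu0.7 versus 3ubuntu0.10) tells the two apart. The script below is an added example written for this article, not code from the article's author or from any distribution. It parses an ssh -V banner, implements the dpkg version-ordering rules in awk so it runs without dpkg, and combines both checks. The banners and package versions fed to it are constructed from the values quoted in this article; the 8.4p1 banner and the fixed versions passed as the third argument are assumptions for illustration and must be replaced with your distribution's advisory values. RPM labels do not strictly follow dpkg ordering, but for the simple el9 revisions shown here the result is the same; on RHEL-family hosts rpm -q, as used above, remains the authoritative check.

```shell
#!/bin/sh
# Added example for this article: regreSSHion exposure check from an
# `ssh -V` banner plus the installed package version. Not the article's
# own code; sample inputs are constructed from values quoted in the article.

# Print "major.minor" from a banner such as
# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.7, OpenSSL 3.0.2 15 Mar 2022" -> "8.9"
openssh_upstream_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print in-range (8.5 <= upstream <= 9.7), outside, or unknown (not a banner).
regresshion_range_status() {
    ver=$(openssh_upstream_version "$1")
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    major=${ver%%.*}
    minor=${ver#*.}
    code=$((major * 100 + minor))          # 8.5 -> 805, 9.7 -> 907
    if [ "$code" -ge 805 ] && [ "$code" -le 907 ]; then echo in-range; else echo outside; fi
}

# dpkg-style comparison of two package versions (epoch:upstream-revision).
# Prints -1, 0 or 1. Rules: epoch numeric; then upstream and revision are
# compared as alternating non-digit / digit runs, where '~' sorts before
# everything (even end of string), letters before non-letters, digit runs
# numerically. On Debian/Ubuntu `dpkg --compare-versions` is the reference.
deb_vercmp() {
    awk -v A="$1" -v B="$2" '
    function ord_of(c) {
        if (c == "~") return -1
        if (c == "") return 0
        if (c ~ /^[A-Za-z]$/) return ORD[c]
        return ORD[c] + 256
    }
    function fragcmp(a, b,    pa, pb, na, nb, i, n, oa, ob) {
        while (a != "" || b != "") {
            match(a, /^[^0-9]*/); pa = substr(a, 1, RLENGTH); a = substr(a, RLENGTH + 1)
            match(b, /^[^0-9]*/); pb = substr(b, 1, RLENGTH); b = substr(b, RLENGTH + 1)
            n = length(pa) > length(pb) ? length(pa) : length(pb)
            for (i = 1; i <= n; i++) {
                oa = ord_of(substr(pa, i, 1)); ob = ord_of(substr(pb, i, 1))
                if (oa != ob) return (oa < ob) ? -1 : 1
            }
            match(a, /^[0-9]*/); na = substr(a, 1, RLENGTH) + 0; a = substr(a, RLENGTH + 1)
            match(b, /^[0-9]*/); nb = substr(b, 1, RLENGTH) + 0; b = substr(b, RLENGTH + 1)
            if (na != nb) return (na < nb) ? -1 : 1
        }
        return 0
    }
    function epoch(v,    i)    { i = index(v, ":"); return i ? substr(v, 1, i - 1) + 0 : 0 }
    function noepoch(v,  i)    { i = index(v, ":"); return i ? substr(v, i + 1) : v }
    function lastdash(v, i)    { for (i = length(v); i > 0; i--) if (substr(v, i, 1) == "-") return i; return 0 }
    function upstream(v, i)    { v = noepoch(v); i = lastdash(v); return i ? substr(v, 1, i - 1) : v }
    function revision(v, i)    { v = noepoch(v); i = lastdash(v); return i ? substr(v, i + 1) : "" }
    BEGIN {
        for (i = 32; i < 127; i++) ORD[sprintf("%c", i)] = i   # ASCII lookup table
        ea = epoch(A); eb = epoch(B)
        if (ea != eb) { r = (ea < eb) ? -1 : 1; print r; exit }
        r = fragcmp(upstream(A), upstream(B)); if (r != 0) { print r; exit }
        print fragcmp(revision(A), revision(B))
    }'
}

# True if installed package version $1 is at least fixed version $2.
pkg_at_least() {
    [ "$(deb_vercmp "$1" "$2")" -ge 0 ]
}

# Arguments: ssh -V banner, installed package version, fixed package version.
# Prints patched, vulnerable, not-in-range, or unknown.
regresshion_status() {
    case "$(regresshion_range_status "$1")" in
        in-range) if pkg_at_least "$2" "$3"; then echo patched; else echo vulnerable; fi ;;
        outside)  echo not-in-range ;;
        *)        echo unknown ;;
    esac
}

# Usage on a live Debian/Ubuntu host (ssh -V prints to stderr, hence 2>&1):
#   regresshion_status "$(ssh -V 2>&1)" \
#       "$(dpkg-query -W -f '${Version}' openssh-server)" "1:8.9p1-3ubuntu0.10"
demo() {
    # Ubuntu 22.04 before and after the update, as quoted in the article
    regresshion_status "OpenSSH_8.9p1 Ubuntu-3ubuntu0.7, OpenSSL 3.0.2 15 Mar 2022" \
        "1:8.9p1-3ubuntu0.7" "1:8.9p1-3ubuntu0.10"      # vulnerable
    regresshion_status "OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022" \
        "1:8.9p1-3ubuntu0.10" "1:8.9p1-3ubuntu0.10"     # patched
    # Rocky Linux 9 package labels from the article (constructed banner)
    regresshion_status "OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022" \
        "8.7p1-34.el9" "8.7p1-38.el9_4"                 # vulnerable
    # Constructed pre-8.5 banner: before the regression, so outside the window
    regresshion_status "OpenSSH_8.4p1, OpenSSL 1.1.1n 15 Mar 2022" \
        "1:8.4p1-5" "1:8.4p1-5"                         # not-in-range
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to print the four sample verdicts. The value of the combined check is the "patched" case: a scanner that only reads the banner would keep flagging the updated Ubuntu 22.04 host, while the package comparison correctly recognises 3ubuntu0.10 as fixed.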
If you are running an OpenSSH server on an affected version, update immediately to fix this vulnerability.
We hope you found this article useful.
If you need assistance, you can contact support in the following ways:
- 24/7 Hotline: 028 888 24768
- Ticket/Email: send an email from the address you registered the service with directly to support@azdigi.com.