Author: Martin Steigerwald
Date:  
To: dng
Subject: Re: [DNG] ..is systemd a factor here? Nasty regreSSHion bug in OpenSSH puts roughly 700K Linux boxes at risk, Full system takeovers on the cards, for those with enough patience to pull it off
Hi Arnt. Hi.

Arnt Karlsen - 02.07.24, 06:15:19 CEST:
> ..is systemd a factor here? Nasty regreSSHion bug in OpenSSH puts
> roughly 700K Linux boxes at risk, Full system takeovers on the cards,
> for those with enough patience to pull it off:
> https://www.theregister.com/2024/07/01/regresshion_openssh/


From what I read so far: No. Not everything has to do with Systemd.

From above article:

"Damien Miller, founder of the portable OpenSSH project and maintainer
since 1999, said in an online discussion that anything running glibc is
probably vulnerable. Systems with 32-bit architectures have been proven to
be so, and 64-bitters are likely at risk too."

From what I understand Devuan thus is affected as well. Patch your systems!

Devuan 5 aka Daedalus (1:9.2p1-2+deb12u3) and Devuan Ceres (1:9.7p1-7)
have patched packages already. Devuan Excalibur / Testing to come soon,
but you can download the package for Devuan Unstable and install it on
Devuan Testing. Just switch your sources.list temporarily to Ceres.
Install the OpenSSH packages and you run a patched version (1:9.7p1-7).
Remember to switch back to Testing afterwards. Again Alpine and Void would
not be affected.

I recommend reducing MaxSessions in /etc/ssh/sshd_config to, say, 3 or so on
unpatched systems. And not only on unpatched systems. The estimate of 4-8
hours or even longer is for systems which allow 100 sessions as far as I
read. Debian usually restricts to 10 sessions. If you go even lower, an
attacker needs a really long time to successfully attack with an approach
like this. So given the time needed to exploit with 10 concurrent sessions
or less… this vulnerability may be a bit overrated, *in case* you patch
your systems soon. If you leave them vulnerable for longer periods of
time… that is your risk to take.

But of course it is indeed severe. Root access by a remote attack is to
be taken seriously. I just don't think it's wise to panic around like crazy.
Just do the updates!

Best,
--
Martin