Monday, July 1, 2024

regreSSHion: Code Execution Vulnerability in OpenSSH server (CVE-2024-6387)

The Qualys Threat Research Unit (TRU) has discovered a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems. This vulnerability has been assigned CVE-2024-6387.

The vulnerability, caused by a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems, presenting a significant security risk. This race condition affects sshd in its default configuration.


The Bitnami catalog is based on Debian. According to the Debian security tracker:

  • Debian 11 (bullseye) is not affected.

  • Debian 12 (bookworm) is affected up to version 1:9.2p1-2+deb12u3.


An SSH server is installed and running in the OVAs and in the Cloud Images for the AWS, Google, and Azure Marketplaces. Bitnami Helm charts and container images are not affected. The Bitnami team is working on releasing new versions in all the Marketplaces.


The steps below describe how the bundled SSH package can be upgraded to a patched version:


Fix/Mitigation

By default, OVAs and Cloud Images include the unattended-upgrades package, which tries to install security updates automatically once a day. You can also force the cron job to run manually.


First, verify that you are running an affected version of the openssh packages:


$ sudo dpkg -l | grep ssh
ii  libssh2-1:amd64                  1.10.0-3+b1                    amd64        SSH2 client-side library
ii  openssh-client                   1:9.2p1-2+deb12u2              amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                   1:9.2p1-2+deb12u2              amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server              1:9.2p1-2+deb12u2              amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines
ii  ssh                              1:9.2p1-2+deb12u2              all          secure shell client and server (metapackage)


If you are affected, force the unattended-upgrade run with the command below:


$ sudo apt-get update && sudo unattended-upgrade -d


This logs the run to /var/log/unattended-upgrades/unattended-upgrades.log and /var/log/unattended-upgrades/unattended-upgrades-dpkg.log, where you can check whether the OpenSSH packages were updated and which version was installed:


$ grep -i ssh /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
Preparing to unpack .../1-openssh-sftp-server_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-sftp-server (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Preparing to unpack .../2-openssh-server_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-server (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Preparing to unpack .../3-openssh-client_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-client (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Preparing to unpack .../5-ssh_1%3a9.2p1-2+deb12u3_all.deb ...
Unpacking ssh (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Setting up openssh-client (1:9.2p1-2+deb12u3) ...
Setting up openssh-sftp-server (1:9.2p1-2+deb12u3) ...
Setting up openssh-server (1:9.2p1-2+deb12u3) ...


After that, check that the new version has been installed:


$ sudo dpkg -l | grep ssh
ii  libssh2-1:amd64                  1.10.0-3+b1                    amd64        SSH2 client-side library
ii  openssh-client                   1:9.2p1-2+deb12u3              amd64        secure shell (SSH) client...
ii  openssh-server                   1:9.2p1-2+deb12u3              amd64        secure shell (SSH) server...
ii  openssh-sftp-server              1:9.2p1-2+deb12u3              amd64        secure shell (SSH) sftp...
ii  ssh                              1:9.2p1-2+deb12u3              all          secure shell client and server (metapackage)


From the client side, you can check that the server is advertising the updated package version in its banner with the following command:


$ ssh -v <user>@<ip-address> 2>&1 | grep -i openssh
OpenSSH_9.6p1, LibreSSL 3.3.6
debug1: Local version string SSH-2.0-OpenSSH_9.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u3
debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u3 pat OpenSSH* compat 0x04000000
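To tie the checks above together, here is an added shell example (not part of the Bitnami post) that parses the kind of dpkg -l and ssh -v output shown in the previous steps and decides whether a version string is at or past the fixed Debian 12 revision, 1:9.2p1-2+deb12u3. The helper names and the sample dpkg and ssh -v lines fed to them are constructed for this example; the comparison is deliberately limited to the 9.2p1-2+deb12uN series that bookworm ships and is not a general Debian version comparison (use dpkg --compare-versions on a real host for that).

```shell
#!/bin/sh
# Added example, not part of the Bitnami post: decide whether an
# openssh-server version string is still vulnerable to CVE-2024-6387 on
# Debian 12 (bookworm), where the post names 1:9.2p1-2+deb12u3 as the fix.
#
# Assumption: only the 9.2p1-2+deb12uN series is handled; anything else is
# reported as "cannot judge". Use `dpkg --compare-versions` on the host for
# general Debian version comparisons.

FIXED_UPDATE=3   # the "u3" in 1:9.2p1-2+deb12u3

# Print the deb12uN update number from a dpkg version such as
# "1:9.2p1-2+deb12u2" or a banner such as "OpenSSH_9.2p1 Debian-2+deb12u3".
# Prints nothing when the string is not a bookworm 9.2p1 build.
deb12_update_number() {
    printf '%s\n' "$1" | sed -n 's/.*9\.2p1.*2+deb12u\([0-9][0-9]*\).*/\1/p'
}

# Exit status 0: vulnerable (update number below the fix);
#             1: fixed (at or past the fix);
#             2: not a bookworm 9.2p1 build, cannot be judged here.
is_vulnerable_bookworm() {
    n=$(deb12_update_number "$1")
    [ -n "$n" ] || return 2
    [ "$n" -lt "$FIXED_UPDATE" ]
}

# Read `dpkg -l` output on stdin and print the openssh-server version column.
openssh_server_version_from_dpkg() {
    awk '$1 == "ii" && $2 == "openssh-server" { print $3 }'
}

# Read `ssh -v` debug output on stdin and print the remote software version.
remote_version_from_ssh_debug() {
    sed -n 's/.*remote software version //p'
}

# Print a one-line verdict for a labelled version string.
report() {
    label=$1
    ver=$2
    rc=0
    is_vulnerable_bookworm "$ver" || rc=$?
    case $rc in
        0) echo "$label: $ver -> VULNERABLE, upgrade to 1:9.2p1-2+deb12u${FIXED_UPDATE} or later" ;;
        1) echo "$label: $ver -> fixed" ;;
        *) echo "$label: $ver -> not a bookworm 9.2p1 build, check the Debian security tracker" ;;
    esac
}

# Constructed samples modelled on the post's before/after output.
SAMPLE_DPKG_BEFORE='ii  openssh-server                   1:9.2p1-2+deb12u2              amd64        secure shell (SSH) server'
SAMPLE_DPKG_AFTER='ii  openssh-server                   1:9.2p1-2+deb12u3              amd64        secure shell (SSH) server'
SAMPLE_SSH_DEBUG='debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u3'

report "dpkg before upgrade" "$(printf '%s\n' "$SAMPLE_DPKG_BEFORE" | openssh_server_version_from_dpkg)"
report "dpkg after upgrade"  "$(printf '%s\n' "$SAMPLE_DPKG_AFTER"  | openssh_server_version_from_dpkg)"
report "remote banner"       "$(printf '%s\n' "$SAMPLE_SSH_DEBUG"   | remote_version_from_ssh_debug)"
```

On a live host the same helpers take real output: pipe sudo dpkg -l into openssh_server_version_from_dpkg, or pipe ssh -v <user>@<ip-address> 2>&1 into remote_version_from_ssh_debug, and pass the result to report. Keeping the version extraction separate from the verdict makes it easy to run the check across a fleet and to swap in dpkg --compare-versions when a host runs something other than the bookworm 9.2p1 series.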

If you have any questions about this process, please create an issue in our GitHub repository. We will be happy to help!

Updates

  • [July 13, 2024, 10:05 AM (UTC)]:
    • 130 out of 132 (98%) OVAs released
    • 131 out of 133 (98%) AWS Images released
    • 79 out of 81 (98%) Azure Images released
    • 83 out of 84 (99%) Google Images released
  • [July 11, 2024, 05:37 AM (UTC)]:
    • 130 out of 132 (98%) OVAs released
    • 131 out of 133 (98%) AWS Images released
    • 78 out of 81 (96%) Azure Images released
    • 82 out of 84 (98%) Google Images released
  • [July 9, 2024, 06:12 AM (UTC)]:
    • 129 out of 132 (98%) OVAs released
    • 130 out of 133 (98%) AWS Images released
    • 77 out of 81 (95%) Azure Images released
    • 82 out of 84 (98%) Google Images released
  • [July 3, 2024, 11:30 AM (UTC)]:
    • 129 out of 132 (98%) OVAs released
    • 129 out of 133 (98%) AWS Images released
    • 76 out of 81 (94%) Azure Images released
    • 76 out of 84 (91%) Google Images released