Skip to Content.
Sympa Menu

perfsonar-announce - [perfsonar-announce] Critical SSH Vulnerability - CVE-2024-6387

Subject: perfSONAR Announcements

List archive

[perfsonar-announce] Critical SSH Vulnerability - CVE-2024-6387


Chronological Thread 
  • From: Mark Feit <>
  • To: "" <>, "" <>
  • Subject: [perfsonar-announce] Critical SSH Vulnerability - CVE-2024-6387
  • Date: Mon, 1 Jul 2024 15:46:15 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=internet2.edu; dmarc=pass action=none header.from=internet2.edu; dkim=pass header.d=internet2.edu; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=65HQEEKS+BtW56TtmU+Nmbh4YaK1QYzy7qyvxnn/niw=; b=DG1Yej3L69E+i7gzS1keFEtLz9wYyQjX9f7YUazgJ8ZzFR5CIIMuLUi3kpa/tF4u1VlpRbYp1bjHyfe7iDxZl6c3i5CvmqfQkr5vHIzADkr+LBFpmQB33QYnPAoK/z7CIeYAsOQWG/0xCOY3MwZOj2NxVMZFBUcgEbzjbIIiApBg9Ug8jN0JdskKyCXQpakyxek96j9/FgFVSw6fq7TRhxXGzr+H7fyIoOOPp+sqoAGqy8/ZJVTUiFQqNASzZmA57MTZEZKEA3Yr8t6X9mmJDbIDgWe+eh0lWC+2rNmDcxLTqXbwWFcEU11Mekp0Mc8rgYL4MCIs6/tm3m6rlX/dkw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GitV+SUsk19cD3/bR3mKNH6SfSe85nbeDNMFZlfKhCrjp8RcdwdT6uN5ebcrxBb+TePXorNc9qZ1rWln4Vs3F0tVuQsqNHZWnojvNZU3b5h6S1XNKOQfJmZyqovFmY98rkZCfNsnPYbFzHRX3GX6y8mY3ILCrIaJMEWBWZatH5SHI4gbBVc/LchdyZA4TSQ1RK4xMl7YhR/uk9O3PBlI1Qd8t6u2zg/9eUKCf24rQuLWt91NNVQuA0YOlPaaorK+KP0u+pR8DNB3CrGae3g6NsRMS5AhFdyQygy/4ttzyS9Mvl4C9B1JDSXzThUt1MIB6+ClnSrENTSCOKEO30EoWA==

A new, critical remote code execution (RCE) vulnerability in OpenSSH has been discovered and disclosed:  https://www.cve.org/CVERecord?id=CVE-2024-6387

 

At this writing, all perfSONAR systems built on bare metal or VMs are vulnerable.  The Docker container does not run SSHD and is not affected.

 

The developers of OpenSSH have released a patch correcting it as version 9.8p1.  Once that filters through to the distributions for the operating systems we support, systems with automatic updates enabled will self-upgrade.  Systems without it will need to be upgraded manually.

 

Until then, it is strongly recommended that the interim fix described below be applied to affected perfSONAR systems.  Note that this will make the SSH service vulnerable to a denial-of-service attack by making it easy for an attacker to consume the maximum number of startup connections.  In the short term, this is a safer alternative to leaving it vulnerable to a RCE attack.

 

To prevent this vulnerability from being exploited, reconfigure SSHD on your systems as follows:

 

# echo 'LoginGraceTime 0' > /etc/ssh/sshd_config.d/cve-2024-6387.conf

# systemctl restart sshd

 

After OpenSSH has been upgraded to at least 9.8p1, the configuration can be removed:

 

# rm -f /etc/ssh/sshd_config.d/cve-2024-6387.conf

# systemctl restart sshd

 

 

If you have questions, please drop the development team a line at .

 

--Mark



  • [perfsonar-announce] Critical SSH Vulnerability - CVE-2024-6387, Mark Feit, 07/01/2024

Archive powered by MHonArc 2.6.24.

Top of Page