perfsonar-user - [perfsonar-user] Critical SSH Vulnerability - CVE-2024-6387
Subject: perfSONAR User Q&A and Other Discussion
List archive
- From: Mark Feit <>
- To: "" <>, "" <>
- Subject: [perfsonar-user] Critical SSH Vulnerability - CVE-2024-6387
- Date: Mon, 1 Jul 2024 15:46:15 +0000
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=internet2.edu; dmarc=pass action=none header.from=internet2.edu; dkim=pass header.d=internet2.edu; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=65HQEEKS+BtW56TtmU+Nmbh4YaK1QYzy7qyvxnn/niw=; b=DG1Yej3L69E+i7gzS1keFEtLz9wYyQjX9f7YUazgJ8ZzFR5CIIMuLUi3kpa/tF4u1VlpRbYp1bjHyfe7iDxZl6c3i5CvmqfQkr5vHIzADkr+LBFpmQB33QYnPAoK/z7CIeYAsOQWG/0xCOY3MwZOj2NxVMZFBUcgEbzjbIIiApBg9Ug8jN0JdskKyCXQpakyxek96j9/FgFVSw6fq7TRhxXGzr+H7fyIoOOPp+sqoAGqy8/ZJVTUiFQqNASzZmA57MTZEZKEA3Yr8t6X9mmJDbIDgWe+eh0lWC+2rNmDcxLTqXbwWFcEU11Mekp0Mc8rgYL4MCIs6/tm3m6rlX/dkw==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GitV+SUsk19cD3/bR3mKNH6SfSe85nbeDNMFZlfKhCrjp8RcdwdT6uN5ebcrxBb+TePXorNc9qZ1rWln4Vs3F0tVuQsqNHZWnojvNZU3b5h6S1XNKOQfJmZyqovFmY98rkZCfNsnPYbFzHRX3GX6y8mY3ILCrIaJMEWBWZatH5SHI4gbBVc/LchdyZA4TSQ1RK4xMl7YhR/uk9O3PBlI1Qd8t6u2zg/9eUKCf24rQuLWt91NNVQuA0YOlPaaorK+KP0u+pR8DNB3CrGae3g6NsRMS5AhFdyQygy/4ttzyS9Mvl4C9B1JDSXzThUt1MIB6+ClnSrENTSCOKEO30EoWA==
|
A new, critical remote code execution (RCE) vulnerability in OpenSSH has been discovered and disclosed: https://www.cve.org/CVERecord?id=CVE-2024-6387
At this writing, all perfSONAR systems built on bare metal or VMs are vulnerable. The Docker container does not run SSHD and is not affected.
The developers of OpenSSH have released a patch correcting it as version 9.8p1. Once that filters through to the distributions for the operating systems we support, systems with automatic updates enabled will self-upgrade. Systems without it will need to be upgraded manually.
Until then, it is strongly recommended that the interim fix described below be applied to affected perfSONAR systems. Note that this will make the SSH service vulnerable to a denial-of-service attack by making it easy for an attacker to consume the maximum number of startup connections. In the short term, this is a safer alternative to leaving it vulnerable to a RCE attack.
To prevent this vulnerability from being exploited, reconfigure SSHD on your systems as follows:
# echo 'LoginGraceTime 0' > /etc/ssh/sshd_config.d/cve-2024-6387.conf # systemctl restart sshd
After OpenSSH has been upgraded to at least 9.8p1, the configuration can be removed:
# rm -f /etc/ssh/sshd_config.d/cve-2024-6387.conf # systemctl restart sshd
If you have questions, please drop the development team a line at .
--Mark
|
- [perfsonar-user] Critical SSH Vulnerability - CVE-2024-6387, Mark Feit, 07/01/2024
Archive powered by MHonArc 2.6.24.