this post was submitted on 01 Jul 2024
246 points (98.8% liked)

Linux

5340 readers
205 users here now

A community for everything relating to the linux operating system

Also check out [email protected]

Original icon base courtesy of [email protected] and The GIMP

founded 1 year ago
MODERATORS
all 39 comments
sorted by: hot top controversial new old
[–] [email protected] 81 points 4 months ago (2 children)

They have named this vulnerability "regreSSHion", since it represents the re-emergence of a bug that was previously patched in 2006

That's a great name

[–] runeko 7 points 4 months ago

Agreed, but I had to disable autocorrect to type it on my phone.

[–] [email protected] 2 points 4 months ago

Playful and descriptive!

[–] [email protected] 54 points 4 months ago

The new vulnerability, assigned CVE-2024-6387, allows for unauthenticated remote code execution (RCE) with root privileges, posing a severe threat to affected systems.

Oh, fuck. Guess this is my day now.

[–] [email protected] 38 points 4 months ago (1 children)

If I'm not mistaken, it seems like this is a timing attack and you need a lot of attack attempts to make it work. If you have like a fail2ban rule for ssh it should mitigate this attack to quite some degree, right? (Of course updating would still be the best).

[–] [email protected] 12 points 4 months ago (1 children)

While statistically unlikely, it would be possible to exploit the vulnerability on the first attempt

[–] [email protected] 4 points 4 months ago

That's true.

[–] [email protected] 33 points 4 months ago

Looks like Debian and Ubuntu have shipped patches, but I'm not seeing them show up in the RHEL-derivatives just yet, but I'm sure that'll be soon(TM).

[–] [email protected] 27 points 4 months ago (1 children)

the in depth technical details

TL;DR; sigalarm handler calls syslog which isn't safe to call from a signal handler context.

Their example exploit needed about 10k attempts to get a remote shell so it's not fast or quiet, but a neat find regardless

[–] bitfucker 5 points 4 months ago

I can already imagine the log generated will be a hint. We usually automate those anyway as it is closer to (D)DoS too.

[–] [email protected] 23 points 4 months ago (4 children)

It's shit like this that makes me convinced that governments can easily hack into pretty much every system

[–] [email protected] 13 points 4 months ago

I mean, on TV every character seems to be able to hack any system in a few seconds.

They clearly must have done some research by watching some NSA hackers who can hack every system.

[–] [email protected] 9 points 4 months ago

They probably can. jut every hack done has the possibility of spoiling the exploit. A good exploit can cost a million $. So if hacking you is worth more then say 100k to them, you're in trouble. Otherwise they will only target you with everyday surveilance.

[–] asyncrosaurus 7 points 4 months ago (1 children)

Most can't, but that's why clandestine cyber-intelligence firms like NSO group exist.

[–] [email protected] 7 points 4 months ago

That's a spooky one. From first glance - 500 employees and zero click takeovers of phones? Yikes. Makes me want to not have a phone... Ofc Google/Apple/USA have had this capacity for ages

[–] [email protected] 5 points 4 months ago (2 children)

Well only if they know about it before it gets patched...

[–] [email protected] 10 points 4 months ago (1 children)

That's why there is a huge market for 0-day exploits.

[–] [email protected] 3 points 4 months ago (1 children)

Isn't there attempts to sneak in vulnerabilities with new commits?

[–] [email protected] 6 points 4 months ago* (last edited 4 months ago)

Yes, targeted attacks like that definitely exist, most famously maybe the most recent social pressure to merge a vulnerability to the xz library by actor "Jia Tan":

https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

This started a whole discussion about relying on (often unpaid) volunteer work for critical systems and the pressure and negativity these people face, which is a discussion that was absolutely needed, and which we are still lightyears away from fixing.

Currently, open source is still treated like this: https://trac.ffmpeg.org/ticket/10341

(I can only recommend reading the whole story around this issue, which boils down to Microsoft admitting they rely on an open source project for something they consider critical to their customers, but not willing to pay the maintainer a bounty for fixing the issue)

[–] [email protected] 6 points 4 months ago

The NSA is doubtless sitting on a trove of these types of vulnerabilities to use when they really need access to something.

[–] namingthingsiseasy 22 points 4 months ago (1 children)

The full write-up can be found here and should be fairly readable for users of this forum.

Some quotes that I thought were interesting:

With a heap corruption as a primitive, two FILE structures malloc()ated in the heap, and 21 fixed bits in the glibc's addresses, we believe that this signal handler race condition is exploitable on amd64 (probably not in ~6-8 hours, but hopefully in less than a week). Only time will tell.

So 64-bit systems seem to be a bit more resistant to this it seems? But I can't be completely sure given how much I've read about this yet.

This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()): an unauthenticated remote code execution as root, because it affects sshd's privileged code, which is not sandboxed and runs with full privileges. We have not investigated any other libc or operating system; but OpenBSD is notably not vulnerable, because its SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog() that was invented by OpenBSD in 2001.

It seems that non glibc-based systems also could be vulnerable, but they have not yet tried to demonstrate it yet (or have tried and not been successful).

And OpenBSD wins again it seems.

[–] [email protected] 5 points 4 months ago

Yeah they were experimenting with 64bit exploitation when this signal handler got some focus regarding a (likely related) deadlock so they rushed to disclose their findings to the project to minimise the possibility of having eyes on this vulnerability

[–] [email protected] 17 points 4 months ago

Good thing I’m on vacation for the next week and have my PC turned off. Remind me to update on Saturday

[–] FizzyOrange 12 points 4 months ago

Someone find the commit where they accidentally removed this critical component 😄

[–] [email protected] 11 points 4 months ago (2 children)

The fun thing about regressions: these things affects you if your system is new enough that it has the behaviour reintroduced. Which means you are less likely to be hit if you are using Debian Stable (or even Oldstable) than, say, Sid (unpatched at the time of writing this comment) or Arch btw.

[–] [email protected] 3 points 4 months ago

My OpenMediaVault machine (based on Debian Oldstable) uses OpenSSH 8.4p1, so it's old enough not to have the bug

[–] [email protected] 9 points 4 months ago (1 children)

I set up a wireguard VPN network between my computers and servers, and then firewalled off all services except Wireguard, and a few services on one server. That one server is my weak point, but even it has sshd firewalled off except through the Wireguard subnet.

It's stupidly easy to set up WG subnetworks. I'm not a networking guy, and it was trivial for me to do. If u can run an ssh server, you can set up a Wireguard subnet: just do it.

[–] [email protected] 9 points 4 months ago (2 children)

Yeah. Some services you kinda want accessible directly, but ssh really isn't one of them. Even though it should be safe, as that's it's intended purpose, putting a VPN in front of it makes a lot of sense, especially with how easy it is to setup these days. Anything used for administration is systems should be behind one.

[–] [email protected] 8 points 4 months ago

Wireguard really changed the landscape, for me, and my entire approach to networking. Suddenly, VPNs became fast and easy, and where previously impractical for casual (hobbyist) admins, it made creating enterprise-grade secure subnets easy. It's astonishingly stable and reliable, such that my initial concerns about cutting off all access except through the VPN - once a truly nerve-wracking concept - is now a no-brainer. It's made my network administration easier and more secure. My firewalls are simpler.

Wireguard is one of the biggest high-impact, low-visibility networking game changers I've seen in decades.

[–] [email protected] 5 points 4 months ago

There is definitely a shift away from traditional VPNs these days since VPN tunnels tend to be more open and permissive. You can obviously secure a tunnel and limit network access, but you are still directly accessing the networks and resources that you do allow, remotely.

I was running Kasm for a while and I really liked this approach to secure remote access. I could effectively spin up a Ubuntu docker image and access it remotely through the browser. Secured the web portal with my IdP which requires MFA and I would login remotely and launch various apps and desktops.

They are non persistent in nature, so once you log off and destroy the instance you would effectively get a new desktop the next login.

Generally works pretty well

[–] [email protected] 7 points 4 months ago

Limit source ip access in the Firewall is my way to avoid this.

[–] [email protected] 3 points 4 months ago

Jokes on you, I run Centos 7!

[–] [email protected] 0 points 4 months ago* (last edited 4 months ago) (3 children)

Maybe it is time to move to something new

Also why does sshd run as root. I deal like ssh could use some least privilege

[–] [email protected] 10 points 4 months ago* (last edited 4 months ago) (1 children)

When you log in to an ssh terminal for a shell, it has to launch the shell process as the desired user. Needs to be root to do that.

SSH has been around a long time. It's not perfect, but it's mostly validated. Anything new won't have that history.

[–] [email protected] 1 points 4 months ago (1 children)

Can't it use built in OS mechanisms for that? Surely you could figure out a way to only give it permissions it needs. Maybe break it up into two separate processes.

[–] [email protected] 1 points 4 months ago

That just sounds like root with extra steps (trying to implement OS security policies in a remote terminal utility)

[–] [email protected] 9 points 4 months ago* (last edited 4 months ago)

Preliminary note: OpenSSH is one of the most secure software in the world; this vulnerability is one slip-up in an otherwise near-flawless implementation. Its defense-in-depth design and code are a model and an inspiration, and we thank OpenSSH's developers for their exemplary work.

[–] [email protected] 1 points 4 months ago

Root because it use port 22. I think anything lower than port 1024 requires it. But if this is true, then you can try change the port it is listening to something higher than that.