Critical Security Advisory: regreSSHion (CVE-2024-6387)

Security researchers at Qualys have discovered a flaw in OpenSSH that could lead to remote code execution as root.


UPDATE

Fedora has issued a patch for this bug, please make sure your system is up to date. Check the app store in your edition for more information.

What Happened?

Researchers discovered a flaw in sshd that would allow an attacker to remotely execute code as root. This is actually an 18-year-old bug (CVE-2006-5051) that regressed in OpenSSH 8.5p1.

Who's Affected?

This flaw appeared in 2020, meaning that all versions of Ultramarine Linux before 40 are affected. Starting with Ultramarine Linux 40, we disable the SSH server by default, which mitigates this issue for new installs. UM40 users who upgraded from an older release or converted from Fedora may still be at risk.

What Can I Do to Protect Myself?

The best mitigation is disabling the SSH server on your system.

Simply run

systemctl disable sshd

You'll be prompted for your password with a popup.

This should already be done on Ultramarine 40, but if you're storing sensitive data, it's good to check.

What If I Want to Keep the SSH Server?

It is recommended to update OpenSSH to version 9.8 or newer ASAP.
You may also set LoginGraceTime to 0 in /etc/ssh/sshd_config. However, this makes sshd vulnerable to a denial-of-service attack (by allowing the quick exhaustion of all MaxStartups connections).
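As an added example (not from this advisory or from Ultramarine/Fyra Labs), the shell script below performs the two checks this section and the previous one describe: whether a given OpenSSH version string falls in the regressed range (8.5p1 up to, but not including, 9.8) and whether an sshd_config applies the LoginGraceTime 0 workaround. The function names and the sample config fragment are constructed for the example.

```shell
# Added example, not part of the original advisory: classify an installed
# OpenSSH version against the regreSSHion window (8.5p1 up to, but not
# including, 9.8) and read the LoginGraceTime workaround out of an sshd_config.

# Return 0 when the version is in the affected range, 1 when it is not,
# 2 when the string cannot be parsed. Accepts "9.6p1", "OpenSSH_9.6p1",
# or a distro-style "8.7p1-38.fc40" (the "ssh -V" or rpm version string).
openssh_affected() {
    local ver major minor
    ver="${1#OpenSSH_}"
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major="${ver%%.*}"
    minor="${ver#*.}"
    minor="${minor%%[!0-9]*}"          # "6p1-38.fc40" -> "6"
    case "$major$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -eq 8 ] && [ "$minor" -ge 5 ] && return 0
    [ "$major" -eq 9 ] && [ "$minor" -lt 8 ] && return 0
    return 1
}

# Print the effective LoginGraceTime for an sshd_config read on stdin.
# sshd uses the first occurrence of a keyword, ignores comment lines, and
# matches keywords case-insensitively; the built-in default is 120 seconds.
login_grace_time() {
    awk 'substr($1,1,1) != "#" && tolower($1) == "logingracetime" && !found {
             value = $2; found = 1 }
         END { print (found ? value : 120) }'
}

# One-word verdict combining both checks for a version string and a config text.
assess() {
    local version="$1" config="$2" rc grace
    openssh_affected "$version" && rc=0 || rc=$?
    [ "$rc" -eq 2 ] && { echo "unknown-version"; return 0; }
    grace="$(printf '%s\n' "$config" | login_grace_time)"
    if [ "$rc" -eq 0 ]; then
        [ "$grace" = "0" ] && echo "affected-workaround" || echo "affected"
    else
        echo "not-affected"
    fi
}

# Constructed sample sshd_config fragment (not taken from any real host).
SAMPLE_CONFIG='# LoginGraceTime 2m
Port 22
loginGraceTime 0
MaxStartups 10:30:100'
assess "OpenSSH_9.6p1" "$SAMPLE_CONFIG"   # affected-workaround
assess "9.8p1" "$SAMPLE_CONFIG"           # not-affected
```

Distributions often backport the fix without bumping the upstream version number, so treat the version check as a first pass and confirm against the Fedora advisory for your package. Note also that `systemctl disable sshd` only stops the unit from starting at boot; a server that is already running keeps serving until it is stopped with `systemctl stop sshd` (or `systemctl disable --now sshd`).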

What is Fyra Labs Doing to Protect Me?

Traditionally this is a package that we rely on Fedora to provide, but due to the nature of this issue and our infrastructure's reliance on it, we will be issuing a patch in Terra soon. Please keep your system up to date and stay tuned for further updates.

UPDATE
We will not be publishing the patch in Terra; Fedora is working on it!

Getting Support

Join one of our chats or the subreddit, or open an issue on GitHub. We'll get you going again in no time.

Affected Products

  • All EOL versions of Ultramarine Linux
  • Ultramarine Linux 39
  • Ultramarine Linux 40 (Except New Installs)

Citations

https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html

https://www.cve.org/CVERecord?id=CVE-2024-6387