Update your OpenSSH server. NOW.
OpenSSH has an RCE vulnerability (https://www.openssh.com/releasenotes.html):
A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.
Detailed info: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
Debian stable already has a patched version (1:9.2p1-2+deb12u3).
(Yes, this was already posted on the OGF, but maybe not everyone noticed it.)
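As an added example (not from the post, OpenSSH or Debian), a small inventory check that classifies `ssh -V` / `sshd -V` output or a server banner against the 8.5p1 to 9.7p1 range quoted above and treats Debian's 1:9.2p1-2+deb12u3 as patched; the function names, the `KNOWN_FIXED` table and the sample strings are my own.

```python
import re

# Affected Portable OpenSSH range quoted in the post: 8.5p1 .. 9.7p1 inclusive.
AFFECTED_MIN = (8, 5, 1)
AFFECTED_MAX = (9, 7, 1)

# Distro builds that keep the upstream number but carry the backported fix.
# Only the one named in the post is listed (Debian prints its package revision
# as the vendor suffix); extend it from your own distribution's advisory.
KNOWN_FIXED = {((9, 2, 1), "Debian-2+deb12u3")}

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(\S[^,]*))?")


def parse_version(text):
    """Return ((major, minor, portable), vendor_suffix) from `ssh -V` output or a
    banner such as "SSH-2.0-OpenSSH_9.7p1 Ubuntu-3ubuntu13". portable is None for
    a non-Portable build (no "pN" component, e.g. OpenBSD's own sshd)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSH version string: %r" % text)
    portable = int(m.group(3)) if m.group(3) is not None else None
    suffix = (m.group(4) or "").strip()
    return (int(m.group(1)), int(m.group(2)), portable), suffix


def assess(text):
    """Classify one version string: 'not-portable' (range does not apply),
    'not-affected', 'patched-by-distro', 'check-distro-advisory' (in range with a
    vendor suffix; the number alone cannot tell whether the fix was backported),
    or 'affected' (in range, plain upstream build)."""
    version, suffix = parse_version(text)
    if version[2] is None:
        return "not-portable"
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "not-affected"
    if (version, suffix) in KNOWN_FIXED:
        return "patched-by-distro"
    if suffix:
        return "check-distro-advisory"
    return "affected"


if __name__ == "__main__":
    # Constructed sample strings, not collected from real hosts.
    for s in ["OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.11 19 Sep 2023",
              "SSH-2.0-OpenSSH_9.7p1 Ubuntu-3ubuntu13",
              "OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024",
              "OpenSSH_9.3p2"]:
        print(s.split(",")[0], "->", assess(s))
```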
Comments
Life is too short to upgrade OpenSSH.
Unable to push-up due to shoulder injury 😣
More info (probably) can be found here, but the week is too busy, so I didn't manage to have even the briefest look into all this:
Last night I worked on upgrading all my servers. Damn you hackers!
Apparently it takes hours to exploit this on 32bit machines, tested with 10ms jitter.
Roughly 10k retries until successful exploitation.
On 64bit, apparently a week.
But my guess is: the more unstable the network is, and the further away the target is, the more retries you have to do.
Unlikely that random machines are getting exploited, more like targeted attacks.
Still patch it though.
Free NAT KVM | Free NAT LXC | Bobr
I've set up a whitelist in the firewall, so is my VPS vulnerable if I don't update OpenSSH immediately?
From a security stance, still update.
If you know what dc your target is in, you could get a box in there as well and minimize jitter, right? That should cut down on the amount of attempts to make drastically.
Hey teamacc. You're a dick. (c) Jon Biloh, 2020.
The more oversold the Node is, the harder it should be too.
All the CPU steal the sshd daemon is hit with, good luck with your timing attacks bro.
I've never felt as safe as with my @c1vhosting vps.
The more downtime you have, the safer it should be too.
Why wouldn't you though? All it takes is an apt/dnf upgrade openssh
Plot twist: They're running Gentoo.
I'm running on Debian Buster.
Excellent, @aRNoLD, excellent. That's the only thing that has bothered me for years. What version of Debian does Arnold run?
Now that I know, I can die peacefully.
Not so soon!
Just use Dropbear
youtube.com/watch?v=k1BneeJTDcU
You guys never have any good news...
Websites have ads, I have ad-blocker.
That's a very interesting theory!
The more the downtime, the safer the server.
Cold servers, operated only when they're needed. If any.
Plus it reduces mean time before failure and cuts down on the energy bill.