undefined | Better HN

0 pointscrispyambulance1y ago0 comments

I am not embarrassed to say... is there anything in there that someone who runs a server with ssh needs to know?

I literally can't make heads or tails of the risk here. All I see is the very alarming and scary words "backdoor" and "ssh server" in the same sentence.

If I am keeping stuff up to date, is there anything at all to worry about?

0 comments

pxx1y ago

You should probably not be running your own publicly-accessible ssh servers if this email is not sufficient to at least start figuring out what your next actions are.

The email itself comes with an evaluation script to figure out if anything is currently vulnerable to specifically this discovery. For affected distributions, openssh servers may have been backdoored for at least the past month.

crispyambulanceOP1y ago

Yet here I am, getting up every morning and getting dressed and tying my shoes all by myself, and then maintaining a small number of servers that have openssh on them!

Thanks, though, for pointing out the little script at the very end of that technical gauntlet of an email intended for specialists. I had gotten through the first 3 or 4 paragraphs and had given up.

What I should have done is just googled CVE-2024-3094, whatever, still glad I asked.

ShamelessC1y ago

> You should probably not be running your own publicly-accessible ssh servers if this email is not sufficient to at least start figuring out what your next actions are.

That seems like a fairly unreasonable stance.

frenchman991y ago

Not at all. For instance, I don't know what the next steps are, but I run SSH servers behind Wireguard, exactly to prevent them being accessible in the case of such events. Wireguard is simple to setup, even if I lack the expertise to understand exactly how to go forward.

dualbus1y ago

> I literally can't make heads or tails of the risk here. All I see is the very alarming and scary words "backdoor" and "ssh server" in the same sentence.

From what I've read, there is still lots of unknowns about the scope of the problem. What has been uncovered so far indicates it involves bypassing authentication in SSH.

In https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78b..., Sam James points out

> If this payload is loaded in openssh sshd, the RSA_public_decrypt function will be redirected into a malicious implementation. We have observed that this malicious implementation can be used to bypass authentication. Further research is being done to explain why.

Thus, an attacker maybe could use this to connect to vulnerable servers without needing to authenticate at all.

crispyambulanceOP1y ago

Thanks, that gist is a really lucid explanation for normal folks.

j / k navigate · click thread line to collapse

0 comments

pxx1y ago

You should probably not be running your own publicly-accessible ssh servers if this email is not sufficient to at least start figuring out what your next actions are.

crispyambulanceOP1y ago

Yet here I am, getting up every morning and getting dressed and tying my shoes all by myself, and then maintaining a small number of servers that have openssh on them!

Thanks, though, for pointing out the little script at the very end of that technical gauntlet of an email intended for specialists. I had gotten through the first 3 or 4 paragraphs and had given up.

What I should have done is just googled CVE-2024-3094, whatever, still glad I asked.

ShamelessC1y ago

> You should probably not be running your own publicly-accessible ssh servers if this email is not sufficient to at least start figuring out what your next actions are.

That seems like a fairly unreasonable stance.

frenchman991y ago

dualbus1y ago

> I literally can't make heads or tails of the risk here. All I see is the very alarming and scary words "backdoor" and "ssh server" in the same sentence.

From what I've read, there is still lots of unknowns about the scope of the problem. What has been uncovered so far indicates it involves bypassing authentication in SSH.

In https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78b..., Sam James points out

Thus, an attacker maybe could use this to connect to vulnerable servers without needing to authenticate at all.

crispyambulanceOP1y ago

Thanks, that gist is a really lucid explanation for normal folks.

j / k navigate · click thread line to collapse