undefined | Better HN

0 pointsIanvdl1y ago0 comments

> Statement

> The flaw affects RHEL9 as the regression was introduced after the OpenSSH version shipped with RHEL8 was published.

0 comments

However, we see the -D option on the listening parent:

  $ ps ax | grep sshd | head -1
     1306 ?        Ss     0:01 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

As mentioned elsewhere here, is -D sufficient to avoid exploitation, or is -e necessary as well?

  $ man sshd | sed -n '/ -[De]/,/^$/p'
     -D      When this option is specified, sshd will not
             detach and does not become a daemon.  This
             allows easy monitoring of sshd.

     -e      Write debug logs to standard error instead
             of the system log.

RHEL9 is also 64-bit only, and we see from the notice:

"we have started to work on an amd64 exploit, which is much harder because of the stronger ASLR."

On top of writing the exploit to target 32-bit environments, this also requires a DSA key that implements multiple calls to free().

There is a section on "Rocky Linux 9" near the end of the linked advisory where unsuccessful exploit attempts are discussed.

Arnavion1y ago

>As mentioned elsewhere here, is -D sufficient to avoid exploitation, or is -e necessary as well?

https://github.com/openssh/openssh-portable/blob/V_9_8_P1/ss...

sshd.c handles no_daemon (-D) and log_stderr (-e) independently. log_stderr is what is given to log_init in log.c that gates the call to syslog functions. There is a special case to set log_stderr to true if debug_flag (-d) is set, but nothing for no_daemon.

I can't test it right now though so I may be missing something.

chasil1y ago

I'm on Oracle Linux, and they appear to have already issued a patch for this problem:

  openssh-8.7p1-38.0.2.el9.x86_64.rpm
  openssh-server-8.7p1-38.0.2.el9.x86_64.rpm
  openssh-clients-8.7p1-38.0.2.el9.x86_64.rpm

The changelog addresses the CVE directly. It does not appear that adding the -e directive is necessary with this patch.

  $ rpm -q --changelog openssh-server | head -3
  * Wed Jun 26 2024 Alex Burmashev <alexander.burmashev@oracle.com> - 8.7p1-38.0.2
  - Restore dropped earlier ifdef condition for safe _exit(1) call in sshsigdie() [Orabug: 36783468]
    Resolves CVE-2024-6387

INTPenis1y ago

So in other words, -De is not a workaround. -Dde might be but it will cause more log output than is wanted.

Arnavion1y ago

-De is a workaround. -D is not.

babuskov1y ago

Speaking of Rocky 9, they suggest to get the new version from the SIG/Security repository:

https://rockylinux.org/news/2024-07-01-rocky-linux-9-cve-202...

j / k navigate · click thread line to collapse

0 comments

chasil1y ago

However, we see the -D option on the listening parent:

  $ ps ax | grep sshd | head -1
     1306 ?        Ss     0:01 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

As mentioned elsewhere here, is -D sufficient to avoid exploitation, or is -e necessary as well?

  $ man sshd | sed -n '/ -[De]/,/^$/p'
     -D      When this option is specified, sshd will not
             detach and does not become a daemon.  This
             allows easy monitoring of sshd.

     -e      Write debug logs to standard error instead
             of the system log.

RHEL9 is also 64-bit only, and we see from the notice:

"we have started to work on an amd64 exploit, which is much harder because of the stronger ASLR."

On top of writing the exploit to target 32-bit environments, this also requires a DSA key that implements multiple calls to free().

There is a section on "Rocky Linux 9" near the end of the linked advisory where unsuccessful exploit attempts are discussed.

Arnavion1y ago

>As mentioned elsewhere here, is -D sufficient to avoid exploitation, or is -e necessary as well?

https://github.com/openssh/openssh-portable/blob/V_9_8_P1/ss...

I can't test it right now though so I may be missing something.

chasil1y ago

I'm on Oracle Linux, and they appear to have already issued a patch for this problem:

  openssh-8.7p1-38.0.2.el9.x86_64.rpm
  openssh-server-8.7p1-38.0.2.el9.x86_64.rpm
  openssh-clients-8.7p1-38.0.2.el9.x86_64.rpm

The changelog addresses the CVE directly. It does not appear that adding the -e directive is necessary with this patch.

  $ rpm -q --changelog openssh-server | head -3
  * Wed Jun 26 2024 Alex Burmashev <alexander.burmashev@oracle.com> - 8.7p1-38.0.2
  - Restore dropped earlier ifdef condition for safe _exit(1) call in sshsigdie() [Orabug: 36783468]
    Resolves CVE-2024-6387

INTPenis1y ago

So in other words, -De is not a workaround. -Dde might be but it will cause more log output than is wanted.

Arnavion1y ago

-De is a workaround. -D is not.

babuskov1y ago

Speaking of Rocky 9, they suggest to get the new version from the SIG/Security repository:

https://rockylinux.org/news/2024-07-01-rocky-linux-9-cve-202...

j / k navigate · click thread line to collapse