SECURITY ADVISORY OpenSSH Remote Code Execution CVE-2024-6387 “regreSSHion” – update your servers ASAP

Huge thanks for their quick actions - especially emily!


Temporary workaround with tradeoffs

Seriously, remove this line after patching; it trades a remote code execution vulnerability for a denial-of-service vulnerability.

According to the Qualys report, setting LoginGraceTime = 0 disables exploitation of the vulnerability but makes you vulnerable to denial-of-service attacks.

If you consider this a worthwhile trade-off, you can do so by adding

services.openssh.settings.LoginGraceTime = 0;

to your system's config. Don’t forget to redeploy & restart the SSH service :wink:


Original NixOS post
(Announcement copied verbatim from NixOS Discourse)

A critical‐severity OpenSSH security vulnerability has been disclosed that can lead to remote code execution as root. We have fixed this by upgrading OpenSSH on unstable and backporting a patch fix from upstream to 24.05 and 23.11, and that fix has now reached the nixos-unstable-small and nixos-24.05-small channels.

If you have an internet‐exposed server running OpenSSH that uses the small channels, you should update as soon as possible. If you’re using the standard channels, the fix should reach them in a few hours, but you should consider switching to the small channels if possible.

If you can’t update, or the fix isn’t yet on your channel, you can work around the bug by setting services.openssh.settings.LoginGraceTime = 0; in your NixOS configuration, as suggested by Qualys. Note that this makes you vulnerable to a denial of service attack, so upgrading is preferable.

If you’re on unstable, you may want to check the “Potentially-incompatible changes” section of the upstream 9.8p1 release notes; this does not apply to the stable branches, which use a minimal patch.

You can track the availability of the fix in the release channels:

  • unstable
  • 24.05
  • 23.11 (backported as a courtesy, but out of security support as of this month; please upgrade to 24.05 ASAP)

If you use the openssh_hpn or openssh_gssapi variants, please check the main pull request for trackers.

The exploit has only currently been demonstrated in practice on 32‐bit x86 Linux systems using the deprecated OpenSSH DSA code as an exploit route. We don’t support 32‐bit x86 systems and disable the DSA code, so at the time of posting there is no publicly‐known turnkey exploit for standard NixOS, but the OpenSSH developers are confident that someone will make an exploit for 64‐bit systems, so you should not treat this as buying you more than a few days.

More information on the advisory:

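A worked check for the two points above, added here as an example and not code from the NixOS post or from Qualys: given an OpenSSH version banner and the effective sshd configuration (`sshd -T` output), it reports whether a host is patched, running the LoginGraceTime = 0 workaround, or exposed. The affected version range (8.5p1 up to and including 9.7p1, plus anything older than 4.4p1) is taken from the Qualys advisory; the function names and the sample banner and `sshd -T` lines are constructed for the example. The important caveat is the one the announcement implies: NixOS 24.05 and 23.11 fix this with a minimal backported patch and still report version 9.7, so "vulnerable" from a version-only check means "confirm the nixpkgs revision", not "exploitable".

```sh
#!/bin/sh
# Added example for CVE-2024-6387 triage (not from the NixOS post or Qualys).
# Affected per the Qualys advisory: OpenSSH 8.5p1 <= v < 9.8p1, and v < 4.4p1.
# Caveat: distributions that backport the fix (NixOS 24.05/23.11 among them)
# keep the old version string, so "vulnerable" here means "needs confirming".

# Print one of: vulnerable, fixed, unknown.
# Accepts a raw server banner ("SSH-2.0-OpenSSH_9.7p1 ...", e.g. the first
# line returned by `nc host 22 </dev/null`) or the local form printed by
# `ssh -V` ("OpenSSH_9.7p1, OpenSSL ...").
classify_openssh_version() {
    b=${1#SSH-2.0-}                      # strip the protocol prefix if present
    ver=$(printf '%s\n' "$b" \
        | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo unknown                     # not an OpenSSH banner we can parse
        return 0
    fi
    major=${ver% *}
    minor=${ver#* }
    num=$((major * 100 + minor))         # 9.7 -> 907, 8.5 -> 805, 4.4 -> 404
    if [ "$num" -lt 404 ] || { [ "$num" -ge 805 ] && [ "$num" -lt 908 ]; }; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Extract the effective LoginGraceTime from `sshd -T` output, which prints
# lowercase keywords. Prints the value, or nothing if the key is absent.
login_grace_time() {
    printf '%s\n' "$1" | awk '$1 == "logingracetime" { print $2; exit }'
}

# Overall verdict: "patched" (exit 0), "workaround" (exit 1: LoginGraceTime 0,
# RCE traded for a DoS, remove it after patching) or "exposed" (exit 2).
regresshion_status() {
    if [ "$(classify_openssh_version "$1")" = fixed ]; then
        echo patched
        return 0
    fi
    if [ "$(login_grace_time "$2")" = 0 ]; then
        echo workaround
        return 1
    fi
    echo exposed
    return 2
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER='SSH-2.0-OpenSSH_9.7p1'
SAMPLE_SSHD_T='port 22
addressfamily any
logingracetime 0
permitrootlogin prohibit-password'

# On a real host (sshd -T needs root and the host keys):
#   regresshion_status "$(ssh -V 2>&1)" "$(sshd -T 2>/dev/null)"
regresshion_status "$SAMPLE_BANNER" "$SAMPLE_SSHD_T" || :
```

Run it after the channel update as well: a host that reports 9.8p1 comes back `patched` on its own, while a 24.05 host with the backported fix still shows `workaround` or `exposed` and has to be verified via its nixpkgs revision instead.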

FWIW, in nix fashion you can of course also override the package version locally:

  # Overlay form (self: super: { ... }) so it can go straight into
  # nixpkgs.overlays; builds sshd from the upstream 9.8p1 tarball instead
  # of the channel's version. Hash as posted.
  self: super: {
    openssh = super.openssh.overrideAttrs (_: rec {
      version = "9.8p1";
      src = super.fetchurl {
        url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
        hash = "sha256-3YvQAqN5tdSZ37BQ3R+pr4Ap6ARh9LtsUjxJlz9aOfM=";
      };
    });
  }

See also upstream commit openssh: 9.7p1 -> 9.8p1 · NixOS/nixpkgs@7f993cd · GitHub.

This probably will cause a local rebuild of openssh when rebuilding, just FYI.


Great point!

Update:
As of roughly 2024-07-02T20:00:00Z updates are available in nixpkgs for unstable, 24.05, and 23.11 channels.

See their post: Security advisory: OpenSSH CVE-2024-6387 “regreSSHion” – update your servers ASAP - #19 by emily - Security - NixOS Discourse

Happy patching everybody! And don’t forget the SSH in your initrd if that’s a thingy you use :wink:


Make sure to also get commit Merge pull request #323796 from r-vdp/master · NixOS/nixpkgs@cba702a · GitHub into your configuration if you use boot.initrd.network.ssh.*, otherwise the SSH server will fail to start in stage1.

Speaking from experience: I had to grab an old GPU, plug in a keyboard and monitor, and boot the previous configuration for a homelab server of mine which has FDE and thus needs unlocking via SSH. :^)
