Any information on regreSSHion, an OpenSSH vulnerability?

Hi,
I read OpenSSH versions 8.5p1 to 9.8 are vulnerable to a certain type of attack called regreSSHion. The first OpenSSH version with a fix is said to be 9.8p1.

Just did an openSUSE Tumbleweed update and have

ssh -V
OpenSSH_9.6p1, OpenSSL 3.1.4 24 Oct 2023

Hm, would somebody know if the openSUSE distribution is somehow safe because the scenario for the attack is not met or, if it is not safe, when to expect the update?

Thanks and regards.

  • Exploitation for AMD64 appears to be not practical at this time.

The vast majority of Server and Desktop Linux are unaffected. There will be an updated SSH on Tumbleweed at some point.

@smoothtux is ssh exposed to the internet?

https://bugzilla.opensuse.org/show_bug.cgi?id=CVE-2024-6387

-------------------------------------------------------------------
Mon Jul  1 07:50:28 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>

- Add patch to fix a race condition in a signal handler by removing
  the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
  * fix-CVE-2024-6387.patch

That’s from the devel repo, and the “fixed” version is on its way to Factory.
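Added example, not part of any post in this thread: because the fix above is a backported patch, a patched package still reports 9.6p1, so the version string alone cannot tell you whether the fix is installed. The sketch below combines the version range with a search of the package changelog for the CVE id; the function names and the package name `openssh` in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Global variables are used because
# POSIX sh has no "local".
CVE="CVE-2024-6387"

# Exit 0 if the upstream version is >= 8.5 and < 9.8 (the range discussed
# in the thread), 1 if outside it, 2 if the string cannot be parsed.
in_affected_range() {
    v=${1#OpenSSH_}                      # accept "OpenSSH_9.6p1" or "9.6p1"
    case "$v" in *.*) ;; *) return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%[!0-9]*}               # "6p1" -> "6"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    n=$(( $major * 100 + $minor ))
    [ "$n" -ge 805 ] && [ "$n" -lt 908 ]
}

# $1 = version string, $2 = package changelog text. Prints one verdict.
assess() {
    rc=0
    in_affected_range "$1" || rc=$?
    case $rc in
        1) echo "outside-affected-range" ;;
        0) if printf '%s\n' "$2" | grep -q -- "$CVE"; then
               echo "patched-by-backport"
           else
               echo "needs-update"
           fi ;;
        *) echo "unknown-version" ;;
    esac
}

# Constructed sample: the changelog entry quoted in the thread.
SAMPLE_PATCHED='- Add patch to fix a race condition in a signal handler by removing
  the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
  * fix-CVE-2024-6387.patch'
# Constructed sample: a changelog with no mention of the CVE.
SAMPLE_UNPATCHED='- Update to openssh 9.6p1'

assess "OpenSSH_9.6p1" "$SAMPLE_PATCHED"      # patched-by-backport
assess "OpenSSH_9.6p1" "$SAMPLE_UNPATCHED"    # needs-update

# Real use on an RPM system (package name "openssh" is an assumption):
#   assess "$(rpm -q --qf '%{VERSION}' openssh)" "$(rpm -q --changelog openssh)"
```

Querying the installed package this way covers the server side without needing to run `sshd` itself, and a running `sshd` still has to be restarted after the update before the fix takes effect.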

A good reason to get rid of 32bit…

This is a timing issue, and exploitation is not easily reproducible but takes about 10,000 attempts on x86 (32-bit).

It appears that updates for both Leap and Tumbleweed are now live through the :Update repositories.

Thanks for the lightning fast replies!

And yes, I lost sight of the 32-bit restriction. So 64-bit is correctly impractical if you like to hack a specific site. It just still feels bad if someone picks you at random and lands a “lucky punch”. So good to know the fixes are under way. And yes, I just checked ssh and not sshd. But checking ssh did not require sudo …

Thanks again!

And here I was, wondering about that update to openssh this morning.
