[sebstefan]

>A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges.

FYI that's every version published after 2021-03-03

That's got to be 99% of all linux machines in the world with an ssh daemon running right?

https://www.openssh.com/releasenotes.html

[alright2565]

> Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept.

It's pretty bad, but not trivial to exploit, especially since most machines are 64-bit with a larger space for ASLR.

[yjftsjthsd-h]

A surprising number of systems are apparently on an old enough version to be unaffected; ex. RHEL 6-8 aren't vulnerable.

[citrin_ru]

Red Hat 8 (maintenance support until 2029) has openssh-8.0 which is too old to be affected. I suspect other LTS distro may have openssh older 8.5 too. So the number should be below 99%.

[ta1243]

> That's got to be 99% of all linux machines in the world with an ssh daemon running right?

Since 2021? Nah. 90% of my estate is ubuntu 2018 or earlier.

[cedws]

99%… that’s funny :P

[0x1ceb00da]

Using this exploit, connected non root users can gain root access. Multiple user machines are more or less a thing of the past. These days most common use case of ssh is logging in to a remote server you already own with root privileges. So most of the users are unaffected by this exploit.

[gcr]

Are you sure? The text implies that the unsafe path is getting interrupted while parsing a DSA key, which presumably occurs before authentication?

[b112]

Indeed, remote root is possible.

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion....

[bheadmaster]

> These days most common use case of ssh is logging in to a remote server you already own with root privileges

I only see this in relatively small and "young" teams. In any bigger organization I've worked in, a new user is created for each person who uses the machine.

[withinboredom]

I have a script that looks at your github org/team and generates/updates users on-demand then lets you connect.

The script is pretty straightforward, see AuthorizedKeysCommand and https://github.com/{$user}.keys

[ta1243]

Certainly, but in my org they're trusted with sudo access (which gets logged to syslog).

[tgv]

I don't think it's best practice to give root privilege to a login account.

[Fire-Dragon-DoL]

What do you give it to?

[tgv]

To root, and you must have a sudo password to get it. It stops both hackers and colleagues who need access to the servers, but can't be trusted with root privileges.