New SSH vulnerability

A vulnerability (CVE-2024-6387) has been discovered in OpenSSH by the Qualys Threat Research Unit (TRU). Successful exploitation of this vulnerability allows a remote, unauthenticated attacker to execute arbitrary code as root on the target machine. For more details on this vulnerability, see https://www.openssh.com/txt/release-9.8


Any word about this from Sangoma ?

I might well be incorrect, but apparently a MITM bad guy able to uninterruptedly watch traffic to one particular host for several hours ‘MIGHT’ observe an irregularity in a keypress sequence timing that possibly could trigger another process to try and decode that password every time the non-root user logs in and escalate to root.

So as the doc said “well. don’t that”. Personally, I only allow public keys on an obscure port simply because it’s quieter, but further, allowing the root user to password login kinda makes it trivial for the MITM to pwn you :wink:

(Probably not something most FreePBX’ers need to wet their knickers about until Sangoma patches their OS (Debian already patched) :wink: )

Ref:


This vulnerability impacts:

  • OpenSSH versions earlier than 4.4p1
  • OpenSSH versions between 8.5p1 and 9.8p1

@wifx what SSH version do you have?

ssh -V

root@freepbx17:~# ssh -V
OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.13 30 Jan 2024

From an install of “bookworm” on DigitalOcean

@brk you should be fine. Your version of 9.2p1-2+deb12u3 is fixed.

https://security-tracker.debian.org/tracker/CVE-2024-6387


FreePBX 16

[root@freepbx ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

Version is old, but is not affected by the above CVE

FreePBX 17

As per above, the system could be affected, and apt-get update is required.
Fixed version in Deb12 is 9.2p1-2+deb12u3

We are putting all our efforts to get FreePBX 17 and PBXact 17 to GA.
We are not going to be doing a major OS update on FreePBX 16.
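To make the `ssh -V` checks in this thread repeatable, here is an added example (not from the thread, FreePBX or Sangoma) that parses an `ssh -V` banner against the two affected ranges quoted above and recognises the Debian 12 backport (9.2p1-2+deb12u3) mentioned above; the function names and the constructed sample banners are my own.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected ranges as stated in the thread: < 4.4p1, and 8.5p1 up to (not including) 9.8p1.
VULN_OLD_BELOW = (4, 4, 1)
VULN_NEW_FROM, VULN_NEW_BELOW = (8, 5, 1), (9, 8, 1)
# Debian 12 ships a backported fix in 9.2p1-2+deb12u3 (from the thread); assumption: any
# later deb12 revision of 9.2p1 also carries it.
DEB12_FIXED_REV = (2, 3)  # (Debian revision, deb12u suffix)

def parse_upstream(banner: str) -> Tuple[int, int, int]:
    """'OpenSSH_9.2p1 Debian-2+deb12u3, ...' -> (9, 2, 1); a missing pN counts as p0."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def parse_debian_revision(banner: str) -> Optional[Tuple[int, int, int]]:
    """'Debian-2+deb12u3' -> (2, 12, 3); None when the banner has no Debian revision."""
    m = re.search(r"Debian-(\d+)\+deb(\d+)u(\d+)", banner)
    if not m:
        return None
    rev, release, update = (int(x) for x in m.groups())
    return (rev, release, update)

def assess(banner: str) -> str:
    """Classify a banner as 'affected', 'not affected' or 'fixed (Debian backport)'."""
    v = parse_upstream(banner)
    if v < VULN_OLD_BELOW:
        return "affected"
    if VULN_NEW_FROM <= v < VULN_NEW_BELOW:
        deb = parse_debian_revision(banner)
        if deb and deb[1] == 12 and v == (9, 2, 1) and (deb[0], deb[2]) >= DEB12_FIXED_REV:
            return "fixed (Debian backport)"
        return "affected"
    return "not affected"

def local_banner() -> str:
    """Run `ssh -V` on this host; OpenSSH prints the banner on stderr."""
    proc = subprocess.run(["ssh", "-V"], capture_output=True, text=True, check=False)
    return (proc.stdout + proc.stderr).strip()

if __name__ == "__main__":
    banner = local_banner()
    print(banner, "->", assess(banner))
```

Only Debian's backport is recognised here; a banner from another distribution that patched without bumping the upstream version will still be reported as affected, so confirm against that vendor's security tracker.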


Just checking: make sure Debian bookworm has the security ‘debs’ enabled in apt to get the patch.

deb http://security.debian.org/debian-security bookworm-security main contrib non-free
deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free

I did an update && upgrade, and a reboot. It's FreePBX 17 on Debian 12.
The ssh version is now like you said.
However, the upgrade asked for a new php version and a new php.ini.
I answered with No (keep the installed version).
What I now get every minute:
Cron asterisk@cent2 [ -e /usr/sbin/fwconsole ] && /usr/sbin/fwconsole job --run --quiet 2>&1 > /dev/null
Cannot load the ionCube PHP Loader - it was already loaded

Any idea how to solve this?

OK, already answered:
Please remove or comment out the line below from /etc/php/8.2/apache2/php.ini and /etc/php/8.2/cli/php.ini and give it a try. Thanks.
zend_extension=/usr/lib64/php/20220829/ioncube_loader_lin_8.2.so

Was it right to say “No” on the upgrade question “upgrade y or keep current version n”?