buildkite / elastic-ci-stack-for-aws

An auto-scaling cluster of build agents running in your own AWS VPC
https://buildkite.com/docs/quickstart/elastic-ci-stack-aws
MIT License

AMI is vulnerable to the regreSSHion SSH vulnerability #1347

Closed noizwaves closed 4 months ago

noizwaves commented 4 months ago

Describe the bug

We’re in the process of removing vulnerable SSH versions from our systems, and we noticed our Elastic CI stack based instances are running a vulnerable version (OpenSSH_8.7p1, OpenSSL 3.0.8 7 Feb 2023). We’re running the latest version of Elastic CI.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Launch a Cloudformation of version 6.22.3
  2. Connect to one of the hosts
  3. Run ssh -V

Expected behavior

The version of SSH satisfies: 8.5p1 up to, but not including, 9.8p1

Actual behaviour

Version is 8.7p1

Stack parameters (please complete the following information):

Additional context

Add any other context about the problem here.

DrJosh9000 commented 4 months ago

Hi @noizwaves, thanks for the report. It seems surprising that we'd be shipping a vulnerable version of OpenSSH, since each release is based on the latest stable Amazon Linux 2023 AMI.

ALAS-2024-649 indicates the new package version as openssh-server-8.7p1-8.amzn2023.0.11.

(It does seem confusing that they would continue to use an OpenSSH version number within the range that OpenSSH has declared to be vulnerable, but I suppose someone backported the fix.)

To check, on a fresh stack:

sh-5.2$ dnf list openssh-server
Amazon Linux 2023 repository                                                                         51 MB/s |  25 MB     00:00
Amazon Linux 2023 Kernel Livepatch repository                                                        64 kB/s |  11 kB     00:00
Installed Packages
openssh-server.x86_64                                         8.7p1-8.amzn2023.0.11                                          @System

To double-check, I then tried a PoC for regreSSHion on this test instance, and it failed (though I didn't try any tuning to help it succeed).
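The distinction drawn above, that ssh -V reports the upstream OpenSSH version string while a backported fix is only visible in the package version-release, is what a fleet-wide check has to encode. The following Python is an added example, not code from the elastic-ci-stack-for-aws project or from either commenter: it pulls the "Installed Packages" line out of dnf list openssh-server output and compares it with the ALAS-2024-649 fixed version using a simplified reimplementation of RPM's rpmvercmp ordering (no epoch, tilde or caret handling, which is enough for the version strings in this thread). The sample dnf output strings and the older release number 8.amzn2023.0.9 are constructed for illustration.

```python
"""Check whether an installed Amazon Linux 2023 openssh-server package is at or
above the fixed version named in ALAS-2024-649, using RPM version-release
ordering rather than the upstream version printed by `ssh -V`.

Added example; not part of the elastic-ci-stack-for-aws project. The
comparison is a simplified reimplementation of rpmvercmp (no epoch, tilde
or caret handling).
"""
import re
from typing import Optional

# Fixed package version-release from ALAS-2024-649, as quoted in the thread.
FIXED_OPENSSH_SERVER = "8.7p1-8.amzn2023.0.11"

# Constructed sample: the "Installed Packages" section of `dnf list openssh-server`
# on a patched host, and a hypothetical pre-fix release for comparison.
SAMPLE_DNF_OUTPUT_PATCHED = (
    "Installed Packages\n"
    "openssh-server.x86_64    8.7p1-8.amzn2023.0.11    @System\n"
)
SAMPLE_DNF_OUTPUT_OLD = (
    "Installed Packages\n"
    "openssh-server.x86_64    8.7p1-8.amzn2023.0.9     @System\n"  # constructed older release
)

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpm_segment_cmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings the way rpmvercmp does:
    split into numeric and alphabetic runs; numeric runs compare as integers,
    alphabetic runs compare lexically, and a numeric run is newer than an
    alphabetic run at the same position. Returns -1, 0 or 1."""
    sa = _SEGMENT.findall(a)
    sb = _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def rpm_vr_cmp(vr_a: str, vr_b: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    c = rpm_segment_cmp(va, vb)
    return c if c != 0 else rpm_segment_cmp(ra, rb)


def installed_version(dnf_output: str, package: str = "openssh-server") -> Optional[str]:
    """Return the version-release column for `package` from `dnf list` output,
    or None if the package line is not present."""
    for line in dnf_output.splitlines():
        parts = line.split()
        # First column is "<name>.<arch>"; strip the arch before matching.
        if len(parts) >= 2 and parts[0].split(".")[0] == package:
            return parts[1]
    return None


def is_patched(dnf_output: str, fixed: str = FIXED_OPENSSH_SERVER) -> bool:
    """True when the installed package is at or above the ALAS fixed version."""
    vr = installed_version(dnf_output)
    return vr is not None and rpm_vr_cmp(vr, fixed) >= 0


if __name__ == "__main__":
    for label, out in (("patched", SAMPLE_DNF_OUTPUT_PATCHED), ("old", SAMPLE_DNF_OUTPUT_OLD)):
        verdict = "ok" if is_patched(out) else "UPDATE NEEDED"
        print(f"{label}: {installed_version(out)} -> {verdict}")
```

On a live host the same function can be fed the output of dnf list openssh-server (or rpm -q openssh-server, after dropping the package-name prefix); the point is that the decision keys on the release suffix, which is where the distribution records a backported fix that the upstream 8.7p1 string never reflects.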

noizwaves commented 4 months ago

Hey @DrJosh9000 , many thanks for following up on this and providing the extra details. I'm able to confirm this on our hosts as well.

Additionally, running the suggested mitigation (dnf update openssh --releasever 2023.5.20240701) is a noop:

$ sudo dnf update openssh --releasever 2023.5.20240701
Amazon Linux 2023 repository                                                                                52 MB/s |  25 MB     00:00
Last metadata expiration check: 0:00:05 ago on Thu Jul 25 15:35:38 2024.
Dependencies resolved.
Nothing to do.
Complete!

noizwaves commented 4 months ago

Closing out this ticket as the vulnerability has been addressed. Thanks again @DrJosh9000 !