burmilla / os

Tiny Linux distro that runs the entire OS as Docker containers
https://burmillaos.org
Apache License 2.0

CVE-2024-6387 - OpenSSH vulnerability #181

Closed skobkars closed 2 months ago

skobkars commented 2 months ago

BurmillaOS Version: any (all versions are vulnerable, currently using v2.0.1 and v1.9.3)

Where are you running BurmillaOS? GCE

Which processor architecture you are using? x86_64

Do you use some extra hardware? (GPU, etc)? No

Which console you use (default, ubuntu, centos, etc..) default

Do you use some service(s) which are not enabled by default? No

Have you installed some extra tools to console? No

Do you use some other customizations? No

Please share copy of your cloud-init (remember remove all sensitive data first): IRRELEVANT

All versions of Burmilla are using OpenSSH_8.6p1, which is vulnerable under CVE-2024-6387, and Google sends out notifications related to all my Burmilla OS instances.

Can we please either upgrade to 9.8p1 or later, or downgrade to 4.4p1 up to, but not including, 8.5p1, which are listed as not affected: https://www.qualys.com/regresshion-cve-2024-6387/

Thank you,

olljanat commented 2 months ago

All versions of Burmilla are using OpenSSH_8.6p1

@skobkars Where did you get that version from?

v2.0.1 console is based on Debian Bullseye https://github.com/burmilla/os/blob/v2.0.1/images/02-console/Dockerfile#L1 which is why the SSH version is OpenSSH_8.4p1 Debian-5+deb11u3

rancher@burmilla:~$ dpkg -l openssh-server
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture Description
+++-==============-=================-============-=================================================================
ii  openssh-server 1:8.4p1-5+deb11u3 amd64        secure shell (SSH) server, for secure access from remote machines

rancher@burmilla:~$ sudo sshd --version
OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w  11 Sep 2023

v1.9.3 console is based on Debian Buster https://github.com/burmilla/os/blob/v1.9.3/images/02-console/Dockerfile#L1 which is why the SSH version is 7.9p1-10+deb10u4

Can we please either upgrade to 9.8p1 or later, or downgrade to 4.4p1 up to, but not including, 8.5p1, which are listed as not affected: https://www.qualys.com/regresshion-cve-2024-6387/

Based on that site, "This regression was introduced in October 2020 (OpenSSH 8.5p1)." So BurmillaOS shouldn't be affected by this.

skobkars commented 2 months ago

Hmm... You are right @olljanat

It was my mistake, sorry. I first looked at the OpenSSH server version on my Burmilla servers and did see the 7.9p1, but then ran the ssh -vvv command and it reported OpenSSH_8.6p1, which was in fact my client's version, not the server's.

Please ignore the request.
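The thread turned on two things: which OpenSSH version the server actually runs (olljanat's dpkg and sshd --version output), and the fact that ssh -vvv also prints the client's own OpenSSH_ line, which is what skobkars read. The script below is an added example, not BurmillaOS project code: it reads only the server-side identification string, parses the upstream version out of it, and checks it against the affected ranges quoted in the thread from the Qualys advisory (below 4.4p1, or 8.5p1 up to but not including 9.8p1). The function names and the sample banners are my own constructions; the Debian suffix strings follow the format shown in the thread but were not captured from real hosts.

```python
"""Classify an OpenSSH server banner against the CVE-2024-6387 affected ranges.

Added example (not BurmillaOS project code). Ranges are those quoted in the
thread from the Qualys advisory: affected if version < 4.4p1 or
8.5p1 <= version < 9.8p1. Sample banners below are constructed.
"""
import re
import socket
from typing import NamedTuple, Optional

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


class OpenSSHVersion(NamedTuple):
    major: int
    minor: int
    patch: Optional[int]   # the "pN" part, None if the banner omits it
    suffix: str            # vendor suffix, e.g. "Debian-5+deb11u3"


def parse_banner(banner: str) -> OpenSSHVersion:
    """Parse a server identification line such as
    'SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3' into its components."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    suffix = banner[m.end():].strip()
    patch = int(m.group(3)) if m.group(3) else None
    return OpenSSHVersion(int(m.group(1)), int(m.group(2)), patch, suffix)


def upstream_affected(v: OpenSSHVersion) -> bool:
    """True when the upstream version lies in a range Qualys lists as affected.
    Both boundaries of the regression window are p1 releases, so comparing
    (major, minor) is sufficient."""
    mm = (v.major, v.minor)
    return mm < (4, 4) or (8, 5) <= mm < (9, 8)


def classify(banner: str) -> str:
    """Return 'not-affected', 'affected', or 'check-vendor-backport'.
    A vendor suffix means the distro may have backported the fix without
    bumping the upstream version, so the banner alone cannot settle it."""
    v = parse_banner(banner)
    if not upstream_affected(v):
        return "not-affected"
    return "check-vendor-backport" if v.suffix else "affected"


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification string sshd sends on connect (RFC 4253 section 4.2).
    This reads the server side only, which is the distinction the thread turned
    on: 'ssh -vvv' also prints the *client's* OpenSSH_... line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace").strip()


# Constructed sample banners (not captured from real hosts). The first two
# mirror the package versions olljanat quoted for the v2.0.1 and v1.9.3 consoles.
SAMPLES = {
    "burmilla-v2.0.1": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "burmilla-v1.9.3": "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u4",
    "upstream-8.6": "SSH-2.0-OpenSSH_8.6p1",
    "upstream-9.8": "SSH-2.0-OpenSSH_9.8p1",
}


def classify_samples() -> dict:
    """Classify every constructed sample banner."""
    return {name: classify(b) for name, b in SAMPLES.items()}


if __name__ == "__main__":
    # Offline run over the constructed samples; to check a real host instead:
    #   print(classify(fetch_banner("your-host")))
    for name, verdict in classify_samples().items():
        print(f"{name:16s} {SAMPLES[name]:40s} {verdict}")
```

The "check-vendor-backport" verdict exists because a banner like "OpenSSH_8.4p1 Debian-5+deb11u3" carries the distro's own patch level in the suffix; for a version inside the affected window, the distribution's security tracker, not the banner, decides whether the fix was backported. For the two Burmilla consoles the upstream version is outside the window either way, which is the conclusion the thread reached.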