drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mangelnde Rechteprüfung in OpenSSH
Name: |
Mangelnde Rechteprüfung in OpenSSH |
|
ID: |
202407-09 |
|
Distribution: |
Gentoo |
|
Plattformen: |
Keine Angabe |
|
Datum: |
Mo, 1. Juli 2024, 22:47 |
|
Referenzen: |
https://nvd.nist.gov/vuln/detail/CVE-2024-6387 |
|
Applikationen: |
OpenSSH |
|
Originalnachricht |
--===============0741247588835886028== Content-Type: text/plain; charset="utf-8"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202407-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High Title: OpenSSH: Remote Code Execution Date: July 01, 2024 Bugs: #935271 ID: 202407-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis ========
A vulnerability has been discovered in OpenSSH, which can lead to remote code execution with root privileges.
Background ==========
OpenSSH is a free application suite consisting of server and clients that replace tools like telnet, rlogin, rcp and ftp with more secure versions offering additional functionality.
Affected packages =================
Package Vulnerable Unaffected ---------------- ------------ ------------ net-misc/openssh < 9.7_p1-r6 >= 9.7_p1-r6
Description ===========
A vulnerability has been discovered in OpenSSH. Please review the CVE identifier referenced below for details.
Impact ======
A critical vulnerability in sshd(8) was present in Portable OpenSSH versions that may allow arbitrary code execution with root privileges.
Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.
Workaround ==========
There is no known workaround at this time.
Note that Gentoo has backported the fix to the following versions:
net-misc/openssh-9.6_p1-r5 net-misc/openssh-9.7_p1-r6
Resolution ==========
All OpenSSH users should upgrade to the latest version and restart the sshd server (to ensure access for new sessions and no vulnerable code keeps running).
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/openssh-9.7_p1-r6"
With OpenRC: # rc-service sshd restart
With systemD: # systemctl try-restart sshd.service
References ==========
[ 1 ] CVE-2024-6387 https://nvd.nist.gov/vuln/detail/CVE-2024-6387
Availability ============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202407-09
Concerns? =========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License =======
Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5 --===============0741247588835886028== Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmaC8CgACgkQFMQkOaVy +9ks8w/+Jv7wq04hnzh8/aF/8wfqVyJ5gX2WUSTdoC5C1DvwVwCVKYlu9x/3rs8K j5QSfDw0tX40iPHFbaCysCrR+DCBak6dOCL0ONLDVFr8zjsvN151i7hAHOsrsHFh MQxcdjRzx9TDmGCrl+6dG1WvVEoMw7ZnQ9LYRiyEL7S20rC+xfafKLRHAY/t83vY fibrIEubGUjWvcAM4vto0QusKQ/BBt2GquszTzDogZ3yLVM/kXUovY/ymo5qsI0A PuGf6XoWCiQPbGQMw/Lw2dAhGKPe00+kZ0XEWK8MZZNyjgkzBQSNj1Cf/ro/NoEz BVMoTgGG8lNYAuxLPrRSlXTfOtF9+li6p80ALsxnMg5yuK47qtb3sphbqrKigOTP 40R7lisR3pv42BcrRlxjgUjEIZIbAQ4yeBTIkh64969mWxRhoxeKKV5BCr/56CLL BGRefxYk8FrFxWPHmbxjpoRyz5jBXh2dvo+ctZISPF8+b8SDn+qLqE6hwLCCW184 bmrTlaF9l6wCOSB/sevrODZbo8vjjijKtl71elV2BPGlQmPJ6zacc3JdkcGbduzu mJsR5+tVOG6q2UtfSWG/SvUPYxcTSKi/Fv8RkDg6RaRnyoDUniI0FLDzQFvhnVvI QzHYypZSo4MJDTv+y+cVRL9VBPdNuvKf846fzw4bxRLdyGBEMnA= =jrKO -----END PGP SIGNATURE-----
--===============0741247588835886028==--
|
|
|
|