CVE-2024-6387 OpenSSH regreSSHion

https://nvd.nist.gov/vuln/detail/CVE-2024-6387
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

It takes work to exploit it but it’s rated 8.1 and can be used for remote code execution.

So you might want to turn off SSH Access until the patch lands.

The vulnerability has only been shown on 32-bit systems so far. 64-bit systems are next to be investigated, but the Qualys people do say this will be harder due to the stronger ASLR.

Unless you are accessing ssh directly via the Internet rather than via OpenVPN or IPSec, any attack source will be coming from your LAN.

The simplest would be to turn off the sshd daemon when it is not being used, as on 32-bit systems the attacker needs to be making connections to the sshd server for around 6 to 8 hours. On 64-bit systems that time will be longer due to the stronger ASLR.

I will be submitting a patch for the latest version, which will end up in CU187.


Wonderful. Thank you for submitting the patch. I have disabled sshd on my IPFire box for the time being, just to be extra careful.

https://ubuntu.com/security/CVE-2024-6387

Per OpenSSH, adding one line to sshd_config:

LoginGraceTime 0

is enough to mitigate the CVE. On a 32-bit machine it can take 6-8 hours for the attack to work and gain remote root access.

The attack works by repeating failed authentication on a connection more than 5 times. I woke up to this and, after some investigation, it appears that you can add other options to sshd to prevent the failed connections and ban them, such as the application fail2ban on other Linux distros.

At the moment the default in IPFire is LoginGraceTime 30s.

So console/terminal/ssh into the box and edit the sshd_config file at /etc/ssh/sshd_config:

# Limit authentication timeout to 30 seconds
#LoginGraceTime 30s
LoginGraceTime 0

then save and restart ssh if you need to keep using it.

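As an added example (not code from this thread or from IPFire), here is a small Python script that checks whether an sshd_config text really yields LoginGraceTime 0 the way sshd reads it, and flags sources that repeatedly hit the grace timeout in sample log lines. The config text, the log lines and the 192.0.2.10 address are constructed; the "Timeout before authentication" message is what sshd logs when the login grace alarm fires.

```python
import re
from collections import Counter

# Constructed sample of an IPFire-style sshd_config after the edit in the
# thread (30s line commented out, 0 added); not a real file from any box.
SAMPLE_SSHD_CONFIG = """\
# Limit authentication timeout to 30 seconds
#LoginGraceTime 30s
LoginGraceTime 0
"""
# Constructed sshd log lines: one source keeps hitting the grace timeout
# (the message sshd's SIGALRM handler logs), the pattern the thread describes.
SAMPLE_LOG = """\
Jul  1 03:14:07 ipfire sshd[1201]: Timeout before authentication for 192.0.2.10 port 50211
Jul  1 03:14:09 ipfire sshd[1204]: Timeout before authentication for 192.0.2.10 port 50212
Jul  1 03:14:12 ipfire sshd[1207]: Accepted publickey for root from 10.0.0.5 port 40101 ssh2
Jul  1 03:14:15 ipfire sshd[1210]: Timeout before authentication for 192.0.2.10 port 50213
"""
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_time(value):
    """Convert an sshd time value ('30s', '2m', '1h30m', '0') to seconds."""
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))

def effective_login_grace_time(config_text, default=120):
    """LoginGraceTime sshd will use: the keyword is case-insensitive, comments
    are skipped, and sshd keeps the FIRST value for a keyword, so a line appended
    below an active one is ignored. OpenSSH's compiled-in default is 2m (120s)."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "logingracetime":
            return parse_time(parts[1])
    return default

def is_mitigated(config_text):
    """0 disarms the login-grace alarm whose signal handler the race targets.
    Trade-off: idle unauthenticated connections are then bounded only by MaxStartups."""
    return effective_login_grace_time(config_text) == 0

TIMEOUT_RE = re.compile(r"sshd\[\d+\]: Timeout before authentication for (\S+) port \d+")
def timeout_sources(log_text, threshold=3):
    """Sources with at least `threshold` grace-timeout events: the attack needs
    hours of such connections, so a repeat offender is an easy thing to alert on."""
    hits = Counter(m.group(1) for m in map(TIMEOUT_RE.search, log_text.splitlines()) if m)
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    print("effective LoginGraceTime (s):", effective_login_grace_time(SAMPLE_SSHD_CONFIG))
    print("mitigated" if is_mitigated(SAMPLE_SSHD_CONFIG) else "NOT mitigated")
    print("sources repeatedly timing out before auth:", timeout_sources(SAMPLE_LOG))
```

On a real box, feed it the output of `sshd -T` or the contents of /etc/ssh/sshd_config and the sshd lines from the system log.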