人在機場準備要回台灣,在 Hacker News 上看到「RegreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (qualys.com)」這個整個被抽醒,Qualys 的 security advisory 在這:「regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387)」。
剛剛看 Ubuntu 套件已經更新了,請儘快更新...
OpenSSH 官方的「release-9.8」內有提到這是 race condition 造成的問題,在 32-bit 的 lab 環境上面大約六到八小時可以打進去,64-bit 環境理論上應該也是可行的,但時間還沒有被驗證:
Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.
在 security advisory 裡面有提到更細節的部分,解釋了 race condition 的攻擊對象,以及為什麼 OpenBSD 沒中獎:
This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()): an unauthenticated remote code execution as root, because it affects sshd's privileged code, which is not sandboxed and runs with full privileges. We have not investigated any other libc or operating system; but OpenBSD is notably not vulnerable, because its SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog() that was invented by OpenBSD in 2001.
這幾天應該會有更多測試出來,另外 Hacker News 上有人提到上個月 OpenSSH 打算內建阻擋系統的事情,有在猜測跟這個 security advisory 有關?(參考「OpenSSH 要內建阻擋系統了」)...
Anyway,後續可以再研究看看,但現在先趕緊把手上機器更新一輪比較要緊...