CVE-2024-6387 :: Should I be worried?

Another SSH hole (not a back-door this time)

If you run a public-facing SSH server and haven't yet checked which OpenSSH version it is running, be mildly concerned, and go and check now. Then worry properly if it turns out not to be a fixed version.

What is it?

This one is a little easier to understand than the previous SSH exploit, and it is a bug (a regression of an old one, CVE-2006-5051, hence Qualys's name for it, "regreSSHion") rather than something deliberately nefarious.

The problem is a race in sshd's handling of the login-grace timeout. If a client connects but does not finish authenticating within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler fires, and on glibc-based systems that handler ends up calling syslog(), which is not async-signal-safe. If the signal lands while sshd is in the middle of a non-reentrant function such as malloc(), the handler's logging call corrupts the heap, and Qualys turned that into unauthenticated remote code execution as root (demonstrated on 32-bit glibc Linux after many hours of attempts; 64-bit is believed exploitable but was not demonstrated). Because the trigger is simply never completing authentication before the timeout, the authentication method does not matter: key-only servers are just as exposed as ones allowing username / password authentication (which IMO is a really bad idea on a public server anyway).

Which distros are at risk?

Upstream, the affected versions are OpenSSH 8.5p1 up to but not including 9.8p1, plus anything older than 4.4p1 that was never patched for the original 2006 bug; 4.4p1 through 8.4p1 are fine. OpenBSD is not affected, because its SIGALRM handler uses the async-signal-safe syslog_r(); everything else shipping a portable OpenSSH in that range was, including the other BSDs. By now there are updates out for most mainstream distros. I've updated Debian and Ubuntu boxes, all of which had fixes available and now show fixed versions.

How do I check?

Well, the easy answer is to just update any at-risk system. To double-check, refer to your distro's security updates rather than the bare version number: distributions backport the fix and keep the old upstream version string, so a 9.2p1 on a patched Debian box is fine while a 9.2p1 built from source is not. If you genuinely cannot patch yet, Qualys note that setting LoginGraceTime 0 in sshd_config removes the trigger, at the cost of making sshd easy to deny service to by holding connections open until MaxStartups is exhausted. For quick reference;
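As an added example (not from this post or from the OpenSSH project), here is a small triage script that classifies an sshd identification banner against the upstream version ranges in the Qualys advisory. It parses the banner, flags versions in the vulnerable ranges, and, for distribution builds, reminds you that the fix is normally backported without bumping the upstream version, so the package changelog is authoritative. The sample banners are constructed, not captured from real hosts; grab_banner() is the only part that touches the network, and treating a banner with no "pN" suffix as OpenBSD's own (unaffected) sshd is an assumption of this script.

```python
"""Triage sshd banners against the CVE-2024-6387 (regreSSHion) upstream ranges.

Upstream-affected ranges per the Qualys advisory:
  < 4.4p1              vulnerable unless patched for CVE-2006-5051 / CVE-2008-4109
  4.4p1  .. < 8.5p1    not vulnerable
  8.5p1  .. < 9.8p1    vulnerable (the regression)
  >= 9.8p1             fixed
Caveat: distros backport the fix without changing the version string, so a
banner check is only a first pass; the package changelog is authoritative.
"""
import re
import socket

FIRST_SAFE = (4, 4)    # 4.4p1 fixed the original 2006 bug
REGRESSED_AT = (8, 5)  # 8.5p1 reintroduced it
FIXED_AT = (9, 8)      # 9.8p1 fixes CVE-2024-6387

# e.g. "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3" or "SSH-2.0-OpenSSH_9.7"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:p(?P<portable>\d+))?(?P<suffix>\S*)(?:\s+(?P<comment>.*))?$"
)


def parse_banner(banner):
    """Return version details for an OpenSSH banner, or None if it is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return {
        "major": int(m.group("major")),
        "minor": int(m.group("minor")),
        "portable": m.group("portable") is not None,  # "pN" = portable OpenSSH
        "comment": m.group("comment") or "",           # distro/package tag, if any
    }


def upstream_status(major, minor, portable=True):
    """Classify an upstream OpenSSH version; ignores distro backports entirely."""
    if not portable:
        # Assumption: no "pN" suffix means OpenBSD's own sshd, whose SIGALRM
        # handler calls syslog_r() and is not affected per the advisory.
        return "not-vulnerable"
    v = (major, minor)
    if v >= FIXED_AT:
        return "fixed"
    if v >= REGRESSED_AT:
        return "vulnerable"
    if v >= FIRST_SAFE:
        return "not-vulnerable"
    return "vulnerable-unless-patched"


def assess(banner):
    """Combine parsing and classification, adding the backport caveat where relevant."""
    info = parse_banner(banner)
    if info is None:
        return {"status": "not-openssh", "version": None,
                "note": "CVE-2024-6387 is specific to OpenSSH's sshd"}
    status = upstream_status(info["major"], info["minor"], info["portable"])
    note = ""
    if status == "vulnerable" and info["comment"]:
        note = (f"distribution build ({info['comment']}): the fix is usually backported "
                "without changing the upstream version, so check the package "
                "changelog for CVE-2024-6387 before treating this host as vulnerable")
    return {"status": status, "version": f"{info['major']}.{info['minor']}", "note": note}


def grab_banner(host, port=22, timeout=5.0):
    """Fetch the identification line from a live sshd (needs network access).
    A server may send other lines before the one starting with "SSH-"."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        with s.makefile("rb") as f:
            for raw in f:
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line.startswith("SSH-"):
                    return line
    return None


# Constructed sample banners for an offline run; not captured from real hosts.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-OpenSSH_9.7",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        r = assess(b)
        print(f"{b:45} -> {r['status']:25} {r['note']}")
```

Run it against a real host with `assess(grab_banner("your.host"))`; a "vulnerable" result on a distro build means "go and read the changelog", not "exploitable".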

For anyone deeply interested in the background, you can get a full technical breakdown from Qualys;

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt#