CVE-2024-6387: Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server #4379
Comments
|
Is there a possible quick workaround to just update openssh on the OS level and restart just the |
|
There's a mitigation mentioned here; change |
|
I like the following ARG query to see all AKS versions and node versions across all clusters in all subscriptions.
|
|
Can also disable SSH on all AKS nodes: https://learn.microsoft.com/en-us/azure/aks/manage-ssh-node-access?tabs=node-shell#disable-ssh-overview |
|
@miwithro do you have any more details on the timeline when the new image will roll out to the regions? |
|
it seems 202407.01.0 has been removed! So will there be another image?
|
|
Any progress on this? |
|
@riccalioliojr @qaiserali @mehdikops @Egoorbis @gohmc @MikeWedderburn-Clarke we updated the fixed VHD to 202407.03.0 which is now being rolled out to all regions and will be in every region within 3 weeks. If customers need to mitigate now, they should just disable SSH on there cluster too, which was called out above. |
|
@miwithro is this affecting Azure Linux images as well? |
|
tried disabling ssh using disable SSH but no luck. One of the ways is to upgrade the openssh library using https://learn.microsoft.com/en-us/azure/aks/node-access#connect-using-kubectl-debug and then running sudo apt update && sudo apt install openssh-server on the node. |
|
@gurcharan100292 - can you expand on 'tried disabling ssh using disable SSH but no luck'. can you share if you ran into any issues? if yes, repro steps and what issue was observed? |
|
@gurcharan100292 which region/s are your cluster/s in? You can track the rollout of 202407.03.0 which has the fix https://releases.aks.azure.com/webpage/index.html#tabversion |
|
202407.03.0 has been deployed to all Azure regions. |
The website seems to have a problem. The latest I can see is |
|
shashankbarsin miwithro even after disabling the ssh on AKS nodes, the vulnerability still exists. I think the 202407.03.0 version is out now so will try updating the nodes now. |
|
202407.03.0 has fixed the vulnerability for us, thank you! |
Thanks for the info. I'm not sure how you're testing for the vulnerability, but it's important to note that the vuln is IN SSH. So, once you disable SSH on the node, it is no longer susceptible to being exploited. |
|
Ubuntu Fix has been applied to AKS images. SSH Fixed file names openssh-client/jammy-updates,jammy-security,now 1:8.9p1-3ubuntu0.10 amd64 [installed,automatic] Fix is present on:
UBUNTU Changelog
AKS IMAGES INCLUDING THE UBUNTU FIX To grant the nodes are using an image containing the fix update to the latest available node image version Additional References |
It was discovered that OpenSSH incorrectly handled signal management. A remote attacker could use this issue to bypass authentication and remotely access systems without proper credentials.
https://ubuntu.com/security/CVE-2024-6387
AKS Information
Upgrade your Ubuntu node image to 202407.03.0 which is finalizing the global rollout to all Azure regions around 7/19/2024.
Upgrade your Azure Linux node image to 202407.08.0 which will begin rolling out globally to all Azure regions the week of 7/15/2024.
Windows is not vulnerable to this specific CVE.
The text was updated successfully, but these errors were encountered: