1

OpenSSH version:

OpenSSH_8.2p1 Ubuntu-4ubuntu0.11, OpenSSL 1.1.1f  31 Mar 2020

According to this Qualys blog post, that version is not affected by the SSH bug.

I noticed the SSL version looked old - March 2020. I ran apt-get update and then checked:

apt-cache policy openssl
openssl:
  Installed: 1.1.1f-1ubuntu2.22
  Candidate: 1.1.1f-1ubuntu2.22
  Version table:
 *** 1.1.1f-1ubuntu2.22 500
        500 http://mirrors.linode.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1f-1ubuntu2 500
        500 http://mirrors.linode.com/ubuntu focal/main amd64 Packages

I'm confused about why it has an installed version the same as a candidate.

I found this other blog post, which is still listed as 1.1.1f.

I'm confused about what I need to update to be secure?

4

1 Answer

4

I'm confused about what I need to update to be secure.

You should update to Ubuntu 24.04 LTS, then of course patch OpenSSH to 9.8p1.

A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges.

You are only vulnerable to CVE-2024-6387 if you are running OpenSSH 8.5p1 through 9.7p1 (inclusive). So you are already secure against the vulnerability you are asking about. OpenSSH 4.4p1 up to, but not including, 8.5p1 are not vulnerable.

Source: https://www.openssh.com/txt/release-9.8

RegreSSHion was introduced in a very recent code update and is considered a regression of a previous bug that was fixed. As I attempt to point out, you have a version from before the vulnerability was reintroduced, and after it was originally patched. OpenSSH 8.1p1 is not vulnerable to RegreSSHion; that does not mean it's not vulnerable to other vulnerabilities that were recently patched, which is the reason I suggest upgrading to the current LTS release.

1
  • Can you put a link to the documentation on how to patch it to 9.8p1? Commented Jul 10 at 18:02
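
The version ranges quoted in the answer, turned into a check. This is an added example, not part of the original question or answer: a POSIX shell function that parses a banner like the one in the question and classifies it. The function names and result labels are assumptions, and every banner except the first is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): classify an OpenSSH version banner
# against the CVE-2024-6387 ranges quoted in the answer. Function names and
# result labels are hypothetical.

# Print "major minor" parsed from a banner such as the one in the question.
# Leading zeros are dropped so the shell never reads a field as octal.
parse_openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_0*\([0-9][0-9]*\)\.0*\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1
}

# Fold major.minor into one integer so ranges compare numerically (8.5 -> 8005).
version_key() { echo $(( $1 * 1000 + $2 )); }

classify_regresshion() {
    parsed=$(parse_openssh_version "$1")
    [ -n "$parsed" ] || { echo "unparsed"; return 0; }
    # shellcheck disable=SC2086  # word splitting of "major minor" is intended
    key=$(version_key $parsed)
    if   [ "$key" -ge "$(version_key 9 8)" ]; then echo "fixed-upstream"
    # Distributions can backport the fix without changing the upstream version,
    # so this result means "check the distro security notice", not "exploitable".
    elif [ "$key" -ge "$(version_key 8 5)" ]; then echo "in-affected-range"
    elif [ "$key" -ge "$(version_key 4 4)" ]; then echo "not-affected"
    # The answer states nothing about releases older than 4.4p1.
    else echo "outside-quoted-ranges"
    fi
}

# First banner is the one from the question; the rest are constructed samples.
for banner in \
    "OpenSSH_8.2p1 Ubuntu-4ubuntu0.11, OpenSSL 1.1.1f  31 Mar 2020" \
    "OpenSSH_8.5p1, constructed sample" \
    "OpenSSH_9.7p1, constructed sample" \
    "OpenSSH_9.8p1, constructed sample" \
    "not an ssh banner"
do
    printf '%-22s %s\n' "$(classify_regresshion "$banner")" "$banner"
done
```

To check a live host, pass the real banner with `classify_regresshion "$(ssh -V 2>&1)"`, since `ssh -V` writes its version string to stderr.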
