
Google is stating that the system image cos-101-17162-463-55 is not vulnerable to the security vulnerability CVE-2024-6387, but they don't say why.

I'm confused as I've installed cos-101-17162-463-55:

> cat /etc/os-release
NAME="Container-Optimized OS"
ID=cos
PRETTY_NAME="Container-Optimized OS from Google"
HOME_URL="https://cloud.google.com/container-optimized-os/docs"
BUG_REPORT_URL="https://cloud.google.com/container-optimized-os/docs/resources/support-policy#contact_us"
GOOGLE_METRICS_PRODUCT_ID=26
GOOGLE_CRASH_ID=Lakitu
KERNEL_COMMIT_ID=d650d6e37bc746134b41f3f34a31d4af7d875438
VERSION=101
VERSION_ID=101
BUILD_ID=17162.463.55

But OpenSSH is still on one of the vulnerable versions:

> ssh -V
OpenSSH_8.5p1, OpenSSL 1.1.1v  1 Aug 2023

https://www.openssh.com/txt/release-9.8

says versions 8.5p1 - 9.7p1 are affected.

Did they just apply another patch to fix this without updating ssh?

I checked grep 'LoginGraceTime' /etc/ssh/sshd_config, which is a patch suggested by Google, but it seems that it's not applied.

  • I applied the LoginGraceTime = 0 workaround manually, just in case, but am still confused if the system update should have updated ssh to version 9.8 or not.
    – hb0
    Commented Jul 4 at 13:16

1 Answer


This is indeed very confusing.

My head spins reading this blog post from Qualys, but if you are using cos-101-17162-463-55 you should be fine.

My assumption is that if cos-101-17162-463-55 is fully patched, it contains a back port of whatever patch exists for OpenSSH 8.5p1 that mitigates this vulnerability.

The thing with OS-provided packages is they often retain the same version number but silently backport packages. Strict version numbers are confusingly relevant only for direct source code installs.

This page of official release notes from Google seems to address the issue: Container-Optimized OS Release Notes: Milestone 101.

The update for July 1, 2024 indicates these items were affected; the last item is CVE-2024-6387 which is the OpenSSH version:

  • Security: Fixed CVE-2024-38662 in the Linux kernel.
  • Changed: Runtime sysctl changes:
    • Added: net.ipv4.tcp_rto_min_us: 200000
  • Security: Fixed CVE-2024-6387 in net-misc/openssh.

In general, I would trust Google’s advice regardless of the indicated OpenSSH version, as counter-intuitive as that might seem.


Update: Thanks to a comment, I now know there is a Python tool that can be used to scan hosts for this OpenSSH flaw.
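As an added example (not code from the question, the answer, or the Python scanner mentioned above), a small Python triage helper that applies the logic discussed in this thread: it parses the version out of ssh -V output, checks it against the 8.5p1 to 9.7p1 range from the OpenSSH 9.8 release notes, and reads sshd_config for the LoginGraceTime 0 workaround. Function names and the sample sshd_config lines are constructed; a version inside the range deliberately yields "confirm a vendor backport" rather than "vulnerable", for the backport reason the answer gives.

```python
import re

# Affected range from the OpenSSH 9.8 release notes cited above: 8.5p1 through 9.7p1 (major.minor suffices).
AFFECTED_MIN, AFFECTED_MAX = (8, 5), (9, 7)
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_openssh_version(banner):
    """(major, minor, portable) from 'ssh -V' output or a server banner; None if absent."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))

def upstream_version_affected(version):
    """True if in the upstream-affected range. Says nothing about vendor backports."""
    return AFFECTED_MIN <= version[:2] <= AFFECTED_MAX

def login_grace_time(sshd_config):
    """Global LoginGraceTime in seconds (first occurrence wins, as in sshd), or None if unset.
    Stops at the first Match block (not valid there); accepts a plain number or e.g. 2m."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)
        if key.lower() == "match":
            break
        if key.lower() == "logingracetime" and rest:
            num, unit = re.fullmatch(r"(\d+)([smhdw]?)", rest[0].lower()).groups()
            return int(num) * TIME_UNITS[unit]
    return None

def triage(banner, sshd_config):
    """Classify a host. A version inside the range is a prompt to check the vendor
    advisory, not proof of exposure, because distros backport fixes under old versions."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown: no OpenSSH version found"
    if not upstream_version_affected(version):
        return "not affected: version outside upstream range"
    if login_grace_time(sshd_config) == 0:
        return "workaround present: LoginGraceTime 0"
    return "in affected range: confirm a vendor backport in the release notes"

BANNER = "OpenSSH_8.5p1, OpenSSL 1.1.1v  1 Aug 2023"  # constructed: the banner from the question
print(triage(BANNER, "PermitRootLogin no\n"))
print(triage(BANNER, "# regreSSHion workaround\nLoginGraceTime 0\n"))
```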

