The regreSSHion Bug

Hi everyone,

I would like to ask the community some advice about regreSSHion.

regreSSHion, CVE-2024-6387, is an unauthenticated remote code execution in OpenSSH’s server (sshd) that grants full root access. It affects the default configuration and does not require user interaction. It poses a significant exploit risk.

I am running the latest updates:

* Core 2024.7.1
* Supervisor 2024.06.2
* Operating System 12.4
* Frontend 20240705.0

and OpenSSH is still not patched:

[core-ssh ~]$ sshd -V
OpenSSH_9.6p1, OpenSSL 3.1.4 24 Oct 2023

I see that someone opened an issue to address it: Sshd Regresshion vulnerability · Issue #3460 · home-assistant/operating-system · GitHub

Is this, in fact, an issue for HA? How big of an issue is it?
Is there anything that users can do to mitigate this issue until we get an OS update?

Thanks :slight_smile:

The vulnerability occurs during an SSH authentication attempt.

So it is only an issue if you are exposing the SSH service to the internet, or are likely to have malicious actors on your local network.

@sairon took the time to reply with all the details to the git issue and close it:

HAOS only uses Dropbear for its developer SSH access at port 22222; the OpenSSH package is not enabled there.

If your HA install exposes OpenSSH at any other port, it’s likely through the Terminal/SSH add-on. Thankfully, it’s most likely not vulnerable either, because CVE-2024-6387 only targets glibc-based Linux distributions. The standard HA add-on base image is built from Alpine Linux, which uses the musl C standard library, which is not affected by the bug.
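To turn the two points in that reply into something you can check yourself from the add-on's shell, here is an added script (not from the thread, the issue, or the HA project). It classifies which C library the sshd binary links against from `ldd` output, and whether the version in the `sshd -V` banner falls in the affected range, which I take to be 8.5p1 up to but excluding the fixed 9.8p1 (and the very old pre-4.4p1 builds); the sample banners fed to it are constructed.

```sh
#!/bin/sh
# Added example, not part of the thread. Checks whether the sshd on this box is
# in scope for CVE-2024-6387: (1) libc it links against, since only glibc
# builds are affected, and (2) OpenSSH version range (assumed here: 8.5p1 up to
# but excluding 9.8p1, plus anything before 4.4p1).

# Classify libc from `ldd` output. Arg 1: the ldd output text.
libc_from_ldd() {
  case "$1" in
    *ld-musl*)              echo musl ;;
    *libc.so.6*|*ld-linux*) echo glibc ;;
    *)                      echo unknown ;;
  esac
}

# Print "vulnerable", "not-vulnerable" or "unknown" for an `sshd -V` banner such
# as "OpenSSH_9.6p1, OpenSSL 3.1.4 24 Oct 2023". Only the OpenSSH_X.Y part matters.
version_status() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || { echo unknown; return; }
  major=${ver% *}; minor=${ver#* }
  num=$((major * 100 + minor))              # 9.6 -> 906, 9.8 -> 908
  if [ "$num" -lt 404 ] || { [ "$num" -ge 805 ] && [ "$num" -lt 908 ]; }; then
    echo vulnerable
  else
    echo not-vulnerable
  fi
}

# Combine both: an affected version on a musl build is still out of scope.
# Args: ldd output, sshd -V banner.
assess() {
  libc=$(libc_from_ldd "$1")
  status=$(version_status "$2")
  if [ "$status" = vulnerable ] && [ "$libc" = glibc ]; then
    echo "AT RISK: $2 is linked against glibc, update or stop exposing sshd"
  elif [ "$status" = vulnerable ]; then
    echo "VERSION AFFECTED but libc is $libc (musl builds are not affected)"
  else
    echo "NOT AFFECTED: version status $status, libc $libc"
  fi
}

# Live use on the host you are checking (sshd -V prints its banner on stderr):
#   assess "$(ldd "$(command -v sshd)" 2>&1)" "$(sshd -V 2>&1)"
```

Run on a box where `sshd` is not on PATH, the live call reports `unknown` for both parts rather than a false "not affected".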

Thanks :slight_smile: