CVE-2024-6387 — regreSSHion
On the 1st of July, 2024, CVE-2024-6387 was announced, also known as regreSSHion.
On a theoretical level, this looks like it has the potential to affect a lot of systems.
Impact to LiquidFiles
Does this impact LiquidFiles? Not really.
There are a few reasons LiquidFiles is not really impacted. The first is that the attack takes far too long to actually perform. Initial reports suggest that to exploit a system, an attacker would need to conduct continuous attacks for 6-8h against a 32-bit system. So far, no one has successfully attacked a 64-bit system. The increased address space of 64-bit compared with 32-bit systems would make an attack take exponentially longer. Both LiquidFiles v3.x and v4.x use 64-bit operating systems.
The second reason LiquidFiles is not really vulnerable is that OpenSSH is only used for SSH admin access on port 222. On a properly configured system, this port should only be exposed to your admin network. Feel free to restrict access to port 222 as needed in your network.
When will this be fixed
It already is.
LiquidFiles v4.x
Ubuntu has released an update. If you have Automatic Updates enabled, which is both recommended and the default, your system is already updated. If you have updated your system after the 4th of July, 2024, your system is already updated. If you don't have automatic updates enabled, you can manually update your LiquidFiles v4.x system by running:
apt update && apt upgrade openssh-client openssh-server
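As an added example (not LiquidFiles' own tooling), a small POSIX shell script that checks the two conditions from the steps above on a v4.x host: whether an OpenSSH package upgrade is still pending, and whether unattended upgrades are enabled. The parsing works on text passed in, so the sample inputs below are constructed and the checks can be exercised without touching apt.

```shell
#!/bin/sh
# Added example, not part of the LiquidFiles advisory or product.
# Both checks parse text handed to them so they can run offline on samples.

# Returns 0 if the given `apt list --upgradable` output still lists an
# OpenSSH package, i.e. the Ubuntu fix has not been installed on this host yet.
openssh_upgrade_pending() {
    printf '%s\n' "$1" | grep -Eq '^openssh-(server|client)/'
}

# Returns 0 if the given contents of /etc/apt/apt.conf.d/20auto-upgrades
# (the file Ubuntu's unattended-upgrades reads) enable automatic upgrades.
auto_upgrades_enabled() {
    printf '%s\n' "$1" | grep -Eq '^APT::Periodic::Unattended-Upgrade[[:space:]]+"1";'
}

# Constructed samples (placeholder versions, not real Ubuntu package versions).
SAMPLE_UPGRADABLE='Listing...
openssh-client/jammy-updates 1:0.0-placeholder amd64 [upgradable from: 1:0.0-old]
openssh-server/jammy-updates 1:0.0-placeholder amd64 [upgradable from: 1:0.0-old]'
SAMPLE_PATCHED='Listing...'
SAMPLE_AUTO_ON='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'
SAMPLE_AUTO_OFF='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";'

# Live check against the real host; run with --live on the appliance itself.
check_host() {
    if openssh_upgrade_pending "$(apt list --upgradable 2>/dev/null)"; then
        echo "OpenSSH upgrade pending: run apt update && apt upgrade openssh-client openssh-server"
    else
        echo "No pending OpenSSH upgrade"
    fi
    if auto_upgrades_enabled "$(cat /etc/apt/apt.conf.d/20auto-upgrades 2>/dev/null)"; then
        echo "Automatic updates are enabled"
    else
        echo "Automatic updates are NOT enabled"
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_host
fi
```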
LiquidFiles v3.x and v2.x
CentOS 7 (LiquidFiles v3.x) and CentOS 6 (LiquidFiles v2.x) are not affected.