To fix CVE-2024-6387 (the "regreSSHion" signal-handler race in sshd, which allows unauthenticated remote code execution on glibc-based Linux systems) on Photon OS 4.0, openssh needs to be upgraded to version 8.9p1-8.ph4.
The CVE was identified on a Harbor OVA deployment.
The Harbor 2.9.1 OVA ships Photon OS 4.0 with openssh version 8.9p1-4.ph4 installed:
=======
root@harbor [ ~ ]# yum list installed | grep openssh
openssh-clients.x86_64 8.9p1-4.ph4 @System
openssh-server.x86_64 8.9p1-4.ph4 @System
root@harbor [ ~ ]# cat /etc/lsb-release
DISTRIB_ID="VMware Photon OS"
DISTRIB_RELEASE="4.0"
DISTRIB_CODENAME=Photon
DISTRIB_DESCRIPTION="VMware Photon OS 4.0"
=======
The photon-updates repository has the fixed version 8.9p1-8.ph4 available:
=======
root@harbor [ ~ ]# yum list available | grep openssh
openssh.x86_64 8.4p1-2.ph4 photon-release
openssh-clients.x86_64 8.4p1-2.ph4 photon-release
openssh-server.x86_64 8.4p1-2.ph4 photon-release
openssh.x86_64 8.9p1-8.ph4 photon-updates
openssh-clients.x86_64 8.9p1-8.ph4 photon-updates
openssh-server.x86_64 8.9p1-8.ph4 photon-updates
openssh-socket.x86_64 8.9p1-8.ph4 photon-updates
=======
For air-gapped environments, download the 8.9p1-8.ph4 RPMs manually from https://packages.vmware.com/photon/4.0/photon_updates_4.0_x86_64/x86_64/ on a machine that has internet access. Only openssh-clients and openssh-server are installed on the OVA, so those are the two RPMs needed:
wget https://packages.vmware.com/photon/4.0/photon_updates_4.0_x86_64/x86_64/openssh-server-8.9p1-8.ph4.x86_64.rpm https://packages.vmware.com/photon/4.0/photon_updates_4.0_x86_64/x86_64/openssh-clients-8.9p1-8.ph4.x86_64.rpm
Once the RPMs are downloaded, copy them to the Harbor OVA VM and install them with the command below. Note that --nogpgcheck skips signature verification of the local RPM files; to keep that check, import the Photon signing key (rpm --import /etc/pki/rpm-gpg/VMWARE-RPM-GPG-KEY) and run rpm --checksig on the downloaded files before installing, rather than disabling verification:
=======
tdnf install openssh-server-8.9p1-8.ph4.x86_64.rpm openssh-clients-8.9p1-8.ph4.x86_64.rpm --nogpgcheck
Upgrading:
openssh-clients x86_64 8.9p1-8.ph4 @cmdline 4.84M 5073733
openssh-server x86_64 8.9p1-8.ph4 @cmdline 1.14M 1196403
Total installed size: 5.98M 6270136
Is this ok [y/N]: y
Downloading:
Testing transaction
Running transaction
Installing/Updating: openssh-clients-8.9p1-8.ph4.x86_64
Installing/Updating: openssh-server-8.9p1-8.ph4.x86_64
Removing: openssh-server-8.9p1-4.ph4.x86_64
Warning: The unit file, source configuration file or drop-ins of sshd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
Failed to try-restart sshd.socket: Unit sshd.socket not found.
Warning: The unit file, source configuration file or drop-ins of sshd-keygen.service changed on disk. Run 'systemctl daemon-reload' to reload units.
Removing: openssh-clients-8.9p1-4.ph4.x86_64
Complete!
=======
After this, reload the systemd units, restart sshd, and confirm that the new openssh version is installed. Because the Photon fix is a backport, the sshd banner still reports OpenSSH_8.9, so vulnerability scanners that fingerprint the banner may keep flagging the host; the installed package version is the authoritative check:
=======
root@harbor [ ~/openssh_newversion ]# systemctl daemon-reload
root@harbor [ ~/openssh_newversion ]# systemctl restart sshd
root@harbor [ ~/openssh_newversion ]# systemctl status sshd
● sshd.service - OpenSSH Daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2024-09-05 02:23:10 UTC; 3s ago
Main PID: 2739640 (sshd)
Tasks: 1 (limit: 9511)
Memory: 1.1M
CGroup: /system.slice/sshd.service
└─2739640 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
Sep 05 02:23:10 harbor.DOMAIN.com systemd[1]: Started OpenSSH Daemon.
Sep 05 02:23:10 harbor.DOMAIN.com sshd[2739640]: Server listening on 0.0.0.0 port 22.
Sep 05 02:23:10 harbor.DOMAIN.com sshd[2739640]: Server listening on :: port 22.
root@harbor [ ~/openssh_newversion ]# yum list installed | grep openssh
openssh-clients.x86_64 8.9p1-8.ph4 @System
openssh-server.x86_64 8.9p1-8.ph4 @System
=======
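The whole procedure above (version check, fetching or using pre-staged RPMs, signature verification, install, daemon-reload, restart, re-check) as one POSIX shell script. This is an added example and not part of the original page, of Photon OS or of the Harbor OVA tooling; the version comparison is an approximation of rpmvercmp written in awk, the Photon signing-key path /etc/pki/rpm-gpg/VMWARE-RPM-GPG-KEY, the function names and the default RPM directory are assumptions, and the script only changes the system when invoked with `run`.

```shell
#!/bin/sh
# Added example: remediate CVE-2024-6387 on a Photon OS 4.0 host such as the Harbor OVA.
# Not from the original page; function names, the key path and the RPM directory are assumptions.

PHOTON_UPDATES_URL="https://packages.vmware.com/photon/4.0/photon_updates_4.0_x86_64/x86_64"
FIXED_EVR="8.9p1-8.ph4"                             # fixed openssh version-release for Photon 4.0
PKGS="openssh-server openssh-clients"               # the two openssh packages installed on the OVA
PHOTON_KEY="/etc/pki/rpm-gpg/VMWARE-RPM-GPG-KEY"    # assumed location of the Photon signing key

# Approximation of rpmvercmp: split both strings into alternating numeric and alphabetic
# segments (separators such as . - _ only split), compare numeric segments as numbers and
# alphabetic ones lexically, and let a numeric segment beat an alphabetic one.
# Prints -1, 0 or 1.  Sufficient for strings like "8.9p1-4.ph4" vs "8.9p1-8.ph4".
vercmp() {
    awk -v a="$1" -v b="$2" '
    function tokenize(s, arr,   n) {
        n = 0
        while (length(s) > 0) {
            if (match(s, /^[0-9]+/) || match(s, /^[A-Za-z]+/)) {
                arr[++n] = substr(s, 1, RLENGTH)
                s = substr(s, RLENGTH + 1)
            } else {
                s = substr(s, 2)
            }
        }
        return n
    }
    function cmp(x, y,   xn, yn) {
        xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
        if (xn && yn) { x += 0; y += 0; return (x > y) - (x < y) }
        if (xn) return 1
        if (yn) return -1
        return (x > y) - (x < y)
    }
    BEGIN {
        na = tokenize(a, A); nb = tokenize(b, B)
        n = (na < nb) ? na : nb
        for (i = 1; i <= n; i++) { r = cmp(A[i], B[i]); if (r != 0) { print r; exit } }
        print (na > nb) - (na < nb)
    }'
}

# True (exit 0) when INSTALLED is older than FIXED, i.e. the host still needs the update.
needs_update() {
    [ "$(vercmp "$1" "$2")" -lt 0 ]
}

# Bring openssh up to FIXED_EVR.  Pass a directory holding pre-downloaded RPMs for
# air-gapped hosts; otherwise the RPMs are fetched from the Photon updates repository.
remediate() {
    rpmdir="${1:-/tmp/openssh-$FIXED_EVR}"
    to_install=""
    mkdir -p "$rpmdir"
    for p in $PKGS; do
        installed="$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$p")" || { echo "$p: not installed, skipping"; continue; }
        if ! needs_update "$installed" "$FIXED_EVR"; then
            echo "$p: $installed already at or above $FIXED_EVR"
            continue
        fi
        rpmfile="$rpmdir/$p-$FIXED_EVR.x86_64.rpm"
        [ -f "$rpmfile" ] || wget -q -O "$rpmfile" "$PHOTON_UPDATES_URL/$p-$FIXED_EVR.x86_64.rpm"
        to_install="$to_install $rpmfile"
    done
    [ -n "$to_install" ] || { echo "nothing to do"; return 0; }
    # Verify the vendor signature ourselves instead of passing --nogpgcheck to tdnf.
    rpm --import "$PHOTON_KEY"
    rpm --checksig $to_install || { echo "signature check failed, refusing to install"; return 1; }
    tdnf install -y $to_install
    systemctl daemon-reload
    systemctl restart sshd
    systemctl is-active --quiet sshd || { echo "sshd failed to restart"; return 1; }
    rpm -q --qf '%{NAME}: %{VERSION}-%{RELEASE}\n' $PKGS
}

# Only touch the system when explicitly asked:  ./fix-regresshion.sh run [RPM_DIR]
case "${1:-}" in
    run) remediate "${2:-}" ;;
esac
```

The comparison is done in awk rather than with `sort -V` so the script runs on a minimal Photon image without relying on GNU coreutils extensions; with pre-staged RPMs the only network access is none, and the signature check fails closed if the Photon key is missing or the files were tampered with in transit.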