Regresshion vulnerability: Recommended actions and steps we've taken
DigitalOcean is aware of a new security issue with OpenSSH (sshd) that was released yesterday under the title “regresshion” or CVE-2024-6387. This vulnerability appears to allow an attacker to gain remote root access on vulnerable Linux systems running OpenSSH. However, there are some important caveats. Notably, the exploit requires winning a race condition which can take several hours.
We are asking our customers to upgrade SSHD on their Droplets. If customers are running their own SSHD servers as part of a containerized workload (e.g., SSHD inside a Kubernetes pod) you should upgrade that service and relaunch the workload. Instructions can be found below for how to update SSHD on Dropets.
The table below lists the Security Notices published for each DigitalOcean provided distribution:
| Distribution | Security Notice |
|---|---|
| Ubuntu | https://ubuntu.com/security/notices/USN-6859-1 |
| Debian | https://security-tracker.debian.org/tracker/CVE-2024-6387 |
| CentOS | RHEL9 is impacted and we believe CentOS9 is also impacted as detailed here: https://access.redhat.com/security/cve/cve-2024-6387. No patch is available yet and the mitigation suggestions here should only be implemented with a strong understanding of implications. |
| AlmaLinux | https://almalinux.org/blog/2024-07-01-almalinux-9-cve-2024-6387/ |
| RockyLinux | https://rockylinux.org/news/2024-07-01-rocky-linux-9-cve-2024-6378-regression |
| Fedora | https://packages.fedoraproject.org/pkgs/openssh/openssh-server/ |
As part of our shared responsibility model, we are taking several actions in response to this vulnerability, which are outlined below.
DigitalOcean Products
| Product | Status | Instructions |
|---|---|---|
| App Platform | Not Affected | No action needed |
| Container Registry | Not Affected | No action needed |
| Droplet | Affected | Customer needs to upgrade openssh-server and openssh-client. Instructions below. DigitalOcean will patch Droplet Base Images for new deployments |
| Functions | Not Affected | No action needed |
| Kubernetes | Affected | Port 22 is disabled on cluster nodes by default, but customers may have enabled it. Customers can apply a cluster upgrade or wait for their regular maintenance window which will apply the patch. |
| Load Balancers | Not Affected | No action needed |
| Managed Databases | Affected | DigitalOcean will patch |
| Monitoring | Not Affected | No action needed |
| Networking | Not Affected | No action needed |
| Spaces | Not Affected | No action needed |
| Spaces CDN | Not Affected | No action needed |
| Volumes | Not Affected | No action needed |
| VPC | Not Affected | No action needed |
Additionally, DigitalOcean is taking action to ensure the version of OpenSSH used across its internal environment is patched.
Action for Droplets
Customer managed Droplets
Ubuntu and Debian
Interactive commands:
sudo apt update
sudo apt install --only-upgrade openssh-server openssh-client
Non-interactive commands:
sudo apt update
sudo env DEBIAN_FRONTEND=noninteractive apt install --only-upgrade -y openssh-server openssh-client
Note:
-
This command will only update OpenSSH server, client, and sftp.
-
The interactive commands will require user input on how to handle the sshd_config (keep old, compare old to new, install new, etc.).
-
The non-interactive commands will install the update and keep the existing sshd_config.
-
The
--only-upgradeflag will only install the package if the package has been previously installed. This is a safety check.
It is always a good idea to update your entire system but please be aware that this may introduce potential breaking issues.
CentOS, Fedora, Rocky Linux, AlmaLinux
sudo yum update openssh-server
sudo yum update openssh-clients
Related Articles
DigitalOcean and HIPAA: Enabling Healthcare Innovation on our Platform
Manager, Trust and Governance
July 1, 2024•2 min read
Announcing the Public Launch of DigitalOcean’s Paid Bug Bounty Program
Senior Manager, Product Security
April 5, 2024•4 min read
