OpenSSH 9.8 resolves critical RCE vulnerability

  • OpenSSH resolves a critical vulnerability (CVE-2024-6387) that enables remote code execution. The vulnerability affects versions 8.5p1 through 9.7p1. As LibreELEC 12.0 uses OpenSSH version "OpenSSH_9.7p1, OpenSSL 3.2.1 30 Jan 2024", can it be updated? If not, in the meantime, you can mitigate the vulnerability by assigning the value 0 to LoginGraceTime in /etc/ssh/sshd_config. This causes a temporary denial-of-service that prevents code execution.

  • We do consider security issues, and the probability of a meaningful exploit in the wild through LE devices is low. The attacker needs to be in the same network and most LE boxes are hidden behind NAT/firewalls, and if the attacker is already in the local network the HTPC isn't the target of interest and you have bigger things to worry about. In the past I've added some LE devices to instrumented honeypot networks alongside some well prepared deception assets. Most attackers shy away from the devices because they don't fingerprint as something known and recognised. The subset who did try to compromise the LE device generally succeeded with a dictionary attack on the well-known default password, not vulnerability exploits, and then they all tried to drop a compromise toolkit into the OS, which fails massively due to our non-standard distro packaging, and they quickly gave up and moved on to other more promising targets in the environment. Plus, even if we rush out a release and push the update to the small percentage of devices that would receive it, the other 90% of our rather sizeable userbase will remain on something older with even more vulnerabilities. In the grand scheme of things and compared to the shenanigans that I see in my DFIR day-job, this is nothing to lose sleep over.
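
An added example, not part of the thread or of LibreELEC's code: a shell triage built on the two facts in the opening post, the affected range 8.5p1 through 9.7p1 and the `LoginGraceTime 0` workaround. The function names, verdict strings and sample config files are constructed for illustration, and `Include` files are not followed.

```shell
#!/bin/sh
# Added example: triage one host for CVE-2024-6387 from its banner and sshd_config.

# Exit 0 if the banner is in the range given in the post (8.5p1 through 9.7p1),
# 1 if it is outside it, 2 if it is not a parseable OpenSSH banner.
# Distro builds can carry backported fixes, so treat a hit as "check further".
is_affected_version() {
    v=${1#*OpenSSH_}                       # text after "OpenSSH_"
    [ "$v" != "$1" ] || return 2
    case $v in *.*) ;; *) return 2 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}                 # digits before "p1", "," or a space
    case "$major:$minor" in :*|*:|*[!0-9:]*) return 2 ;; esac
    n=$((major * 100 + minor))
    [ "$n" -ge 805 ] && [ "$n" -le 907 ]
}

# Print the LoginGraceTime value sshd would take from one config file.
# sshd matches keywords case-insensitively and keeps the first value it reads;
# commented-out lines do not count. Prints "default" when the keyword is unset.
login_grace_time() {
    awk 'tolower($1) == "logingracetime" { print $2; found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# Verdict for a banner plus config file:
# not-affected, unknown-version, mitigated (LoginGraceTime 0) or exposed.
triage() {
    is_affected_version "$1" && rc=0 || rc=$?
    case $rc in
        1) echo "not-affected"; return ;;
        2) echo "unknown-version"; return ;;
    esac
    if [ "$(login_grace_time "$2")" = "0" ]; then echo "mitigated"; else echo "exposed"; fi
}

# Constructed sample input: the banner quoted in the post and two config variants.
BANNER='OpenSSH_9.7p1, OpenSSL 3.2.1 30 Jan 2024'
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#LoginGraceTime 2m' 'PermitRootLogin yes' > "$tmp/stock"
printf '%s\n' 'logingracetime 0' 'LoginGraceTime 120' > "$tmp/fixed"
echo "stock config: $(triage "$BANNER" "$tmp/stock")"
echo "fixed config: $(triage "$BANNER" "$tmp/fixed")"
```

On a live host, `sshd -T` prints the effective configuration and is a more reliable source than parsing the file by hand. With `LoginGraceTime 0` there is no login timeout, so unauthenticated connections can hold sshd's connection slots open.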