OpenSSH resolves a critical vulnerability (CVE-2024-6387) that enables remote code execution. The vulnerability affects versions 8.5p1 through 9.7p1. As LibreELEC 12.0 uses OpenSSH version "OpenSSH_9.7p1, OpenSSL 3.2.1 30 Jan 2024", can it be updated? If not, in the meantime, you can mitigate the vulnerability by assigning the value 0 to LoginGraceTime in /etc/ssh/sshd_config. This causes a temporary denial-of-service that prevents code execution.
OpenSSH 9.8 resolves critical RCE vulnerability
Doemela
July 5, 2024 at 5:57 PM
Thread is Unresolved
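An added check for the two facts the opening post relies on: whether a version banner like the one quoted falls in the 8.5p1 through 9.7p1 range the post names, and whether an sshd_config carries the interim LoginGraceTime 0 mitigation. This is example shell written for this thread, not LibreELEC project code; the sample config in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the LibreELEC project or this thread).

# openssh_version_affected BANNER
#   BANNER is what `ssh -V` prints, e.g. "OpenSSH_9.7p1, OpenSSL 3.2.1 30 Jan 2024".
#   Prints "yes" (exit 0) when major.minor lies in 8.5 .. 9.7 inclusive,
#   "no" (exit 1) otherwise, "unknown" (exit 2) when the banner does not parse.
#   Only major.minor is compared; the p-level is ignored, as in the post's range.
openssh_version_affected() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo "unknown"; return 2; }
    set -- $ver                       # $1 = major, $2 = minor
    num=$(( $1 * 100 + $2 ))          # 9.7 -> 907, 8.5 -> 805
    if [ "$num" -ge 805 ] && [ "$num" -le 907 ]; then
        echo "yes"; return 0
    fi
    echo "no"; return 1
}

# login_grace_mitigated CONFIG_FILE
#   Prints the effective LoginGraceTime and exits 0 only when it is 0.
#   sshd takes the first value given for a keyword, so the first uncommented
#   occurrence wins; the default of 120 applies when the keyword is absent.
login_grace_mitigated() {
    val=$(awk 'tolower($1) == "logingracetime" { print $2; exit }' "$1")
    [ -n "$val" ] || val=120
    echo "$val"
    [ "$val" = "0" ] || [ "$val" = "0s" ]
}

# Usage on a live box (not run here so the file stays self-contained):
#   openssh_version_affected "$(ssh -V 2>&1)"
#   login_grace_mitigated /etc/ssh/sshd_config
```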
Already included in nightlies. https://github.com/LibreELEC/LibreELEC.tv/pull/9048
-
Already included in nightlies. https://github.com/LibreELEC/LibreELEC.tv/pull/9048
That was an easy answer but does not solve a critical vulnerability you have in the stable releases that the majority of people use. Security-wise, this is a very bad policy, the worst!
-
We do consider security issues, and the probability of a meaningful exploit in the wild through LE devices is low. The attacker needs to be in the same network and most LE boxes are hidden behind NAT/firewalls, and if the attacker is already in the local network the HTPC isn't the target of interest and you have bigger things to worry about. In the past I've added some LE devices to instrumented honeypot networks alongside some well prepared deception assets. Most attackers shy away from the devices because they don't fingerprint as something known and recognised. The subset who did try to compromise the LE device generally succeeded with a dictionary attack on the well-known default password, not vulnerability exploits, and then they all tried to drop a compromise toolkit into the OS, which fails massively due to our non-standard distro packaging, and they quickly gave up and moved onto other more promising targets in the environment. Plus, even if we rush out a release and push the update to the small percentage of devices that would receive it, the other 90% of our rather sizeable userbase will remain on something older with even more vulnerabilities. In the grand scheme of things and compared to the shenanigans that I see in my DFIR day-job, this is nothing to lose sleep over.
-
It reminds me of this: https://www.reddit.com/r/ProgrammerHu…ferthanotheros/
Linux OSes are quite fragmented and hackers like to cast a large net by targeting the most common platforms. If you're using a Debian derivative or a Red Hat distro with systemd, you're more likely to be targeted.