Trust & Security

Regresshion vulnerability: Recommended actions and steps we've taken

Posted: July 2, 20247 min read

DigitalOcean is aware of a new security issue with OpenSSH (sshd) that was released yesterday under the title “regresshion” or CVE-2024-6387. This vulnerability appears to allow an attacker to gain remote root access on vulnerable Linux systems running OpenSSH. However, there are some important caveats. Notably, the exploit requires winning a race condition which can take several hours.

We are asking our customers to upgrade SSHD on their Droplets. If customers are running their own SSHD servers as part of a containerized workload (e.g., SSHD inside a Kubernetes pod) you should upgrade that service and relaunch the workload. Instructions can be found below for how to update SSHD on Dropets.

The table below lists the Security Notices published for each DigitalOcean provided distribution:

Distribution Security Notice
Ubuntu https://ubuntu.com/security/notices/USN-6859-1
Debian https://security-tracker.debian.org/tracker/CVE-2024-6387
CentOS RHEL9 is impacted and we believe CentOS9 is also impacted as detailed here: https://access.redhat.com/security/cve/cve-2024-6387. A patch was made avaialable for RHEL9 on July 3, 2024. The alternative mitigation suggestions there should only be implemented with a strong understanding of implications.
AlmaLinux https://almalinux.org/blog/2024-07-01-almalinux-9-cve-2024-6387/
RockyLinux https://rockylinux.org/news/2024-07-01-rocky-linux-9-cve-2024-6378-regression
Fedora https://packages.fedoraproject.org/pkgs/openssh/openssh-server/

As part of our shared responsibility model, we are taking several actions in response to this vulnerability, which are outlined below.

DigitalOcean Products

Product Status Instructions
App Platform Not Affected No action needed
Container Registry Not Affected No action needed
Droplet Affected Customer needs to upgrade openssh-server and openssh-client. Instructions below. DigitalOcean has patched Droplet Base Images for new deployments
Functions Not Affected No action needed
Kubernetes Affected Port 22 is disabled on cluster nodes by default, but customers may have enabled it. Customers can apply a cluster upgrade or wait for their regular maintenance window which will apply the patch.
Load Balancers Not Affected No action needed
Managed Databases Affected DigitalOcean has patched
Monitoring Not Affected No action needed
Networking Not Affected No action needed
Spaces Not Affected No action needed
Spaces CDN Not Affected No action needed
Volumes Not Affected No action needed
VPC Not Affected No action needed

Additionally, DigitalOcean is taking action to ensure the version of OpenSSH used across its internal environment is patched.

Action for Droplets

Customer managed Droplets

Ubuntu and Debian

Interactive commands:

sudo apt update
sudo apt install --only-upgrade openssh-server openssh-client

Non-interactive commands:

sudo apt update
sudo env DEBIAN_FRONTEND=noninteractive apt install --only-upgrade -y openssh-server openssh-client

Note:

  1. This command will only update OpenSSH server, client, and sftp.

  2. The interactive commands will require user input on how to handle the sshd_config (keep old, compare old to new, install new, etc.).

  3. The non-interactive commands will install the update and keep the existing sshd_config.

  4. The --only-upgrade flag will only install the package if the package has been previously installed. This is a safety check.

It is always a good idea to update your entire system but please be aware that this may introduce potential breaking issues.

CentOS, Fedora, Rocky Linux, AlmaLinux

sudo yum update openssh-server
sudo yum update openssh-clients

Share

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!Sign up

Related Articles

DigitalOcean and HIPAA: Enabling Healthcare Innovation on our Platform
trust-security

DigitalOcean and HIPAA: Enabling Healthcare Innovation on our Platform

Manager, Trust and Governance

July 1, 20242 min read

Announcing the Public Launch of DigitalOcean’s Paid Bug Bounty Program
trust-security

Announcing the Public Launch of DigitalOcean’s Paid Bug Bounty Program

Senior Manager, Product Security

April 5, 20244 min read

Fine-Grained RBAC For GitHub Action Workflows With GitHub OIDC and HashiCorp Vault
trust-security

Fine-Grained RBAC For GitHub Action Workflows With GitHub OIDC and HashiCorp Vault

Senior Manager, Product Security

February 3, 202328 min read