15 Apr
2024
15 Apr
'24
3:34 p.m.
Hi,
I really have to push back on a couple of points here:
- The idea that all of the dependencies¹ of openssh are audited, let
alone well audited. Unless you know this to be the case, I think
it's very unlikely that anyone has been paying attention, because
having nobody to pay attention is the norm.
- That this is somehow a systemd issue. All of the code in every .so
below can do stuff as root inside the address space of the sshd
process.
What makes sshd different is that it's run almost everywhere (hugely
attractive target) and it's often exposed to the whole Internet
(hugely attractive target) and a lot of it runs as root.
No matter how much anyone hates systemd, this class of problem does
not go away by refusing to use systemd. Systemd had already made
changes to avoid it needing to be linked to sshd, before any of this
stuff happened - this may have been a reason why the attackers
accelerated their efforts to get this deployed.
Thanks,
Andy
¹ $ ldd /usr/sbin/sshd
linux-vdso.so.1 (0x00007ffe34a98000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f7fc73b2000)
libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f7fc73a6000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007f7fc7375000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007f7fc7363000)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f7fc7293000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f7fc7263000)
libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2
(0x00007f7fc7211000)
libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f7fc7137000)
libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f7fc7131000)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f7fc6c00000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f7fc7112000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7fc6a1f000)
libnsl.so.2 => /lib/x86_64-linux-gnu/libnsl.so.2 (0x00007f7fc70f5000)
libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007f7fc70ed000)
libcap.so.2 => /lib/x86_64-linux-gnu/libcap.so.2 (0x00007f7fc70e1000)
libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007f7fc68d8000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f7fc70b2000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f7fc681c000)
liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007f7fc708a000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7fc7545000)
libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f7fc6782000)
libk5crypto.so.3 => /lib/x86_64-linux-gnu/libk5crypto.so.3
(0x00007f7fc6755000)
libkrb5support.so.0 => /lib/x86_64-linux-gnu/libkrb5support.so.0
(0x00007f7fc6747000)
libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1
(0x00007f7fc6740000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f7fc672f000)
libtirpc.so.3 => /lib/x86_64-linux-gnu/libtirpc.so.3 (0x00007f7fc6701000)
libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0
(0x00007f7fc66d9000)
On Sun, Apr 14, 2024 at 07:44:20PM +1000, Kamal Shaker via BitFolk Users wrote:
Agree with Chris and Iain, OpenSSH is reasonably well
audited, along with
its dependencies, it’s just the link with systemd that causes this issue. I
haven’t used
Xen for about ten years, does it use systemd?
If it does can you remove the link to stop future attacks so start it with
an init script?
Kamal
--
https://bitfolk.com/ -- No-nonsense VPS hosting