IT Colleagues,
The maintainers of OpenSSH released updates today to fix a critical security flaw in Secure Shell (SSH). Upon exploitation, a remote, unauthenticated attacker could execute code with root privileges. This is commonly known as a Remote Code Execution (RCE) vulnerability.
The vulnerability affects the default configuration of SSH between versions 8.5p1 and 9.7p1, as well as versions prior to 4.4p1 that have not been patched for CVE-2006-5051 and CVE-2008-4109. Systems running SSH on OpenBSD are not affected.
At the time of writing, proof-of-concept (PoC) exploit code has been developed for 32-bit glibc-based Linux systems. The OpenSSH maintainers have not yet successfully developed exploit code for 64-bit systems but believe they are equally vulnerable. Common memory-safety mitigations, such as Address Space Layout Randomization (ASLR), do not mitigate this vulnerability.
The University Information Security Office (UISO) recommends that you immediately check your systems to determine if they are vulnerable. Vulnerable systems should be patched as soon as possible. If patching cannot be implemented within two business days, immediately contact the UISO to discuss mitigation strategies.
Attackers will seek to weaponize this vulnerability in short order. As always, we appreciate your ongoing vigilance in protecting IU.
If you have questions, please contact the UISO at uiso@iu.edu.
–IT Community Partnerships on behalf of the University Information Security Office
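
To help with the version check recommended above, the following added example (not part of the original notice and not UISO or OpenSSH project code) classifies OpenSSH version strings against the ranges stated in the notice. The status labels, the `os_name` parameter, the inclusive range bounds, and the sample strings are assumptions made for illustration.

```python
import re
import sys

# Version ranges as stated in the notice; bounds treated as inclusive (assumption).
AFFECTED_LOW, AFFECTED_HIGH = (8, 5), (9, 7)
LEGACY_CUTOFF = (4, 4)  # releases prior to 4.4p1

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")

def parse_version(text):
    """Extract (major, minor) from `ssh -V` output or an SSH banner, else None."""
    m = _VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(text, os_name="Linux"):
    """Map a version string to a triage status (labels are hypothetical)."""
    if os_name.lower() == "openbsd":
        return "not-affected"            # the notice excludes OpenBSD
    version = parse_version(text)
    if version is None:
        return "unknown"                 # not OpenSSH, or unparseable
    if AFFECTED_LOW <= version <= AFFECTED_HIGH:
        return "in-affected-range"       # patch, or confirm a vendor backport
    if version < LEGACY_CUTOFF:
        # Affected unless patched for CVE-2006-5051 and CVE-2008-4109.
        return "legacy-check-patches"
    return "outside-affected-range"

# Constructed sample strings, not taken from real hosts.
SAMPLES = [
    "OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5",
    "OpenSSH_9.8p1",
    "OpenSSH_4.3p2",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    # Pass version strings as arguments, or run with none to see the samples.
    for line in sys.argv[1:] or SAMPLES:
        print(f"{classify(line):24} {line}")
```

A result of `in-affected-range` reflects the upstream version only. Distribution packages can carry a backported fix without changing that version, so confirm against the vendor's package changelog or advisory before treating a host as patched or unpatched.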