Remote Unauthenticated Code Execution Vulnerability in OpenSSH server - CVE-2024-6387

Hi Guys,

In short, a couple of days ago a critical sshd vulnerability was announced: CVE-2024-6387.

It allows **Remote Unauthenticated Code Execution**, or in other words, if any bad actor can access your SSH port, they can run anything on your system without any authentication, i.e. take over all of your data.

This brings a critical question to the devs:
What are the chances of getting a new build of CoreELEC with a patched version of sshd? I'd bet that some of the systems have sshd exposed to the internet, and those users are most likely unaware of the issue.

More on this subject is, e.g., here:

Currently the latest version shows this as the ssh version (vulnerable):
Remote protocol version 2.0, remote software version OpenSSH_9.7

Thanks!

Already in nightly: openssh: update to 9.8p1

CE 21.1 will be made when Kodi is ready with this version.
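A small triage check a defender can run against their own hosts, added here as an example and not part of the thread or of CoreELEC: it parses the OpenSSH version token quoted in the post ("OpenSSH_9.7") or a raw server banner and compares it with the 9.8 line (9.8p1) the nightly moved to. The sample banners are constructed, and the handling of vendor suffixes assumes that distribution builds may carry a backported fix without changing the version number, so the banner alone cannot settle those.

```python
import re
import socket
from typing import Optional, Tuple

# Constructed sample banners for the demo; not captured from the forum or any real host.
SAMPLE_BANNERS = [
    "OpenSSH_9.7",                              # version token as quoted in the post
    "SSH-2.0-OpenSSH_9.8p1",                    # the release the nightly moved to
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",   # distro build: may carry a backported fix
    "SSH-2.0-dropbear_2022.83",                 # not OpenSSH at all
]

FIXED_LINE = (9, 8)  # fix shipped in OpenSSH 9.8 (9.8p1), per the reply above

_BANNER_RE = re.compile(
    r"^(?:SSH-2\.0-)?OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(.*))?$"
)


def parse_openssh_banner(banner: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, portable_patch), vendor_suffix), or None if not OpenSSH."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), (suffix or "")


def classify_banner(banner: str) -> str:
    """Triage one banner: fixed-by-version, update-required, check-vendor-advisory, not-openssh."""
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return "not-openssh"
    (major, minor, _patch), suffix = parsed
    if (major, minor) >= FIXED_LINE:
        return "fixed-by-version"
    # A vendor suffix (assumption: distro package) may hide a backported fix
    # behind an old version number; the banner alone cannot decide that case.
    return "check-vendor-advisory" if suffix else "update-required"


def fetch_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the first line a server sends (normally its SSH identification string, RFC 4253)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.makefile("rb").readline().decode("ascii", "replace").strip()


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:45} -> {classify_banner(b)}")
```

Run it against your own CE box with `classify_banner(fetch_banner("192.0.2.10"))` (placeholder address) to see which bucket its sshd falls into.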

Thanks! I'd suggest that this type of urgent and critical issue should prompt pushing out a "stable" release, which would in effect prompt an upgrade for the majority, if not all, installations. Otherwise, all the people sitting on stable will stay vulnerable, completely unconscious of the issue.

Whoever exposes CE/LE on the Internet must understand what he is doing. And if it is open to the whole world, even without using firewall rules … and maybe using the default password too :sweat_smile:

As written, the new version will be pushed when the new version of Kodi is available. No more discussion is needed regarding this issue.
