[LINUX] Serious vulnerability fixed with OpenSSH 9.8

[Paweł.]

OpenSSH 9.8 has been released, fixing an ugly vulnerability:

Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.

Exploitation on non-glibc systems is conceivable but has not been examined.

There is a configuration workaround for systems that cannot be updated, though it has its own problems. See this Qualys advisory for more details.

Przeczytaj cały wpis