Nasty regreSSHion bug in OpenSSH

[Ice Tea]

Nasty regreSSHion bug affects around 700K Linux systems

Full system takeovers on the cards, for those with enough patience to pull it off

www.theregister.com

Ubuntu has updated versions here, and NixOS has also been busy over the past few hours – users can go here, at least.

Check your distro for updates – there will probably be some.

 

[kindai]

Nasty indeed.

Fortunately of all my customer servers only a handful needed patching. But those ones were behind IP restricted firewalls.

 

[Throrik]

Fortunately no internet facing SSH for me, but will be patching nonetheless.

 

[Scott C]

So definitely one to patch but some mitigating factors at least are...

• There doesn't appear to be a working exploit against a 64bit OS (yet...)
• Attacker has to know the specific OS that is running
• Can take up to 8 hours and as many as 10,000 attempts

So unless you're desperately unlucky even a vulnerable version with any kind of reasonable session or rate-limiting in place should offer you fair protection against this

 

[LostCorpse]

and all those IOT devices that wont get patched.
Door Access / Building Management System / Cameras / Enviromental monitors / meeting room equipment to name but a few items.

 

[Scott C]

and all those IOT devices that wont get patched.
Door Access / Building Management System / Cameras / Enviromental monitors / meeting room equipment to name but a few items.

And there's probably a frightening number of them remotely accessible :/