Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Please confirm which versions (if any) are vulnerable to CVE-2024-6387 #2249

Open
camerondm9 opened this issue Jul 3, 2024 · 14 comments
Open

Comments

@camerondm9
Copy link

camerondm9 commented Jul 3, 2024

Request for information

CVE-2024-6387 (stylized as regreSSHion) is a Remote Unauthenticated Code Execution vulnerability in sshd in glibc-based Linux systems, discovered by Qualys.

What I want to know: Is OpenSSH for Windows vulnerable?

I don't see any changes that line up with Qualys's disclosure timeline, and the version number that I get when I do a fresh install via Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 is 8.6.0.1 (which falls within the vulnerable range, according to what I'm seeing).

@alex180500
Copy link

Is there any update? why is ssh on windows so behind...

@ebenhoehdaniel
Copy link

ebenhoehdaniel commented Jul 4, 2024

We have Windows Server 2019 and 2022 and need the information if the OpenSSH-Feature is vulnerable, too.
All very old SSH-Server - Microsoft, have you forgotten your Secure Future Initiative (SFI):
https://www.microsoft.com/en-us/microsoft-cloud/resources/built-in-security

https://www.microsoft.com/en-us/security/blog/2024/05/03/security-above-all-else-expanding-microsofts-secure-future-initiative/

@GossiTheDog
Copy link

Confirming the latest Windows 11 release is vulnerable version:

image

@foxt
Copy link

foxt commented Jul 4, 2024

https://www.qualys.com/regresshion-cve-2024-6387/

discovered this unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems.

Windows is neither Linux or glibc-based so I assume it's not relevant?

@FrancoisSSC
Copy link

Does this vulnerability affect macOS or Windows?
While it is likely that the vulnerability exists in both macOS and Windows, its exploitability on these platforms remains uncertain. Further analysis is required to determine the specific impact.

https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

@GossiTheDog
Copy link

https://www.qualys.com/regresshion-cve-2024-6387/

discovered this unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems.

Windows is neither Linux or glibc-based so I assume it's not relevant?

FreeBSD is neither Linux or glibc based, but they patched it.

@NoMoreFood
Copy link

Based on my topical analysis and general knowledge of how signal handling is done in this fork, I do not believe this vulnerability is relevant to this fork.

@Gautam-deepak
Copy link

Is there any update on this ? Please confirm..

@KingWAR10CK
Copy link

Any updates?

@JeanPluzo
Copy link

Thanks for the different insights everyone!
Still, it would be nice to hear from MS themselves. "Assuming" is not the right way to go in the IT industry.

@DomDupuis
Copy link

Any updates Microsoft?

@shertaeg
Copy link

@tgauth can you give any insights on this? Is Win32_OpenSSH vulnerable or not?
I understand all community-answers, but as I guess thousands of others am waiting for some sort of official statement.

come on, Microsoft, you can do better than that. It's been very frustraing in the last months.

@FrancoisSSC
Copy link

I sent an email to [email protected] earlier today, and this is their official statement:

PowerShell/Announcements#63
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-6387

You can all sleep well now! :)

@tgauth
Copy link
Collaborator

tgauth commented Jul 12, 2024

Apologies for the delay in responding - please see the announcement mentioned above for guidance. PowerShell/Announcements#63

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests