How can we upgrade current SSH version to 9.8 or higher without Homebrew on macOS Ventura?

There is a vulnerability for SSH. How can we upgrade current SSH version to 9.8 or higher without Homebrew?

Apple has not released any updates so far for this. Any help please.

macOS Ventura and Sonoma.

Thanks


[Re-Titled by Moderator]

Posted on Jul 3, 2024 5:49 AM

Question marked as Top-ranking reply

Posted on Jul 8, 2024 5:01 PM

The only issues here are with the reporting tool, and with the response to the report.


macOS sshd is not affected, per what Qualys themselves have posted.


More generally: Please don’t immediately apply the remediation suggested by add-on anti-malware. Not without giving the detection and the remediation some consideration. Consideration whether the add-on anti-malware is correct, and consider whether the detection even matters, or if things are mis-detecting or are just busted. Busted? More than a little add-on anti-malware has (erroneously) suggested doing bad things to macOS.


Want details about this case? Ask Qualys support.


Given the following information from Qualys does not apply to your configuration, you will want to report the errant Qualys detection bug, or the errant suggestion or confusing Qualys documentation or whatever kicked over this quest, to Qualys support:


The Qualys Threat Research Unit (TRU) has discovered a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems. CVE assigned to this vulnerability is CVE-2024-6387.


1: This isn’t Linux, and 2: macOS uses libc and not glibc.


How to back out the sshd changes might unfortunately be a project. If there are backups from prior to those changes, I might consider restoring those. Otherwise, Homebrew can hopefully remove what it added.


If you want to learn about this Linux sshd bug involving glibc, here is the Qualys report:


https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server


Jul 8, 2024 4:24 PM in response to ii_mj

I've been reading the post but something just doesn't get into my brain.


So, I'll try to explain myself the best as I can so maybe I can receive some insight or help into this.


First, I'd like to say that I have near to zero proficiency with this.


I've received a report from Qualys as well, saying that some of the Macs I'm managing are vulnerable to this OpenSSH issue, or regreSSHion. However, I've been checking and most of the devices do not even have SSH installed. In my ignorance, I tried to upgrade it (install it) using Homebrew, but all of them get to the 9.6p1 version.


When checked on Qualys, it states that (on Linux authenticated) if a client does not authenticate at the expected time, then SIGALRM is called but is not async-signal-safe.


My devices are timing out correctly.


So, what I want to ask is:


  • Do I have to worry about it? Yes, No, and why (please)
  • For the devices that do have SSH installed by brew, is there something I need to do?
  • I read that Mac/Apple doesn't run on glibc, should I be worried?


Thank you for any help/advice. I've been facing this since last Wednesday but I'm like running in circles (maybe because I have no idea what I'm doing).

Jul 8, 2024 4:51 PM in response to Kbra_vo

In short, OpenSSH is installed with macOS, but, by default, it's disabled.


For those devices you have with later, or different versions of OpenSSH installed by the user, then check to see which specific version it is and compare that to which versions are safe, and which are not. I posted that information just above.


How do you check which version of OpenSSH is installed? I have no idea because I've never had reason to look. And until this topic appeared, I didn't even know OpenSSH was part of the macOS install.


glibc was part of BSD Unix, which is the base Unix version macOS started with back in version 10.0. But according to what I can find, the OS doesn't use it, i.e., it's not enabled.
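
One way to do the version check asked about above, as an added example that is not part of the original thread. The 9.8 threshold is taken from the question, the banner strings are constructed samples, and `/opt/homebrew/bin` and `/usr/local/bin` are assumed to be the Homebrew install locations.

```shell
#!/bin/sh
# Added example. TARGET comes from the question ("9.8 or higher"); being below it
# is what a version-based scanner flags, not proof that the host is exploitable.
TARGET=9.8

# Extract "major.minor" from a banner such as "OpenSSH_9.6p1, LibreSSL 3.3.6".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed when version $1 is lower than $2, comparing major and minor as numbers
# so that 10.0 sorts above 9.8 (a plain string comparison would get this wrong).
version_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# Verdict for one banner: below-target, at-or-above-target or unparsed.
classify_banner() {
    v=$(openssh_version "$1")
    if [ -z "$v" ]; then echo "unparsed"
    elif version_lt "$v" "$TARGET"; then echo "below-target"
    else echo "at-or-above-target"
    fi
}

# Map the text printed by `sudo systemsetup -getremotelogin` to on/off/unknown.
remote_login_state() {
    case "$1" in
        *"Remote Login: On"*)  echo "on" ;;
        *"Remote Login: Off"*) echo "off" ;;
        *)                     echo "unknown" ;;
    esac
}

# Constructed sample inputs, not captured from a real host.
classify_banner "OpenSSH_9.6p1, LibreSSL 3.3.6"
remote_login_state "Remote Login: Off"

# Report every client binary present: the system copy and the usual Homebrew paths.
# `ssh -V` prints its banner on stderr, hence the redirect.
for bin in /usr/bin/ssh /opt/homebrew/bin/ssh /usr/local/bin/ssh; do
    if [ -x "$bin" ]; then
        banner=$("$bin" -V 2>&1)
        echo "$bin: $banner -> $(classify_banner "$banner")"
    fi
done
```

On a Mac, pass the real output with `remote_login_state "$(sudo systemsetup -getremotelogin)"` to record whether sshd is reachable at all alongside the version.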

Jul 24, 2024 6:27 AM in response to Kurt Lang

Kurt Lang wrote:

Just for fun, try reading the posts and links already provided in this topic. The answer is here, numerous times.

The NVD and CVE sites do not specify glibc as a dependency for the vulnerability at the time of this post:


https://www.cve.org/CVERecord?id=CVE-2024-6387


https://nvd.nist.gov/vuln/detail/CVE-2024-6387


The proof-of-concept was only achieved on glibc-based Linux systems, but that does not mean other sshd installations are not vulnerable.


The Qualys blog post mentioned does not say that macOS is not affected. So, do you have a source for whether macOS is affected or not?
