HostOS OpenSSH Vulnerabilities

Good morning. Has anyone documented any responses to vulnerability concerns with OpenSSH 8.3p1 CVEs for HostOS?

We have a customer security group that has flagged our devices due to this version and I am trying to work up a response outside of pushing for a new HostOS release with an updated OpenSSH.

Hello @wd-fusus

Thanks for your request. Can you please share with us what your hostOS version and device type are?
In general, updating to the latest available hostOS mitigates security concerns.

Best Regards
Harald


Was there any update here? I note that even versions as recent as 6.2.0rev1 are vulnerable (I have not yet checked versions newer than my current device):

$ sshd -V
OpenSSH_8.9p1, OpenSSL 3.0.15 3 Sep 2024

Hi @dash, unfortunately it is not as straightforward as checking against the version listed in the OS. BalenaOS is built on top of Yocto and, for most current device types, is built from the Yocto Kirkstone LTS release. The Yocto community continually backports fixes for all of these CVEs into versions, hence the OpenSSH version you see in your OS has the suffix p1 indicating it is patched. That OpenSSH version is built from a recipe file something like meta/recipes-connectivity/openssh/openssh_8.9p1.bb in poky, and in there you can see a section which includes the various CVE patches that are added on top of the version:

...
           file://0001-upstream-include-destination-constraints-for-smartca.patch \
           file://CVE-2023-38408-0001.patch \
           file://CVE-2023-38408-0002.patch \
           file://CVE-2023-38408-0003.patch \
           file://CVE-2023-38408-0004.patch \
           file://fix-authorized-principals-command.patch \
           file://CVE-2023-48795.patch \
           file://CVE-2023-51384.patch \
           file://CVE-2023-51385.patch \
           file://CVE-2024-6387.patch \
           file://CVE-2025-26465.patch \
...

So it is likely that most of the known CVEs are patched in the latest version of the OS for your device type. @dash could you let us know your device type (and OS version) you are using and we can verify that for you?

We are working on some product features to better communicate this type of thing to customers because the standard CVE scanner tools only check versions which is not sufficient for yocto builds unfortunately.
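As an added illustration of the point made in this reply (this is not balena's code or the thread's, just an example written for this page): a version-only scanner compares the `sshd -V` banner against the upstream release that first shipped each fix, so an 8.9p1 build will always be flagged for anything fixed in 9.6 or 9.8. A recipe-aware check instead looks for explicit `CVE-*.patch` backports in the Yocto recipe's `SRC_URI`. The recipe excerpt below is a constructed sample modelled on the patch list quoted above (the real recipe has more entries), and the "fixed in" table holds the upstream OpenSSH releases that shipped each fix according to the OpenSSH release notes.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input modelled on the SRC_URI block quoted in the thread
# (poky, meta/recipes-connectivity/openssh/openssh_8.9p1.bb). The real recipe
# carries more entries than shown here; treat this purely as sample input.
RECIPE_EXCERPT = r'''
SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
           file://0001-upstream-include-destination-constraints-for-smartca.patch \
           file://CVE-2023-38408-0001.patch \
           file://CVE-2023-38408-0002.patch \
           file://CVE-2023-38408-0003.patch \
           file://CVE-2023-38408-0004.patch \
           file://fix-authorized-principals-command.patch \
           file://CVE-2023-48795.patch \
           file://CVE-2023-51384.patch \
           file://CVE-2023-51385.patch \
           file://CVE-2024-6387.patch \
           file://CVE-2025-26465.patch \
           "
'''

# Upstream OpenSSH release (major, minor) that first shipped the fix for each CVE,
# per the OpenSSH release notes. This is all a version-only scanner compares against.
UPSTREAM_FIXED_IN: Dict[str, Tuple[int, int]] = {
    "CVE-2023-48795": (9, 6),   # Terrapin prefix truncation
    "CVE-2023-51385": (9, 6),
    "CVE-2024-6387": (9, 8),    # regreSSHion
    "CVE-2024-39894": (9, 8),
}

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)p(\d+)")
# Matches CVE-YYYY-NNNN.patch and multi-part CVE-YYYY-NNNN-0001.patch entries only;
# unrelated patches (fix-authorized-principals-command.patch) are ignored.
PATCH_RE = re.compile(r"file://(CVE-\d{4}-\d{4,})(?:-\d+)?\.patch")


def parse_banner(banner: str) -> Tuple[Tuple[int, int], int]:
    """Return ((major, minor), portable_release) from `sshd -V` output.
    The 'pN' suffix is the OpenSSH Portable release number; on its own it says
    nothing about which CVE fixes the distro has backported."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    return (int(m.group(1)), int(m.group(2))), int(m.group(3))


def version_only_scan(banner: str, flagged: List[str]) -> Dict[str, bool]:
    """What a naive scanner does: vulnerable iff running version < upstream fix version.
    Unknown CVEs are conservatively reported as vulnerable."""
    version, _ = parse_banner(banner)
    out: Dict[str, bool] = {}
    for cve in flagged:
        fixed_in: Optional[Tuple[int, int]] = UPSTREAM_FIXED_IN.get(cve)
        out[cve] = True if fixed_in is None else version < fixed_in
    return out


def backported_cves(recipe_text: str) -> Set[str]:
    """CVE IDs for which the Yocto recipe carries an explicit backport patch."""
    return set(PATCH_RE.findall(recipe_text))


def triage(banner: str, recipe_text: str, flagged: List[str]) -> Dict[str, str]:
    """Combine the version check with the recipe's patch list to give a verdict per CVE.
    A CVE with no backport in the recipe stays open: the build may simply predate it."""
    naive = version_only_scan(banner, flagged)
    backports = backported_cves(recipe_text)
    verdicts: Dict[str, str] = {}
    for cve in flagged:
        if not naive[cve]:
            verdicts[cve] = "upstream version already includes fix"
        elif cve in backports:
            verdicts[cve] = "backported via recipe patch"
        else:
            verdicts[cve] = "OPEN: no backport in recipe; check OS build date or update hostOS"
    return verdicts


if __name__ == "__main__":
    banner = "OpenSSH_8.9p1, OpenSSL 3.0.11 19 Sep 2023"  # banner quoted in the thread
    flagged = ["CVE-2024-6387", "CVE-2024-39894", "CVE-2023-48795"]
    for cve, verdict in triage(banner, RECIPE_EXCERPT, flagged).items():
        print(f"{cve}: {verdict}")
```

Run against the quoted banner, the version-only pass flags all three CVEs, while the recipe pass shows CVE-2024-6387 and CVE-2023-48795 carried as backports and CVE-2024-39894 still open in this excerpt. To use it for real, point `RECIPE_EXCERPT` at the actual recipe from the poky (or meta-balena) revision your OS release was built from, since the patch list changes between releases.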

Hi @shaunmulligan1 appreciate the detailed response.

CVE-2024-6387 and CVE-2024-39894 were originally flagged to me via a CVE scanner that a network admin has run against it. I am not sure what tool specifically but will try and find out.

The device in question is running balenaOS v4.0.23 (intel-nuc).

And the sshd version I am getting on this device is:

$ sshd -V
OpenSSH_8.9p1, OpenSSL 3.0.11 19 Sep 2023

This would suggest it has been patched; however, the OS version v4.0.23 appears to be older than the CVEs' publication and the above commit, which is confusing and makes me think that SSHD was patched for some CVEs previously but not these specific ones?

I am working on how to upgrade the host OS version as I have done previously, but it seems the hostapp-update command does not work beyond balenaOS v2.99.

Hi @dash, good question. The patch versioning here obscures quite a bit of detail, but yes, if the balenaOS v4.0.23 that you are running was released before the publication date of the CVEs, then you can assume they are not included in the p1 update. So the recommended approach would be to update the OS to the latest. For the Intel NUC device type, the latest available is 6.5.18 and this should be patched for all the CVEs mentioned above.

Are you not able to see this new 6.5.18 version in the OS update modal? Can you show a screenshot of what you are seeing? There should be multiple OS options available to you above 4.0.23.

Unfortunately this is an openBalena device, for which only manual updates were once possible by using SSH and the script hostapp-update. I am struggling to find a way to update this device to at least get the SSH CVEs patched.

I have posted on this topic here: balenaOS Hostupdate >v2.99 but haven't made much headway.

Update: Have managed to resolve this with: balenaOS Hostupdate >v2.99

Thanks for your help @shaunmulligan1 clearing my confusion about OpenSSH_8.9p1 and what is and isn’t patched.