Immich - High-performance self-hosted photo and video management solution (AKA The Google Photos replacement you have been waiting for) - Progress update, July 2024 - Now with similarity deduplication, web translation, SMTP email notification, and public roadmap 🎉

GitHub Repository

Hello everybody! Alex from Immich here, and I am back with another development progress update for the project.

Summer has returned once again, and the night sky is filled with stars; thank you for 38_000 shining stars you have sent to our GitHub repo! Since the last announcement, several core contributors have started working full-time. Everything is going great with development, PRs get merged with brrrrrrr rate, conversation exchange between team members is on a new high, we met and are working with the great engineers at FUTO. The spirit is high, and we have a lot of things brewing that we think you will like.

Let's go over some of the updates we had since the last post.

Container consolidation

Reduced the number of total containers from 5 to 4 by making the microservices threads get spawned directly in the server container. Woohoo, remember when Immich had 7 containers?

Email notifications SMTP

We added email notifications to the app with SMTP settings that you can configure for the following events:

  • A new account is created for you.
  • You are added to a shared album.
  • New media is added to an album.

Versioned docs

You can now jump back into the past or take a peek at the unreleased version of the documentation by selecting the version on the website.

Similarity deduplication

Similarity deduplication control panel

With more machine learning and CLIP magic, we now have similarity deduplication built into the application, where it will search for closely similar images and let you decide what to do with them, i.e., keep or trash.

Permanent URL for assets on the web

The detail view for an asset now has a permanent URL, so you can easily share it with your loved ones.

Web app translations

We now have a public Weblate project, which the community can use to translate the web app to their native languages. We are planning to port the mobile app translation to this platform as well. If you would like to contribute, you can take a look here. We're already close to 50% translations - we really appreciate everyone contributing to that!

Read-only/Editor mode on the shared album

As the owner of the album, you can choose if the shared user can edit the album or only view the content of the album without any modification.

Better video thumbnails

Immich now tries to find a descriptive video thumbnail instead of simply using the first frame. No more black images for thumbnails!

Public Roadmap

We now have a public roadmap, giving you a high-level overview of things the team is working on. The first goal of this roadmap is to bring Immich to a stable release, which is expected sometime later this year. Some of the highlights include

  • Auto stacking - Auto stacking of burst photos
  • Basic editor - Basic photo editing capabilities
  • Workflows - Automate tasks with workflows
  • Fine-grained access controls - Granular access controls for users and API keys
  • Better background backups - Rework background backups to be more reliable
  • Private/locked photos - Private assets with extra protections

Beyond the items in the roadmap, we have many many more ideas for Immich. The team and I hope that you are enjoying the application, find it helpful in your life and we have nothing but the intention of building out great software for you all!

Have an amazing Summer or Winter for those in the southern hemisphere! :D

Until next time,

Cheers! Alex

submitted by /u/altran1502

PSA: Update your OpenSSH installations (CVE-2024-6378)

The regreSSHion Bug

An Unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems.

What is regreSSHion?

regreSSHion, CVE-2024-6387, is an unauthenticated remote code execution in OpenSSH’s server (sshd) that grants full root access. It affects the default configuration and does not require user interaction. It poses a significant exploit risk.

regreSSHion background

The Qualys Threat Research Unit (TRU) discovered this unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems. This bug marks the first OpenSSH vulnerability in nearly two decades—an unauthenticated RCE that grants full root access. It affects the default configuration and does not require user interaction, posing a significant exploit risk.

In Qualys TRU’s analysis, we identified that this vulnerability is a regression of the previously patched vulnerability CVE-2006-5051, reported in 2006. A regression in this context means that a flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue. This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment. This regression was introduced in October 2020 (OpenSSH 8.5p1).

Why was it named regreSSHion?

The vulnerability is named “regreSSHion” because it references its nature as a regression bug affecting OpenSSH.

About OpenSSH?

OpenSSH is a suite of secure networking utilities based on the SSH protocol that are essential for secure communication over unsecured networks. It provides robust encryption, secure file transfers, and remote server management. OpenSSH is widely used on Unix-like systems, including macOS and Linux, and it supports various encryption technologies and enforces robust access controls. Despite a recent vulnerability, OpenSSH maintains a strong security record, exemplifying a defense-in-depth approach and a critical tool for maintaining network communication confidentiality and integrity worldwide.

Affected OpenSSH versions

  • OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
  • Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
  • The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.

Source: https://www.qualys.com/regresshion-cve-2024-6387/

submitted by /u/WiseCookie69
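
The version ranges listed in the post above, applied to SSH banners and `ssh -V` strings, as an added example that is not part of the original post or of the Qualys advisory. Host names and banners are constructed; the check compares upstream version numbers only, so a distribution package carrying a backported fix is still flagged and has to be confirmed against the vendor's advisory.

```python
import re
from enum import Enum


class Status(Enum):
    # Wording follows the three ranges given in the post.
    PRE_4_4 = "vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109"
    NOT_AFFECTED = "not vulnerable (4.4p1 up to, but not including, 8.5p1)"
    REGRESSION = "in the CVE-2024-6387 range (8.5p1 up to, but not including, 9.8p1)"
    FIXED = "outside the affected range (9.8p1 or later)"
    UNKNOWN = "no OpenSSH version found in the string"


# Matches "OpenSSH_9.6p1 Ubuntu-3ubuntu13" as well as "SSH-2.0-OpenSSH_8.4".
# Only major.minor is needed: every boundary on the page is an x.yp1 release.
_VERSION = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor) as integers, or None if no version is present."""
    match = _VERSION.search(text)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def classify(text):
    """Map a banner or `ssh -V` string to one of the ranges from the post."""
    version = parse_version(text)
    if version is None:
        return Status.UNKNOWN
    # Integer tuples compare numerically, so (10, 0) sorts after (9, 8);
    # comparing the raw strings would put "10.0" before "9.8".
    if version < (4, 4):
        return Status.PRE_4_4
    if version < (8, 5):
        return Status.NOT_AFFECTED
    if version < (9, 8):
        return Status.REGRESSION
    return Status.FIXED


def triage(inventory):
    """Return sorted (host, status) pairs that need follow-up.

    Hosts whose string cannot be parsed are kept in the result: an
    unreadable banner is a reason to look, not a reason to skip.
    """
    follow_up = {Status.PRE_4_4, Status.REGRESSION, Status.UNKNOWN}
    results = ((host, classify(banner)) for host, banner in inventory.items())
    return sorted(
        ((host, status) for host, status in results if status in follow_up),
        key=lambda item: item[0],
    )


# Constructed sample inventory (host names and banners are made up).
SAMPLE_INVENTORY = {
    "nas.example.internal": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "legacy.example.internal": "SSH-2.0-OpenSSH_7.4",
    "edge.example.internal": "OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021",
    "new.example.internal": "SSH-2.0-OpenSSH_9.8",
    "future.example.internal": "SSH-2.0-OpenSSH_10.0p2",
    "ancient.example.internal": "SSH-2.0-OpenSSH_4.3",
    "router.example.internal": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status.value}")
```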

Introducing JustDeploy - Now Even Easier to Use with Improved UX and Simple Server Connection via IP

Hello everyone,

I'm excited to share some updates about JustDeploy, an open source project I've been working on to simplify the deployment process for developers. For those who are not familiar, JustDeploy is an alternative to platforms like Vercel and Heroku, but it focuses on deploying Dockerfiles directly to your own server, giving you more control over your deployments.

What's New?

  1. Connect Your Server with Just an IP: We've made it even simpler to connect your server. Now, you can connect a server using just its IP address, streamlining the setup process.
  2. Improved User Experience (UX): We've listened to your feedback and have made significant improvements to the UX, making JustDeploy more intuitive and easier to use.

JustDeploy handles server connection, Docker installation, and secure certificate generation, so you can deploy your application with ease. One of the coolest features is that it doesn't install anything on your server other than your application, making it an ideal choice for small servers with limited resources or development environments.

Feedback and Feature Requests

The project is still a work in progress, and I would love to get more feedback from the community. Your insights are invaluable to us, and we are eager to hear what features you'd like to see next. If you have any suggestions or run into any issues, please don't hesitate to open an issue on the GitHub repository.

Check It Out

You can learn more about JustDeploy and try it out here: JustDeploy Landing Page

Thank you for your time, and I look forward to hearing your thoughts!

submitted by /u/clement_chal

People who use Grocy - How was it getting your family/housemates to regularly use it? What is your setup like?

My girlfriend and I will be living together soon and I'd like to use Grocy, but I'm honestly not sure if she'll be down to use it. I can especially see the value in it for when we start a family of our own.

I'm curious about people who couldn't get their families/housemates to use it and people who were able to successfully implement this in their household. Also, what are/were your setups like?

As someone who is not currently using it, I can see how it could feel like a lot of work to regularly use. I'd love to know your thoughts/stories about this. Thanks!

submitted by /u/nothingveryobvious

Favourite apps?

What are some of your favourite apps? I’ll start:

Plex and *arr suite, obviously

Actual budget (have tried it for a while but never committed to moving from YNAB until their price increase)

Vaultwarden (I’ve tested it, but still on 1password until my subscription is over)

NextCloud

submitted by /u/Resident-Variation21

Self hosting on Pi?

I am totally new to this self-hosting stuff. I am planning on getting a Raspberry Pi and hosting 24x7 on it.

I want a website on it with very basic HTML linking to my socials, and another site where people can upload up to a 1 MB file once a day, which will be stored on my Pi temporarily.

The other purpose is: I use multiple devices, so there are some files that I always need. Instead of copying those onto all devices, I want to store them on my Pi and perhaps access them remotely (it should ask for a password).

So... is it possible to make a headless Pi run 24x7? And is 512 MB of RAM enough for my use case?

submitted by /u/Rahee07

Infinite notepad with iOS version, light and minimal is essential

I am looking for a self-hosted app with just a single, endless notepad page and an app for iOS (or a local app that plays well with GDrive, Dropbox, etc.).

I know I can do the bookmark thing, but it just isn't as nice as a dedicated app. I don't want to mix it with all the other websites I open.

I already have note-taking solutions like Trilium that are useful for organizing information. But I also often write down random thoughts and stuff that don't have any particular place.

I don't want to just create a "miscellaneous" section in Trilium, because I like to keep Trilium open to notes relevant to the task I am doing, and switching back and forth between notes is distracting to me.

I want something that's like the notepad app that used to come with MacOS (maybe it still does, I haven't used a Mac lately).

Ironically, I got into the whole knowledge manager/hierarchical notes thing because my notepad was getting huge and I could never find anything. But now that I have a satisfactory way to organize more structured information, I want a tool to record interesting bits of my stream-of-consciousness in a way that doing so is a minimal distraction from whatever I am supposed to be doing.

I'd like it to save to a plain text file for easy portability.

So in other words, I want a text/markdown editor that only ever has one document. It needs to be extremely light (as in, not an Electron app). I want to open it on any device, wherever I am, write down my distracting little thought, and then go back to whatever I was doing.

If I can change the display font and size in the app without zooming, that would be nice but not mandatory.

Is there anything like this?

I see a few things in Awesome-selfhosted like Meemo, Minimalist-web-notepad and Flatnotes, but nothing seems to be quite what I want.

PS: I know there are a million threads about note-taking apps here, but I wasn't able to find one about this specific need.

submitted by /u/nKephalos

Self Hosting WordPress issues

Hello, I have recently wanted to start self-hosting WordPress. I already have a server that I host multiple things on, but WordPress has been extra difficult to get working. I plan on reverse proxying it through a Caddy server. I am running it in a Docker container, same for the DB. So far, the only way I have managed to reach the admin screen is by setting up an SSH tunnel with -L and connecting through localhost on my laptop. Once in, I have tried to change the site URL to something like "machine-ip" instead of localhost. Once I save, I can no longer connect to WordPress at all.

Upon setting up the reverse proxy any way, Caddy returns a connection refused error.

I have no idea why changing the URL to the machine's IP breaks things. Any advice is welcome.

submitted by /u/TizWarp1

Is cloudflared a security weak point?

I followed the Cloudflare guide to run a command to install cloudflared, but I realized cloudflared is running as root and has a flag "--no-autoupdate".

Isn't this service dangerous if it has root access and no updates? And are there additional things I have to configure to make it more secure?

submitted by /u/Wooden-Pineapple-328

NAS that provides WG and DoT

Hi.

My NAS (on Debian 12) hosts a bunch of services for myself and a few friends. The services mostly run as docker containers but some directly on the OS. I could migrate to full docker.

I've got a WG VPN whose central node is the NAS. This is just for myself: for my desktop, laptop, smartphone. My ssh is exposed only on my LAN and on the VPN. I also started running my own DNS using unbound. Only the VPN clients use it and it's working great.

Except I can't use the unbound DNS for my NAS regular interface due to race conditions during boot (e.g. I've got a custom service that retrieves decryption keys for my hard drives). I've tried playing with systemd's after/requires/etc but I never manage to get a clean boot if I want the NAS default DNS to use unbound.

So at this point and with this level of "complexity" (it's not really complex, but it's not simple anymore), I'm wondering if I should move to something like CoreOS to better compartmentalise all these things?

In general, should I move my DNS server to a completely different physical device altogether?

Thank you for your advice.

submitted by /u/paranoid-alkaloid

Offload Jellyfin processing/Run multiple instances help

I'm running a Jellyfin instance on Oracle's free arm tier via docker. This has been working great for playback unless it's processing files.

What I mean by that is, I have enabled trickplay generation, subtitle extraction, keyframe extraction, intro scanning, everything, you know. So the easy solution is to of course just turn off all those things or run it at night, but sometimes people who use it are using it at the most random hours, which is totally fine, I'm the same.

What I would like to do is run a local instance GPU accelerated to handle all the processing and just use the jellyfin server on oracle's cloud for serving the media. I can't just locally host a Jellyfin server because my upload speed isn't great, but uploading some images and metadata should be totally fine.

I don't really know if it's possible just asking if anyone has any ideas.

submitted by /u/Less_Ad7772

Best way to convert varied scanned invoices to text and extract info?

Hey Reddit,

what would be the best way to convert scanned documents into text and extract specific information? The problem is that the documents (e.g., invoices) are always structured differently from thousands of banks, some are digital, and some are simply scanned. I tried using Invoice2data (Open-Source on Github), but if I have to create Regex for each bank and invoice format, I'll be doing it forever. Additionally, Tesseract-OCR sometimes has issues like confusing 'o' with '0'. Is there a better solution, perhaps something that learns? The goal is to extract the key information from the invoices and put it into an XML file that can be imported elsewhere.

submitted by /u/MisterCookie1234

Best secured & simple way to expose a local machine?

I have been diving into posts for days and, the more I read, the more confused (and security concerned) I am.

I have set up a server running some services such as (but not limited to) Home Assistant. I have some rules in HA that depend on my location, so my instance needs a permanent connection to the HA phone app when I am away. So far, I have worked around it with Tailscale, but there are two drawbacks: 1) a permanent Tailscale connection drains my phone battery, 2) if I activate Tailscale manually, I would need to (remember to) do it every time I move in and out of my delimited zones, which is impractical.

I know other alternatives:

  • VPNs: same battery issue if running a 24/7 connection, plus all my traffic being redirected which I do not need.
  • Cloudflare Tunnel: many people suggesting to avoid due to the unencrypted traffic on their servers.
  • Tailscale Funnel: seems like their predictable URLs and lack of other defensive resorts (unlike Cloudflare) are a potential security issue.

Are there other alternatives not necessarily involving VPS or other systems, that can expose my HA instance (and other services) while keeping HA and my network secured?

submitted by /u/Alreiber

Proxmox: Domain-Based Traffic Routing

Hello everyone,

Sorry if the question was already posted, but the search is a little bit difficult here.

I'm currently running a Proxmox server hosted on a dedicated Hetzner server, and I am exploring the possibilities of configuring HAProxy for more advanced traffic routing between my VMs.

Here's the context of my existing setup:

  • Server: Proxmox is hosted on a dedicated Hetzner server.
  • Current Configuration: OPNsense is already in use as the firewall, and I'm considering integrating HAProxy for specific routing needs.

Before I lease another IP from Hetzner, I want to see if HAProxy can handle my specific requirements for directing traffic based on domain names. Specifically, I'm looking to set up routing rules like:

  • Directing traffic for kasm.rogafe.domain exclusively to a VM designated for KASM.
  • Routing all other subdomains matching *.rogafe.domain to a different VM called Cloud, where I run my docker using compose + traefik.

Diagram of the Setup: [image]

My questions are:

  • Can HAProxy, when configured on OPNsense, handle this type of domain-based routing efficiently?
  • Are there any special considerations or settings in HAProxy that I should prepare for to enable such routing?
  • If anyone has implemented a similar configuration, could you share your insights or point out any potential issues I should be aware of?

I'm looking for any advice or experiences that could help me determine the feasibility of this setup without needing an additional IP.

I am also willing to use another proxy running on a VM; I saw Nginx Proxy Manager named a bunch here.

Thanks in advance for your input!
Rogafe

submitted by /u/rogafe

Budget router to bypass ISP equipment limitations

As I get further into this world, I keep learning new things. Case in point, evidently some ISPs' routers simply do not allow the use of custom DNS addresses. That this is a horrible abuse of power and a limitation of freedom is a topic for a different sub, but for now it raises a question...

What budget-friendly device would you recommend for a home user to place behind the ISP router and take over all possible functions previously managed by the ISP router?

For my purposes I'm aiming for picking up something second hand, most likely a router with the standard functions... 4-port Ethernet switch (bonus for higher speed supported since my LAN transfer speeds are mediocre), wireless AP, and... critically... as open and customizable as possible. (Maybe even supporting OpenWrt or similar?)

My goal is to have my home network services end up in a place where if I move I simply plug all my gear into the new ISP router which is set to passthrough mode... and everything resumes working.

Top notch gear isn't needed for such a simple use case, but I'd rather not experiment multiple times to eventually find a cheap old router that works well.

Thanks!

submitted by /u/user20180620

Mount over WAN, encrypted @ server?

Hi.

I have a server at Hetzner and their storage box.

In what ways can I utilize the storage box (and/or server hard drive space) so I can mount the root folder (of something) locally on Windows to make it available like a NAS share (so it shows up like V:\ in Computer), and have it mountable/browsable in some other place like Android/iPhone/Linux, without having to close the connection from all the others?

Or do I have to use something that is more like a cloud, like Seafile/Nextcloud (read too much about failed and b0nked upgrades here)?

submitted by /u/FuriousRageSE

Introducing R2R - a fully open source RAG engine that supports local LLMs

Hey r/selfhosted,

A friend recently told me that this would be a great place to share our project, R2R. The description below is pulled right off of our docs at https://r2r-docs.sciphi.ai/introduction.

R2R was designed to bridge the gap between local LLM experimentation and scalable, production-ready Retrieval-Augmented Generation (RAG). R2R provides a comprehensive and SOTA RAG system for developers, built around a RESTful API for ease of use.

Key Features

  • 📁 Multimodal Support: Ingest files ranging from .txt, .pdf, .json to .png, .mp3, and more.
  • 🔍 Hybrid Search: Combine semantic and keyword search with reciprocal rank fusion for enhanced relevancy.
  • 🔗 Graph RAG: Automatically extract relationships and build knowledge graphs.
  • 🗂️ App Management: Efficiently manage documents and users with rich observability and analytics.
  • 🌐 Client-Server: RESTful API support out of the box.
  • 🧩 Configurable: Provision your application using intuitive configuration files.
  • 🔌 Extensible: Develop your application further with easy builder + factory pattern.
  • 🖥️ Dashboard: Use the R2R Dashboard, an open source React+Next.js app for a user-friendly interaction with R2R.

R2R can be downloaded with pip or docker and has been designed for minimal setup headaches. We have a pretty active discord and are very active on the development side, so we'd love to hear your thoughts.

submitted by /u/docsoc1