So I just read @dcuthbert's (not that active on Masto, so @[email protected] for sauce) writeup on the #regresshion #poc backdoor ( https://bird.makeup/users/dcuthbert/statuses/1811327974513295432 )
While they point out they would have used an LKM to hide processes better, I just ran into something I didn't consider in hiding processes: PID namespaces!
Edit 1 (disclaimer, I'm ignorant): This is a half-baked thought process, and I haven't tested this theory. Might be a foot-in-mouth moment!
This idea is courtesy of #synology's distro on their NAS (maybe their router software too).
My Synology runs their "ContainerManager" package, which is just docker. In ContainerManager I am running jellyfin and gitea.
My usual experience, when seeing what containers are running from a system-defaults PoV, is that from the shell I can run ps auxw or ps -eLf and expect to see the processes running from docker. I've attached a screenshot of docker on Arch running jellyfin.
There's also a screenshot of jellyfin running in Synology's 'locked down OS'. You can see it's running, because docker ps -a tells us so.
Heck, from a system point of view, you can't even see docker/containerd running like you can on other Linux distros. What's going on?
Namespaces!
It's not just for containers; it's available on enabled Linux kernels everywhere!
Check out @b0rk's most excellent intro and writeup on it if you're not familiar. [https://jvns.ca/blog/2016/10/10/what-even-is-a-container/]
Can you turn off namespaces on servers not meant to run containers? I believe you can restrict them with sysctl calls, but I'm unsure whether modern-day distros for server use need them.
So do you trust your vuln management systems to help you know what's actually running on systems anymore? ;)
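An added example (not from the post, Synology or Docker): a small Python script a defender can run on a host to inventory visible processes by PID namespace and to check whether the shell itself sits in a child PID namespace, which is exactly the situation where `ps` can never show you the host's processes. The `/proc/<pid>/status` sample bodies are constructed; the `/proc` paths and the `NSpid` field are real kernel interfaces (NSpid needs kernel 4.1 or later).

```python
#!/usr/bin/env python3
"""Inventory processes by PID namespace using only /proc.

/proc/<pid>/status carries an "NSpid:" line listing the PID as seen from
every PID namespace the process belongs to, outermost first.  More than
one entry means the process lives in a child PID namespace (a container),
and a shell whose own NSpid chain is longer than one is itself confined
and will not see the host's process table with ps.
"""
from __future__ import annotations
import os
import re
from collections import defaultdict

_NSPID = re.compile(r"^NSpid:\s*(.*)$", re.M)

# Constructed sample status bodies (what /proc/<pid>/status looks like).
SAMPLE_CONTAINER_STATUS = "Name:\tjellyfin\nPid:\t4321\nNSpid:\t4321\t1\n"
SAMPLE_HOST_STATUS = "Name:\tsshd\nPid:\t812\nNSpid:\t812\n"


def nspid_chain(status_text: str) -> list[int]:
    """PID of the process in each enclosing PID namespace, outermost first."""
    m = _NSPID.search(status_text)
    if not m:
        return []  # kernel predates NSpid; namespace depth is unknown
    return [int(tok) for tok in m.group(1).split()]


def in_child_pid_namespace(status_text: str) -> bool:
    """True when the process is nested in at least one child PID namespace."""
    return len(nspid_chain(status_text)) > 1


def pid_ns_inventory(proc: str = "/proc") -> dict[str, list[int]]:
    """Group every PID visible to us by the inode of its PID namespace."""
    groups: dict[str, list[int]] = defaultdict(list)
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:  # readlink gives e.g. "pid:[4026531836]"
                groups[os.readlink(f"{proc}/{entry}/ns/pid")].append(int(entry))
            except OSError:
                continue  # process exited or not ours to inspect
    return dict(groups)


if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        if in_child_pid_namespace(fh.read()):
            print("WARNING: this shell is inside a child PID namespace; ps is partial")
    for ns, pids in sorted(pid_ns_inventory().items()):
        print(f"{ns}: {len(pids)} processes, e.g. {sorted(pids)[:5]}")
```

Run it as root on the host; a single namespace group and no warning means you really are looking at the whole process table, while several groups show where the containers are even when a confined shell would hide them.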
Edit 2:
If you want to see what Synology is doing and don't have a Synology device, you can run their distro in a virtual machine. I don't know if you can really trust this or not, but I've used it in the past. Use at your own risk.
The Redpill pre-install and Recovery environment.
[https://github.com/RROrg/rr]
Synology DSM
[https://archive.synology.com/download/Os/DSM]
#infosec #containers #docker #linux #security