CVE-2024-6387 - Openssh vulnerability

aburrow007
New Contributor II

Apart from waiting for Apple to release a patch for this.  Can I ask what other mitigations people are doing or thinking about doing for this recent issue?

14 REPLIES 14

AJPinto
Honored Contributor III

We have pretty hard core adopted zero trust, there is no direct peer to peer access between workstations. About 2 years ago I disabled SSH on our Macs, which did close quite a few vulnerabilities with how lackadaisically Apple likes to patch SSH.

boberito
Valued Contributor

Well I'm not worrying 1 bit about it because it looks like it may only be possible on 32bit systems and only really affects Debian based linux systems. 

boberito
Valued Contributor

scottlep
Contributor II

Our security team pinged us on this. I opened a ticket with Apple Enterprise Support and received the below response....pretty standard response from Apple. From what I understand this vulnerability only impacts Glibc-based “Debian” Linux operating systems. Apple may not ever provide a specific update to address this if the CVE does not actually impact macOS.

________________________________

Thanks for reaching out to AppleCare Enterprise Support Engineering for assistance today. I understand that you have questions about CVE-2024-6387 and if it affects macOS/iOS.

To protect our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Because of that, I cannot say how and when a resolution will be delivered. Until then, you can monitor security updates from our Product Security team as outlined on the Apple Product Security page: https://www.apple.com/support/security/

The fastest way to hear about software updates for security issues is via Apple’s public security-announce list. If you are not on that list I highly recommend it. You can get information about this list here:

https://lists.apple.com/mailman/listinfo/security-announce

AJPinto
Honored Contributor III

I think apple should adjust this auto reply. We got pretty much the same thing on the databreach last week. 

To protect our shareholders, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available....

 


 

nessts
Valued Contributor II

Not that it mattered, but i wrote an EA to check for SSH being enabled, and if it is, then i turn it off https://www.alansiu.net/2020/09/02/scripting-ssh-off-on-without-needing-a-pppc-tcc-profile/ to make security happier.

jamf-42
Valued Contributor II

not seeing the EA on that link? 

bozerw
New Contributor

Has anyone developed a script to push from Jamf Pro to update openSSH?  

nessts
Valued Contributor II

update it with what? you'd need to wait for Apple to provide an update right?

bozerw
New Contributor

I have the newest version of openSSH and used Home Brew to install it on my Mac. I am on 14.5 and was running SSH_9.7.  Home Brew worked to install 9.8.  I was looking to push this out to our fleet in Jamf due to security seeing anything 9.7 and lower a vulnerability.  

boberito
Valued Contributor

That doesn’t patch the Apple provided version of ssh. That just installs a second copy that now you have to maintain, configure, and update. 

Ah, thanks for the insight. 

ImAMacGuy
Valued Contributor II

A little late to this, but doesn't jamf use SSH to communicate/install software?

 

 

 

boberito
Valued Contributor

No.