CVE-2024-6387 - OpenSSH vulnerability

  • July 2, 2024
  • 14 replies
  • 80 views

aburrow007

Apart from waiting for Apple to release a patch for this, can I ask what other mitigations people are doing or thinking about doing for this recent issue?

AJPinto
  • Legendary Contributor
  • 2802 replies
  • July 2, 2024

We have pretty hardcore adopted zero trust; there is no direct peer-to-peer access between workstations. About 2 years ago I disabled SSH on our Macs, which did close quite a few vulnerabilities with how lackadaisically Apple likes to patch SSH.


boberito
  • Jamf Heroes
  • 451 replies
  • July 2, 2024

Well, I'm not worrying one bit about it because it looks like it may only be possible on 32-bit systems and only really affects Debian-based Linux systems.


boberito
  • Jamf Heroes
  • 451 replies
  • July 2, 2024

> Well, I'm not worrying one bit about it because it looks like it may only be possible on 32-bit systems and only really affects Debian-based Linux systems.


https://www.wiz.io/blog/cve-2024-6387-critical-rce-openssh


  • Valued Contributor
  • 111 replies
  • July 2, 2024

Our security team pinged us on this. I opened a ticket with Apple Enterprise Support and received the below response... pretty standard response from Apple. From what I understand this vulnerability only impacts glibc-based "Debian" Linux operating systems. Apple may not ever provide a specific update to address this if the CVE does not actually impact macOS.

________________________________

Thanks for reaching out to AppleCare Enterprise Support Engineering for assistance today. I understand that you have questions about CVE-2024-6387 and if it affects macOS/iOS.

To protect our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Because of that, I cannot say how and when a resolution will be delivered. Until then, you can monitor security updates from our Product Security team as outlined on the Apple Product Security page: https://www.apple.com/support/security/

The fastest way to hear about software updates for security issues is via Apple’s public security-announce list. If you are not on that list I highly recommend it. You can get information about this list here:

https://lists.apple.com/mailman/listinfo/security-announce


AJPinto
  • Legendary Contributor
  • 2802 replies
  • July 2, 2024

> Our security team pinged us on this. I opened a ticket with Apple Enterprise Support and received the below response... pretty standard response from Apple. From what I understand this vulnerability only impacts glibc-based "Debian" Linux operating systems. Apple may not ever provide a specific update to address this if the CVE does not actually impact macOS.
>
> ________________________________
>
> Thanks for reaching out to AppleCare Enterprise Support Engineering for assistance today. I understand that you have questions about CVE-2024-6387 and if it affects macOS/iOS.
>
> To protect our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Because of that, I cannot say how and when a resolution will be delivered. Until then, you can monitor security updates from our Product Security team as outlined on the Apple Product Security page: https://www.apple.com/support/security/
>
> The fastest way to hear about software updates for security issues is via Apple's public security-announce list. If you are not on that list I highly recommend it. You can get information about this list here:
>
> https://lists.apple.com/mailman/listinfo/security-announce


I think Apple should adjust this auto-reply. We got pretty much the same thing on the data breach last week.

To protect our shareholders, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available....

  • Valued Contributor
  • 1007 replies
  • July 9, 2024

Not that it mattered, but I wrote an EA to check for SSH being enabled, and if it is, then I turn it off (https://www.alansiu.net/2020/09/02/scripting-ssh-off-on-without-needing-a-pppc-tcc-profile/) to make security happier.


jamf-42
  • Esteemed Contributor
  • 744 replies
  • July 9, 2024

> Not that it mattered, but I wrote an EA to check for SSH being enabled, and if it is, then I turn it off (https://www.alansiu.net/2020/09/02/scripting-ssh-off-on-without-needing-a-pppc-tcc-profile/) to make security happier.


Not seeing the EA on that link?


  • New Contributor
  • 4 replies
  • July 11, 2024

Has anyone developed a script to push from Jamf Pro to update OpenSSH?


  • Valued Contributor
  • 1007 replies
  • July 11, 2024

Update it with what? You'd need to wait for Apple to provide an update, right?


  • New Contributor
  • 4 replies
  • July 11, 2024

> Update it with what? You'd need to wait for Apple to provide an update, right?


I have the newest version of OpenSSH and used Homebrew to install it on my Mac. I am on 14.5 and was running SSH_9.7. Homebrew worked to install 9.8. I was looking to push this out to our fleet in Jamf due to security seeing anything 9.7 and lower as a vulnerability.


boberito
  • Jamf Heroes
  • 451 replies
  • July 11, 2024

> I have the newest version of OpenSSH and used Homebrew to install it on my Mac. I am on 14.5 and was running SSH_9.7. Homebrew worked to install 9.8. I was looking to push this out to our fleet in Jamf due to security seeing anything 9.7 and lower as a vulnerability.


That doesn't patch the Apple-provided version of ssh. That just installs a second copy that you now have to maintain, configure, and update.

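As an added example (not code from this thread or from the linked alansiu.net post), here is a Jamf Pro extension attribute in the spirit of the EA mentioned earlier in the thread: it reports whether Remote Login is on and the version of Apple's own /usr/bin/ssh rather than whatever Homebrew copy happens to be first in PATH, which is the distinction made in the reply above. It assumes macOS (systemsetup(8), /usr/bin/ssh, the Jamf `<result>` convention) and uses 9.8 as the threshold security quoted in the thread; it only reports, it does not decide whether Apple's build is exploitable.

```shell
#!/bin/bash
# Jamf Pro extension attribute (added example, not from the thread).
# Reports Remote Login state and the Apple-provided OpenSSH version.
# The parse_* helpers are pure string functions so they run anywhere;
# only ea_result touches macOS-specific tools (assumed to exist there).

# "Remote Login: On" / "Remote Login: Off" -> "On" / "Off"
parse_remote_login() {
    case "$1" in
        *"Remote Login: On"*)  echo "On" ;;
        *"Remote Login: Off"*) echo "Off" ;;
        *)                     echo "Unknown" ;;
    esac
}

# "OpenSSH_9.7p1, LibreSSL 3.3.6" -> "9.7p1"  (constructed sample format)
parse_ssh_version() {
    local v="${1#OpenSSH_}"
    echo "${v%%,*}"
}

# Returns 0 when major.minor of $1 is at or above $2, else 1.
# The "pN" portable-release suffix is ignored for the comparison.
version_at_least() {
    local have="${1%%p*}" want="$2"
    local hmaj="${have%%.*}" hmin="${have#*.}"
    local wmaj="${want%%.*}" wmin="${want#*.}"
    [ "$hmaj" -gt "$wmaj" ] || { [ "$hmaj" -eq "$wmaj" ] && [ "$hmin" -ge "$wmin" ]; }
}

# Builds the EA value. Uses absolute paths so a Homebrew ssh in PATH is
# never mistaken for the Apple build; ssh -V prints its banner on stderr.
ea_result() {
    local state version flag="below-9.8"
    state=$(parse_remote_login "$(/usr/sbin/systemsetup -getremotelogin 2>/dev/null)")
    version=$(parse_ssh_version "$(/usr/bin/ssh -V 2>&1)")
    version_at_least "$version" "9.8" && flag="9.8-or-newer"
    echo "RemoteLogin=${state}; AppleOpenSSH=${version} (${flag})"
}

# Jamf reads the text between <result> tags as the attribute value.
if [ "$(uname)" = "Darwin" ]; then
    echo "<result>$(ea_result)</result>"
fi
```

Pair it with a smart group on the RemoteLogin value if you want a policy to act on machines where sshd is still enabled.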

  • New Contributor
  • 4 replies
  • July 11, 2024

> That doesn't patch the Apple-provided version of ssh. That just installs a second copy that you now have to maintain, configure, and update.


Ah, thanks for the insight. 


ImAMacGuy
  • Esteemed Contributor
  • 1310 replies
  • August 20, 2024

A little late to this, but doesn't Jamf use SSH to communicate/install software?

boberito
  • Jamf Heroes
  • 451 replies
  • September 17, 2024

> A little late to this, but doesn't Jamf use SSH to communicate/install software?

No.