Security bulletins

From time to time, we might release security bulletins related to Bare Metal Solution. All security bulletins for Bare Metal Solution are described here.

Use this XML feed to subscribe to security bulletins for this page.

GCP-2024-040

Published: 2024-07-02

Description	Severity	Notes
A vulnerability CVE-2024-6387 was discovered in OpenSSH server (sshd). This vulnerability is exploitable remotely on glibc-based linux systems: an unauthenticated remote code execution as root, because it affects sshd's privileged code, which is not sandboxed and runs with full privileges. At the time of publication, exploitation is believed to be difficult–requiring winning a race condition, which is hard to successfully exploit and may take several hours per machine being attacked. Bare Metal Solution impact Based on our investigations, we are not aware of any exploitation attempts on existing Google managed Bare Metal Solution infrastructure. What should I do? We recommend updating to the safe OpenSSH version 9.8p1 once it is released, or applying sshd patches once provided by OS vendors. We also recommend disabling/removing vulnerable OpenSSH server wherever it is not required. Setup firewall rules to restrict access to SSH servers from trusted network endpoints. Monitor for any unusual network activity involving SSH servers.	Critical	CVE-2024-6387

Description

Severity

Notes

A vulnerability CVE-2024-6387 was discovered in OpenSSH server (sshd). This vulnerability is exploitable remotely on glibc-based linux systems: an unauthenticated remote code execution as root, because it affects sshd's privileged code, which is not sandboxed and runs with full privileges.

At the time of publication, exploitation is believed to be difficult–requiring winning a race condition, which is hard to successfully exploit and may take several hours per machine being attacked.

Bare Metal Solution impact

Based on our investigations, we are not aware of any exploitation attempts on existing Google managed Bare Metal Solution infrastructure.

What should I do?

We recommend updating to the safe OpenSSH version 9.8p1 once it is released, or applying sshd patches once provided by OS vendors.
We also recommend disabling/removing vulnerable OpenSSH server wherever it is not required.
Setup firewall rules to restrict access to SSH servers from trusted network endpoints.
Monitor for any unusual network activity involving SSH servers.

Critical

CVE-2024-6387