wally.nl Posted November 8, 2023

I'm new to Unraid but couldn't find an answer quickly searching the forum. I've scanned my new Unraid build with Outpost24 and it found one critical issue (CVE-2023-38408) which could be fixed by updating sshd. Usually something like this would be fixed with a simple yum or apt update, but although it's fairly easy and straightforward to update the Docker containers on Unraid, I can't find how to update the Unraid OS packages.

Vulnerability Information: The PKCS#11 feature in ssh-agent in OpenSSH has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Solution: Upgrade to version 9.4 or later of OpenSSH.
Category: Update
Product: OpenSSH
CVE: CVE-2023-38408
Bugtraq: No bugtraq
itimpi Posted November 8, 2023

There is no standard way to safely update packages, as Unraid is meant to be treated as an 'appliance'. Installing a package that has not been validated by Limetech risks breaking the system, so normally you need to wait for Limetech to release a new Unraid release that includes the patches. If you can find a self-contained version of the package with no dependencies that is compatible with the Slackware base underlying Unraid, you can put it into the 'extras' folder on the flash drive and it then gets installed as part of the Unraid boot process, but you do this at your own risk.

Having said all that, you should not need to, as the release notes for the 12.4 release contain "openssh: version 9.3p2 (CVE-2023-38408)", so that vulnerability should already be patched.
wally.nl Posted November 8, 2023 (Author)

There is something fishy going on with sshd versioning anyway.

ssh -v <my_nas> shows version 9.3:

debug1: Remote protocol version 2.0, remote software version OpenSSH_9.3
debug1: compat_banner: match: OpenSSH_9.3 pat OpenSSH* compat 0x04000000

On Unraid, ssh -V shows the same 9.3 version:

# sshd -V
OpenSSH_9.3, OpenSSL 1.1.1v  1 Aug 2023

but using an unknown parameter displays the patched version?

# sshd -v
unknown option -- v
OpenSSH_9.3p2, OpenSSL 1.1.1v  1 Aug 2023
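The two outputs in the post line up with how OpenSSH is built: the protocol banner that ssh -v (and a network scanner) sees carries only the base version string, OpenSSH_9.3, while the usage text that sshd prints locally carries the portable release string with its p2 suffix. A scanner that keys off the banner alone therefore cannot tell 9.3p1 (affected) from 9.3p2 (the portable release that fixed CVE-2023-38408), which is the false positive the first post ran into. The POSIX sh script below is an added example, not code from this thread, from Unraid/Limetech or from Outpost24: it extracts the version from either kind of string, classifies it against the fix level (9.3p2, or 9.4 and later), reports a banner-only 9.3 as ambiguous rather than guessing, and, since the advisory text says the bug needs a forwarded agent, also audits a client ssh_config snippet for ForwardAgent yes. Function names are my own and the sample strings are constructed to mirror the post's output.

```shell
#!/bin/sh
# Added example (not from the thread, Unraid/Limetech or Outpost24).
# Classifies an OpenSSH version string against the fix level for
# CVE-2023-38408 (portable 9.3p2, upstream 9.4) and audits a client
# ssh_config snippet for the precondition the advisory names: a forwarded agent.
# Function names and sample inputs are my own; samples mirror the post's output.

# Extract "MAJOR.MINOR[pN]" from any text containing OpenSSH_<version>:
#   "SSH-2.0-OpenSSH_9.3"                        -> 9.3    (protocol banner)
#   "OpenSSH_9.3p2, OpenSSL 1.1.1v  1 Aug 2023"  -> 9.3p2  (sshd usage line)
#   "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"    -> 8.9p1  (distro banner)
# Prints nothing if no version is present; only the first match counts.
ossh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\(p[0-9][0-9]*\)*\).*/\1/p' |
        head -n 1
}

# Verdicts:
#   fixed             9.4 or later, or 9.3p2 or later
#   below-fix         anything older than 9.3p2 (9.3p1, 9.2, ...)
#   banner-ambiguous  "9.3" with no portable suffix: p1 and p2 look the same
#                     on the wire, so a banner-only scanner cannot decide
#   unknown           no OpenSSH version string found
cve_2023_38408_status() {
    v=$(ossh_version "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 0
    fi
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%p*}
    case "$rest" in
        *p*) patch=${rest#*p} ;;
        *)   patch= ;;
    esac
    if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 4 ]; }; then
        echo fixed
    elif [ "$major" -eq 9 ] && [ "$minor" -eq 3 ]; then
        if [ -z "$patch" ]; then
            echo banner-ambiguous
        elif [ "$patch" -ge 2 ]; then
            echo fixed
        else
            echo below-fix
        fi
    else
        echo below-fix
    fi
}

# The bug is only reachable when an agent is forwarded to a host the
# attacker controls. Given ssh_config text, print "yes" if any
# non-comment line enables ForwardAgent, otherwise "no".
forward_agent_enabled() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Constructed samples mirroring the post: what the scanner saw on the wire,
# and what sshd itself prints locally. The config snippet is constructed too.
BANNER='SSH-2.0-OpenSSH_9.3'
USAGE_LINE='OpenSSH_9.3p2, OpenSSL 1.1.1v  1 Aug 2023'
CLIENT_CONFIG='Host nas
    HostName 192.0.2.10
    ForwardAgent yes'

echo "banner   : $(cve_2023_38408_status "$BANNER")"        # banner-ambiguous
echo "usage    : $(cve_2023_38408_status "$USAGE_LINE")"    # fixed
echo "forwards : $(forward_agent_enabled "$CLIENT_CONFIG")" # yes
```

On the NAS itself, `cve_2023_38408_status "$(sshd -v 2>&1)"` feeds the same usage text the post shows into the classifier (the first line containing OpenSSH_ is used), while `cve_2023_38408_status "$(ssh -v "$HOST" 2>&1 </dev/null | grep 'remote software version')"` reproduces the scanner's banner-only view; the two verdicts differing is the point, not a contradiction.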