https://blog.vyos.io VyOS Platform Project news and updates All about development and project life in our blog en Thu, 24 Oct 2024 09:17:37 GMT 2024-10-24T09:17:37Z en https://blog.vyos.io/remote-code-execution-in-listening-zabbix-agent-cve-2023-32728 <div class="hs-featured-image-wrapper"> <a href="https://blog.vyos.io/remote-code-execution-in-listening-zabbix-agent-cve-2023-32728" title="" class="hs-featured-image-link"> <img src="https://blog.vyos.io/hubfs/Remote%20code%20execution%20in%20listening%20Zabbix%20agent%20(CVE-2023-32728).png" alt="zabbix cve" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p>Hello, Community!</p> <p>Our community member Fabian Riechsteiner <a href="https://vyos.dev/T6776">brought to our attention</a> that the version of the Zabbix agent present in VyOS 1.4.0 is susceptible to a remote code execution vulnerability — <a href="https://support.zabbix.com/browse/ZBX-23858">CVE-2023-32728</a>. We made a hotfix available to subscribers, and the fix will be a part of the upcoming VyOS 1.4.1 release.</p> <div class="hs-featured-image-wrapper"> <a href="https://blog.vyos.io/remote-code-execution-in-listening-zabbix-agent-cve-2023-32728" title="" class="hs-featured-image-link"> <img src="https://blog.vyos.io/hubfs/Remote%20code%20execution%20in%20listening%20Zabbix%20agent%20(CVE-2023-32728).png" alt="zabbix cve" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p>Hello, Community!</p> <p>Our community member Fabian Riechsteiner <a href="https://vyos.dev/T6776">brought to our attention</a> that the version of the Zabbix agent present in VyOS 1.4.0 is susceptible to a remote code execution vulnerability — <a href="https://support.zabbix.com/browse/ZBX-23858">CVE-2023-32728</a>. We made a hotfix available to subscribers, and the fix will be a part of the upcoming VyOS 1.4.1 release.</p> <img src="https://track.hubspot.com/__ptq.gif?a=4129050&amp;k=14&amp;r=https%3A%2F%2Fblog.vyos.io%2Fremote-code-execution-in-listening-zabbix-agent-cve-2023-32728&amp;bu=https%253A%252F%252Fblog.vyos.io&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> security 1.4 vulnerability Thu, 24 Oct 2024 09:17:37 GMT daniil@sentrium.io (Daniil Baturin) https://blog.vyos.io/remote-code-execution-in-listening-zabbix-agent-cve-2023-32728 2024-10-24T09:17:37Z https://blog.vyos.io/cve-2024-6387-regresshion <div class="hs-featured-image-wrapper"> <a href="https://blog.vyos.io/cve-2024-6387-regresshion" title="" class="hs-featured-image-link"> <img src="https://blog.vyos.io/hubfs/CVE-2024-6387.png" alt="CVE-2024-6387: remote code execution in OpenSSH server" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p>Hello, Community!</p> <p>Today Qualys's security team has disclosed a remotely exploitable vulnerability in OpenSSH server. It was assigned CVE-2024-6387 number and nicknamed "regreSSHion" because its cause is an accidental removal of code that fixed a much earlier vulnerability back in 2006. It affects OpenSSH versions older than 4.4p1 and versions between 8.5p1 and 9.8p1. VyOS 1.3.8 includes OpenSSH 7.9p1 and thus isn't vulnerable. VyOS 1.4.0 includes 9.2p1 and will need a patch to remain secure.</p> <div class="hs-featured-image-wrapper"> <a href="https://blog.vyos.io/cve-2024-6387-regresshion" title="" class="hs-featured-image-link"> <img src="https://blog.vyos.io/hubfs/CVE-2024-6387.png" alt="CVE-2024-6387: remote code execution in OpenSSH server" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p>Hello, Community!</p> <p>Today Qualys's security team has disclosed a remotely exploitable vulnerability in OpenSSH server. It was assigned CVE-2024-6387 number and nicknamed "regreSSHion" because its cause is an accidental removal of code that fixed a much earlier vulnerability back in 2006. It affects OpenSSH versions older than 4.4p1 and versions between 8.5p1 and 9.8p1. VyOS 1.3.8 includes OpenSSH 7.9p1 and thus isn't vulnerable. VyOS 1.4.0 includes 9.2p1 and will need a patch to remain secure.</p> <img src="https://track.hubspot.com/__ptq.gif?a=4129050&amp;k=14&amp;r=https%3A%2F%2Fblog.vyos.io%2Fcve-2024-6387-regresshion&amp;bu=https%253A%252F%252Fblog.vyos.io&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> security announcement vulnerability Mon, 01 Jul 2024 10:24:00 GMT daniil@sentrium.io (Daniil Baturin) https://blog.vyos.io/cve-2024-6387-regresshion 2024-07-01T10:24:00Z https://blog.vyos.io/zenbleed-and-the-ssh-agent-vulnerability <div class="hs-featured-image-wrapper"> <a href="https://blog.vyos.io/zenbleed-and-the-ssh-agent-vulnerability" title="" class="hs-featured-image-link"> <img src="https://blog.vyos.io/hubfs/Zenbleed%20and%20OpenSSH%20agent%20vulnerabilities%20and%20their%20Impact%20on%20VyOS.png" alt="Zenbleed" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p>Hello, Community!</p> <p>Recently, two severe vulnerabilities were discovered by security researchers. One of them is nicknamed Zenbleed (<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-20593">CVE-2023-20593</a>) and affects a number of AMD CPUs, the other one (<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-38408">CVE-2023-38408</a>) affects OpenSSH. Both are potentially very serious but, luckily, don't affect most VyOS users. We will include fixes for them in our next releases, of course, and we can provide hotfix packages to people who need them now.</p> <div class="hs-featured-image-wrapper"> <a href="https://blog.vyos.io/zenbleed-and-the-ssh-agent-vulnerability" title="" class="hs-featured-image-link"> <img src="https://blog.vyos.io/hubfs/Zenbleed%20and%20OpenSSH%20agent%20vulnerabilities%20and%20their%20Impact%20on%20VyOS.png" alt="Zenbleed" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p>Hello, Community!</p> <p>Recently, two severe vulnerabilities were discovered by security researchers. One of them is nicknamed Zenbleed (<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-20593">CVE-2023-20593</a>) and affects a number of AMD CPUs, the other one (<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-38408">CVE-2023-38408</a>) affects OpenSSH. Both are potentially very serious but, luckily, don't affect most VyOS users. We will include fixes for them in our next releases, of course, and we can provide hotfix packages to people who need them now.</p> <img src="https://track.hubspot.com/__ptq.gif?a=4129050&amp;k=14&amp;r=https%3A%2F%2Fblog.vyos.io%2Fzenbleed-and-the-ssh-agent-vulnerability&amp;bu=https%253A%252F%252Fblog.vyos.io&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> security vyos vulnerability Thu, 27 Jul 2023 10:16:51 GMT daniil@sentrium.io (Daniil Baturin) https://blog.vyos.io/zenbleed-and-the-ssh-agent-vulnerability 2023-07-27T10:16:51Z https://blog.vyos.io/cve-2022-3786-vyos-not-vulnerable <div class="hs-featured-image-wrapper"> <a href="https://blog.vyos.io/cve-2022-3786-vyos-not-vulnerable" title="" class="hs-featured-image-link"> <img src="https://blog.vyos.io/hubfs/Recent%20OpenSSL.png" alt="openssl" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p>Many people are concerned about recently announced OpenSSL vulnerabilities (<a href="https://cve.circl.lu/cve/CVE-2022-3786">CVE-2022-3786</a> and <a href="https://cve.circl.lu/cve/CVE-2022-3602">CVE-2022-3602</a>). However, none of the VyOS versions ever released are vulnerable. Those vulnerabilities affect only OpenSSL version <span style="font-weight: bold;">3.0.x</span>, while VyOS uses <span style="font-weight: bold;">1.1.1n</span> in the 1.3.x LTS line and in the nightly builds of the upcoming 1.4 release,&nbsp; and that version is not vulnerable.</p> <div class="hs-featured-image-wrapper"> <a href="https://blog.vyos.io/cve-2022-3786-vyos-not-vulnerable" title="" class="hs-featured-image-link"> <img src="https://blog.vyos.io/hubfs/Recent%20OpenSSL.png" alt="openssl" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p>Many people are concerned about recently announced OpenSSL vulnerabilities (<a href="https://cve.circl.lu/cve/CVE-2022-3786">CVE-2022-3786</a> and <a href="https://cve.circl.lu/cve/CVE-2022-3602">CVE-2022-3602</a>). However, none of the VyOS versions ever released are vulnerable. Those vulnerabilities affect only OpenSSL version <span style="font-weight: bold;">3.0.x</span>, while VyOS uses <span style="font-weight: bold;">1.1.1n</span> in the 1.3.x LTS line and in the nightly builds of the upcoming 1.4 release,&nbsp; and that version is not vulnerable.</p> <img src="https://track.hubspot.com/__ptq.gif?a=4129050&amp;k=14&amp;r=https%3A%2F%2Fblog.vyos.io%2Fcve-2022-3786-vyos-not-vulnerable&amp;bu=https%253A%252F%252Fblog.vyos.io&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> security vyos openssl vulnerability Thu, 03 Nov 2022 13:50:29 GMT daniil@sentrium.io (Daniil Baturin) https://blog.vyos.io/cve-2022-3786-vyos-not-vulnerable 2022-11-03T13:50:29Z