How to dispute a patched CVE-2024-6387 finding on AlmaLinux 9

If your server is being scanned by security software, that software may well report a vulnerability in your SSHD version; specifically, it may say that your server is vulnerable to CVE-2024-6387. Here’s what we’ve done for our Brownrice SmartVPS hosting customers and how you can dispute this finding if you are one of our customers.

First, none of our SmartVPSs are vulnerable to CVE-2024-6387: we patched everything that was vulnerable across our systems less than a week after the vulnerability was announced and the patch was released.

You will likely have to dispute this with your security scanning vendor, since the reported “version” will be lower than “9.8p1” even though the package is patched with a backported fix. This is how LTS (long term support) enterprise OSes work: they typically run older, stable versions of software and backport important security fixes like this one.

For more detail, our newest SmartVPSs run on the following OS: AlmaLinux release 9.4 (Seafoam Ocelot), which is patched for this CVE and runs the following OpenSSH version:

CT-bfb8f83b-a32d-41ce-8798-4bf43b06ef63 /# rpm -q openssh
openssh-8.7p1-38.el9_4.4.x86_64

Here’s the announcement from Alma and the subsequent patch that was applied (the openssh version shown above matches the patched version, which is how you can confirm a system is post-patch): https://almalinux.org/blog/2024-07-01-almalinux-9-cve-2024-6387/
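Scanners that only compare the upstream version number (“8.7p1” vs “9.8p1”) miss backported fixes; the check that actually works on an RPM-based system is to compare the full package build against the fixed build. The following is an added example (not Brownrice or AlmaLinux code) that implements a simplified rpm-style version comparison and checks an installed openssh NVRA string against the fixed build named above; the sample package strings in the test are constructed.

```python
import re

# Fixed build named on the page: openssh-8.7p1-38.el9_4.4 (AlmaLinux 9.4 advisory package).
FIXED_VERSION = "8.7p1"
FIXED_RELEASE = "38.el9_4.4"

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version/release strings the way rpm does (simplified:
    no epoch, tilde or caret handling). Split into digit and alpha runs;
    digit runs compare numerically, alpha runs lexically, digits beat alpha."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment counts as newer
        elif x != y:
            return (x > y) - (x < y)
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvra(pkg: str):
    """Split 'openssh-8.7p1-38.el9_4.4.x86_64' into (name, version, release, arch)."""
    m = re.fullmatch(r"(.+)-([^-]+)-([^-]+)\.([^.]+)", pkg)
    if not m:
        raise ValueError(f"not an NVRA string: {pkg}")
    return m.groups()


def is_patched(pkg: str) -> bool:
    """True when the installed openssh build is at or above the fixed build."""
    name, ver, rel, _arch = parse_nvra(pkg)
    if name != "openssh":
        raise ValueError(f"expected the openssh package, got {name}")
    c = rpmvercmp(ver, FIXED_VERSION)
    if c != 0:
        return c > 0
    return rpmvercmp(rel, FIXED_RELEASE) >= 0


if __name__ == "__main__":
    # On the host itself, feed the real `rpm -q openssh` output through the check.
    import subprocess
    installed = subprocess.run(["rpm", "-q", "openssh"], capture_output=True,
                               text=True, check=True).stdout.strip()
    print(installed, "PATCHED" if is_patched(installed) else "NOT PATCHED")
```

On the host, `rpm -q --changelog openssh | grep CVE-2024-6387` is the complementary check: a backported fix is recorded in the package changelog even though the upstream version stays at 8.7p1.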

Alma9 is downstream of RHEL9, so any patches for that platform are also applied here. All of our SmartVPSs are either on Alma9 with this patch or, for our older VPSs, on CentOS 7 (RHEL7), which was never actually affected by the vulnerability. More details showing that CentOS 7 (a downstream OS of RHEL7) is not vulnerable can be found here. Specifically:

RHEL 9 is the only affected version. RHEL 6, 7, and 8 all utilize an older version of OpenSSH which was never affected by this vulnerability.

So in summary: we’ve got your back and always patch high-risk zero-day vulnerabilities across our systems whenever they come out, without telling you. Unfortunately some scanners can’t tell, since the fixes are backported into the older SSH version, so you’ll have to let them know so they can make an exception in your scan; they should still pass you without issue.

If passing this scan is still an issue, you could lock down port 22 (SSH) to only your and your developers’ IP addresses, effectively closing SSH to the world, which will also let the scanner run and finish without finding anything. But since your openssh version is patched and secure, you should not have to do this in order to pass.

Let us know if you have any questions!

About Oban

Oban manages the Brownrice Internet staff, keeps the network humming, and chases his wife and twin boys around during his time off.