Security advisory: OpenSSH CVE-2024-6387 “regreSSHion” – update your servers ASAP

Right, sorry, I only read the last status message.

Here’s some nix-fu for checking whether you have the backported patch:

nix derivation show $(which ssh) | jq -r '.[].inputSrcs[]' | grep CVE-2024
3 Likes

I believe you need $(readlink -f $(which ssh)), otherwise it’ll be looking at the derivation that produced your /run/current-system/sw/bin, rather than the OpenSSH one. (So don’t panic if this seems to indicate you’re still vulnerable.)

6 Likes

Can we determine if a nixos machine is patched with a tool like vulnix?

Yes, vulnix -R $(readlink -f $(which ssh)) will show you if there is an active advisory on it or not. Under the hood, it does something similar to what the nix derivation show/jq/grep proposed a few posts ago does.

2 Likes

It’s worth noting that all these snippets rely on the contents of $PATH, which may or may not match up with whatever is running in the systemd service, especially if user channels or other heavier customization is involved. It’ll work most of the time, of course, but it might not, which is a bit scary. I can’t think of a simple, foolproof and generic check either, though.

Maybe we could make this easier upstream? What do other distros do? “Sadly” this CVE takes too long to exploit to write a simple distro-independent vulnerability checker for it.

3 Likes

Would vulnix -S help with that? Not sure if we can filter to only get openssh result? Otherwise, I guess it would take a while to scan everything.

Not 100% foolproof and generic, but I was doing this to see which sshd are running at the moment:

for p in $(pidof sshd); do readlink /proc/$p/exe; done | sort | uniq -c

Note in particular that switching the systemd service won’t immediately replace all of them. Thankfully, as for servers you’re probably doing the update over ssh.

1 Like
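A script that joins the two checks from this thread (which store path each running sshd actually came from, and whether that derivation is patched), added here as an example and not from any poster. It assumes OpenSSH 9.8 or later carries the upstream fix and, like the grep above, that a backported build names CVE-2024-6387 among its derivation inputs; the sample derivation JSON is constructed.

```shell
#!/bin/sh
# Added example: classify every sshd binary that is actually running, instead of
# whatever `ssh` on $PATH resolves to. Assumes OpenSSH >= 9.8 has the upstream
# fix and that a backport shows "CVE-2024-6387" in `nix derivation show` output.

# Version embedded in a store path, e.g. /nix/store/<hash>-openssh-9.8p1/bin/sshd
# -> 9.8p1; prints nothing if the path has no openssh-<version> component.
openssh_version_from_path() {
  printf '%s\n' "$1" | sed -n 's#.*-openssh-\([0-9][0-9.]*p[0-9]*\)/.*#\1#p'
}

# 0 if the version is 9.8 or later, 1 otherwise (or if it cannot be parsed).
version_is_fixed() {
  local major minor
  major=${1%%.*}
  minor=${1#*.}; minor=${minor%%[!0-9]*}
  case "$major$minor" in *[!0-9]* | '') return 1 ;; esac
  if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 8 ]; }; then
    return 0
  fi
  return 1
}

# Reads `nix derivation show` JSON on stdin; 0 if the backport patch is an input.
drv_has_backport() {
  grep -q 'CVE-2024-6387'
}

# Verdict for one sshd path (derivation JSON on stdin for the backport check).
classify_sshd() {
  local ver
  ver=$(openssh_version_from_path "$1")
  if [ -n "$ver" ] && version_is_fixed "$ver"; then echo fixed-version; return; fi
  if drv_has_backport; then echo backported; return; fi
  echo unpatched-or-unknown
}

# Constructed sample of a patched 9.7p1 derivation (hash and patch name are placeholders).
SAMPLE_PATCHED_DRV='{"/nix/store/PLACEHOLDERHASH-openssh-9.7p1.drv":{"inputSrcs":
  ["/nix/store/PLACEHOLDERHASH-openssh-CVE-2024-6387.patch"]}}'

# Report: verdict, process count and path for each distinct running sshd binary.
# Needs pidof, readlink and nix; run as root so every /proc/<pid>/exe is readable.
audit_running_sshd() {
  local p n exe status
  for p in $(pidof sshd 2>/dev/null); do readlink -f "/proc/$p/exe" 2>/dev/null; done \
    | sort | uniq -c | while read -r n exe; do
        status=$(nix derivation show "$exe" 2>/dev/null | classify_sshd "$exe")
        printf '%s\t%s procs\t%s\n' "$status" "$n" "$exe"
      done
}
if [ -n "${SSHD_AUDIT_RUN:-}" ]; then audit_running_sshd; fi
```

Run it with `SSHD_AUDIT_RUN=1 sh audit.sh` on the host; an old-version sshd still listed after a `switch` is the "old process not restarted" case mentioned above.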