OpenSSH Vulnerabilities

davemcdermid · February 13, 2025, 8:34am

Hi,

Our IT Security team have informed us that the devices we have running Torizon OS 7.2.0 are using a version of OpenSSH below 9.8 (9.6), which means there are known exploits. I believe it’s this one they are referring to: CVE-2024-39894. I have 2 questions.

Can we expect this to be resolved in the next version of Torizon OS?
Are there any mitigations we can apply?

We use Torizon Remote Shell to connect to the devices, so direct SSH over the network isn’t required - what would you advise for hardening the device security?

Thanks

ToradexAI · February 13, 2025, 8:35am

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!

Did you like my answer?

Hello,

Thank you for reaching out with your concerns about OpenSSH vulnerabilities on your devices running Torizon OS 7.2.0. Let me address your questions:

Resolution in Future Torizon OS Versions:
Toradex is committed to regularly updating Torizon OS to include the latest security patches and software updates. While I can’t provide a specific timeline for when OpenSSH 9.8 or later will be included, it’s important to keep your Torizon OS updated to benefit from ongoing security enhancements.
Mitigations and Security Hardening:
Since you are using Torizon Remote Shell, which operates under a zero-trust model, you already have a layer of enhanced security. Here are additional steps to further secure your devices:
- Disable Direct SSH Access: If direct SSH access over the network is not necessary, consider disabling it to reduce exposure.
- Use Strong Authentication: Ensure that any remote access, including Torizon Remote Shell, employs strong authentication methods, such as SSH keys instead of passwords.
- Regularly Update Software: Keep all software, including Torizon OS and any applications, up to date to mitigate vulnerabilities.
- Network Security: Implement network-level security measures, such as firewalls, to restrict unauthorized access.
- Monitor and Audit: Regularly monitor access logs and audit device activity to detect any suspicious behavior.

By leveraging Torizon Remote Access and following these best practices, you can significantly enhance the security of your devices. If you have further questions or need more detailed guidance, feel free to ask.

Best regards,
Toradex AI Assistant

Please, also check if these links can help you solve your problem:

https://docs.kernel.org/admin-guide/kernel-parameters.html

https://developer.toradex.com/torizon/security/.

bruno.tx · February 13, 2025, 1:48pm

Hello @davemcdermid,

Patches for vulnerabilities are usually backported to previous software releases.
This is done either by the upstream layer or by Toradex.

In the specific case for CVE-2024-39894, it has been patched by the upstream layer.
Looking specifically at the 7.2.0-devel-202502 monthly pre-release, you can check the hash of the openembedded-core layer:

<project name="openembedded-core.git" path="layers/openembedded-core" remote="oe" revision="62cb12967391db709315820d48853ffa4c6b4740" upstream="scarthgap"/>

Looking then at the OpenSSH at this hash, you can see that this patch is included:

file://CVE-2024-39894.patch \

In fact, this is still true if you go to the first monthly release of Torizon OS 7, 7.0.0-devel-202409. The recipe still includes this fix.

Therefore, no release of Torizon OS 7 was ever affected by this vulnerability.

We are working on better ways to understand what CVEs may or may not apply to a Torizon OS image, so that this process is easier.
One of the ways we do that is by making a .cve file available alongside our releases.
For the 7.2.0-devel-202502 monthly pre-release, you can check the .cve file here.
There you can also see that the CVE-2024-39894 vulnerability is patched.

Regarding the ability to disable local ssh, I need to double check if this has unintended effects for the Torizon Cloud remote access.
Once I have been able to confirm that, I will send an update here.

Best Regards,
Bruno

davemcdermid · February 13, 2025, 2:45pm

Hi Bruno,

Thanks for the info, that is exactly what I needed. The CVE file provided o the Artifacts site is perfect for verifying what is included for a given build.

Documentation on the correct way to disable OpenSSH for local network only would be great - I had a look through https://developer.toradex.com/torizon/security/ but couldn’t find anything on best practices for securing the device, although I’m sure you pointed me at some docs previously.

Thanks,
Dave

bruno.tx · February 14, 2025, 10:12am

Hello @davemcdermid,

To disable the local network ssh, you need to disable the sshd.socket unit:

sudo systemctl disable sshd.socket

On next boot, or by running sudo systemctl stop sshd.socket, SSH will no longer be available.
This does not affect the remote access functionality via the Torizon Cloud.

To actually get this change in a production image, you can use TorizonCore Builder.
What you need to keep in mind is that TorizonCore Builder uses ssh to get the changes from the local device, therefore you need to start (but not enable) the sshd.socket unit with sudo systemctl start sshd.socket to capture the changes from the device.

In terms of what else can be done to harden the device, there are many options.
One of them is secure boot, which most of the Security Overview | Toradex Developer Center section is dedicated to.

Best Regards,
Bruno

jon.tx · February 14, 2025, 12:44pm

Let me add that we are also currently working on an article on configuration hardening for Torizon OS. It is certainly not advisable in most cases to leave the SSH server enabled on a production device.

The Torizon remote access feature was not affected by CVE-2024-39894, even though it uses openssh’s sshd as the underlying server. This is because when you open a remote session, the service is spun up on-demand, with a very restricted configuration generated only once the session creation metadata from the server has been validated. Password authentication is explicitly disabled, as is PAM authentication. The only form of authorization accepted is public key authentication, and therefore this vulnerability is not exploitable because it is a password keystroke timing attack.

In addition to Bruno’s excellent advice above, I would point out that we generate a full SPDX SBOM with every release, so your security team can ingest that into vulnerability monitoring tooling. The CVE scan data is generated at build time, so new vulnerabilities that didn’t exist at build time can’t be included; the SBOM allows you to keep up with emerging threats based on the actual packages built (and signed via our in-toto attestations) instead of having to rely on composition analysis tools.

And finally, I’ll tease something that we’ll be showing next month at Embedded World and making available to existing Torizon customers in early access shortly thereafter: my team and I are working on vulnerability analysis tooling, and will be making a CycloneDX SBOM with embedded Vulnerability Exchange (VEX) information available for future release versions of Torizon OS. VEX is a standard format for describing relevant information about security vulnerabilities in software, and by providing this information to our customers we intend to greatly reduce the burden of vulnerability management, as required by the Cyber Resilience Act and various other recent and emerging cybersecurity regulations. As a small preview, I can share with you an excerpt of the VEX information we will publish related to the openssh package:

    {
      "id": "CVE-2007-2768",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-2768"
      },
      "analysis": {
        "state": "not_affected",
        "detail": "STATE: not-applicable-config\nJUSTIFICATION: This CVE is specific to OpenSSH with the pam opie which we don't build/use here.\n"
      },
      "affects": [
        {
          "ref": "urn:cdx:d8e59a0e-4999-49b8-9b31-e9722cb4019f/1#pkg-openssh-9.6p1"
        }
      ]
    },
    {
      "id": "CVE-2014-9278",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9278"
      },
      "analysis": {
        "state": "not_affected",
        "detail": "STATE: not-applicable-platform\nJUSTIFICATION: This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment\n"
      },
      "affects": [
        {
          "ref": "urn:cdx:d8e59a0e-4999-49b8-9b31-e9722cb4019f/1#pkg-openssh-9.6p1"
        }
      ]
    },
    {
      "id": "CVE-2008-3844",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3844"
      },
      "analysis": {
        "state": "not_affected",
        "detail": "STATE: not-applicable-platform\nJUSTIFICATION: Only applies to some distributed RHEL binaries.\n"
      },
      "affects": [
        {
          "ref": "urn:cdx:d8e59a0e-4999-49b8-9b31-e9722cb4019f/1#pkg-openssh-9.6p1"
        }
      ]
    },
    {
      "id": "CVE-2023-51767",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51767"
      },
      "analysis": {
        "state": "not_affected",
        "detail": "STATE: upstream-wontfix\nJUSTIFICATION: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1.\n"
      },
      "affects": [
        {
          "ref": "urn:cdx:d8e59a0e-4999-49b8-9b31-e9722cb4019f/1#pkg-openssh-9.6p1"
        }
      ]
    },
    {
      "id": "CVE-2024-39894",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39894"
      },
      "analysis": {
        "state": "resolved_with_pedigree",
        "detail": "STATE: resolved-with-pedigree\nJUSTIFICATION: Fixed by Patches: ['CVE-2024-39894.patch']\n"
      },
      "affects": [
        {
          "ref": "urn:cdx:d8e59a0e-4999-49b8-9b31-e9722cb4019f/1#pkg-openssh-9.6p1"
        }
      ]
    }

As you can see, the last item on the list indicates that the vulnerability has been resolved, and lists the specific evidence justifying that. Since it’s in a standardized, machine-readable format, this can be imported into vulnerability management tooling so that you can see at a glance whether a particular vulnerability has already been analyzed. You will also be able to reference the pedigree of the resolution via the pedigree field for the package in the components portion of the SBOM.

I’m really excited to get this released. It’s not easy, and we’re having to write new tooling and processes for this in many cases. But we believe that it’s getting more and more important to have transparency and accountability in software supply chains, and that responsible suppliers in that chain shouldn’t leave all the work of vulnerability management to end users.

davemcdermid · February 14, 2025, 3:04pm

Thanks @jon.tx - that’s great to hear you’re thinking ahead on this, sounds like a useful feature for security teams.

@bruno.tx I’ve made the change as suggested in our image so the SSH socket is disabled by default. Remote access is working as expected.

Much appreciated.
Dave

bruno.tx · February 14, 2025, 4:57pm

Hello @davemcdermid,

Thanks for the update.

Best Regards,
Bruno