Is proxmox affected by this one ?? - Systemd vsock sshd - Vulnerability

Bingo600

Aug 15, 2024
Just noticed this one on the mailing list: oss-security

It refers to this one.
https://www.openwall.com/lists/oss-security/2025/12/28/4

Is proxmox affected ??


How does one (easiest) tell sshd to "ignore" vsock ?
Or disable this "new feature" :eek:

/Bingo


My (Fully updated) Proxmox 9.1.4 shows:

Code:
# systemctl --version
systemd 257 (257.9-1~deb13u1)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE
Just noticed this file:
/etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf

Code:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# Allow connecting to the local host directly via ".host"
Host .host machine/.host
        ProxyCommand /usr/lib/systemd/systemd-ssh-proxy unix/run/ssh-unix-local/socket %p
        ProxyUseFdpass yes
        CheckHostIP no

# Make sure unix/* and vsock/* can be used to connect to AF_UNIX and AF_VSOCK paths.
# Make sure machine/* can be used to connect to local machines registered in machined.
#
Host unix/* vsock/* machine/*
        ProxyCommand /usr/lib/systemd/systemd-ssh-proxy %h %p
        ProxyUseFdpass yes
        CheckHostIP no

        # Disable all kinds of host identity checks, since these addresses are generally ephemeral.
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null

Would the line
Host unix/* vsock/* machine/*

Be where to fiddle?


Not super keen on losing my ssh access to the proxmox hypervisor.
That file is part of the global config file for the ssh client. It has nothing to do with sshd.
My understanding of https://www.openwall.com/lists/oss-security/2025/12/28/4 is that the generator in question will run on the VM and set up a socket-activated sshd that will be reachable via an AF_VSOCK socket if such a thing is available on the hypervisor (proxmox) and maybe the VM.
Where it is a bit problematic is that those types of sockets are not "namespaceable", i.e. any container running on the same hypervisor can see and reach any sshd listening on the other end, thus breaking container isolation.
Or something along those lines, I'd be more than happy to be corrected if my understanding is wrong or lacking.
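An added audit helper (not from this thread or from Proxmox) that an admin can run on the hypervisor or inside a guest to see where the generator-created vsock sshd listener stands. It assumes systemd-ssh-generator places its `sshd-vsock.socket` unit under /run/systemd/generator/, that masking the unit shows up as a /dev/null symlink under /etc/systemd/system/, and that `systemd.ssh_auto=no` on the kernel command line is the generator's own opt-out; every check takes a root prefix so it can be exercised against a constructed directory tree as well as /.

```shell
#!/bin/sh
# Added example, not from the thread. Reports the state of the socket unit that
# systemd-ssh-generator creates for AF_VSOCK. Each path takes a root prefix so
# the checks can run against a constructed tree as well as the live system.
# Assumptions: generated units live in $ROOT/run/systemd/generator/, a mask is a
# /dev/null symlink in $ROOT/etc/systemd/system/, and systemd.ssh_auto=no on the
# kernel command line is the documented way to turn the generator off.

# Prints one of: masked, generated, absent
vsock_sshd_state() {
    root="$1"
    mask="$root/etc/systemd/system/sshd-vsock.socket"
    if [ -L "$mask" ] && [ "$(readlink "$mask")" = "/dev/null" ]; then
        echo masked
    elif [ -e "$root/run/systemd/generator/sshd-vsock.socket" ]; then
        echo generated
    else
        echo absent
    fi
}

# Succeeds if the kernel command line already opts out of the generator.
ssh_auto_disabled() {
    grep -Eq '(^|[[:space:]])systemd\.ssh_auto=(no|0|false|off)([[:space:]]|$)' \
        "$1/proc/cmdline" 2>/dev/null
}

# Succeeds if the kernel exposes an AF_VSOCK transport device at all.
vsock_available() {
    [ -e "$1/dev/vsock" ]
}

# Prints a one-line verdict such as: vsock sshd: generated (vsock present, ssh_auto=on)
report() {
    root="${1:-}"
    state=$(vsock_sshd_state "$root")
    if vsock_available "$root"; then dev="vsock present"; else dev="no vsock device"; fi
    if ssh_auto_disabled "$root"; then auto="ssh_auto=off"; else auto="ssh_auto=on"; fi
    echo "vsock sshd: $state ($dev, $auto)"
}

report "${ROOT:-}"
```

A "generated" state with a vsock device present means the listener exists on this system; "masked" or "ssh_auto=off" means it has been switched off locally.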