Backdoored library loaded into SSHD (CVE-2024-3094)
Event Information
Meaning
- This event indicates that a backdoored library has been loaded into the SSHD process in the Kubernetes cluster, potentially compromising the security of the system.
- To investigate further, you can check the logs of the SSHD pod where the event occurred using the following command:
  kubectl logs <sshd-pod-name>
- To mitigate this issue, you should immediately remove the compromised SSHD pod from the cluster and replace it with a clean, secure version using the following command:
  kubectl delete pod <sshd-pod-name>
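Before the pod is deleted, it helps to record which library file the SSHD process actually has mapped. The following is an added example, not part of the original page: it parses /proc/<pid>/maps text and lists the matching shared objects. CVE-2024-3094 concerns the liblzma library from xz Utils, so that name is used as the pattern; the function names, the sample maps text and the PID 1 assumption in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example: list shared objects mapped into a process, from /proc/<pid>/maps text.
# Usage against a live pod (assumes sshd is PID 1 in the container and cat exists):
#   kubectl exec <sshd-pod-name> -- cat /proc/1/maps | mapped_libs '^liblzma[.]so'

# mapped_libs PATTERN   (reads maps-format text on stdin)
# Prints "path<TAB>state" once per distinct file whose basename matches PATTERN.
# state is "deleted-on-disk" when the process still maps a file that was removed
# or replaced after it started, otherwise "present".
mapped_libs() {
  awk -v pat="$1" '
    # maps fields: address perms offset dev inode pathname [(deleted)]
    $6 ~ /^\// {
      n = split($6, parts, "/")
      if (parts[n] ~ pat) {
        state = ($7 == "(deleted)") ? "deleted-on-disk" : "present"
        key = $6 " " state
        if (!(key in seen)) { seen[key] = 1; print $6 "\t" state }
      }
    }'
}

# has_mapped_lib PATTERN: exit status 0 when at least one match is mapped.
has_mapped_lib() { [ -n "$(mapped_libs "$1")" ]; }

# Constructed sample of /proc/<pid>/maps content for an sshd process.
SAMPLE_MAPS='55d0c0a00000-55d0c0a0c000 r--p 00000000 08:01 131  /usr/sbin/sshd
7f1a2c000000-7f1a2c004000 r--p 00000000 08:01 412  /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f1a2c004000-7f1a2c020000 r-xp 00004000 08:01 412  /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f1a2c100000-7f1a2c128000 r--p 00000000 08:01 377  /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2c200000-7f1a2c201000 rw-p 00000000 00:00 0    [heap]'

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_MAPS" | mapped_libs '^liblzma[.]so'
```

A "deleted-on-disk" result means the running process still holds the old file even though the image or package on disk has changed, so the process has to be restarted before it picks up a clean library.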
Remediation
- Create a ConfigMap containing the updated SSHD configuration to remove the backdoored library:
- Update the SSHD Deployment to mount the ConfigMap containing the updated configuration:
- Roll out the updated SSHD Deployment to apply the remediation changes: