TPS-2025-002 Debian 12 LX image from 2024-07-26 has static SSH host keys
Overview
Per today’s email to the SmartOS and Triton discussion lists, we are taking down image 60f76fd2-143f-4f57-819b-1ae32684e81b from our image repository today. That image shipped with pre-generated SSH host keys. Unless an LX zone has regenerated these keys since it was provisioned, the same host keys are shared by every LX zone running that image, so any one of those zones (or anyone holding a copy of the image) can impersonate the others to SSH clients.
Actions Taken by Us
Prior to the aforementioned discovery, we had updated the Debian 12 LX image to 28f872d5-8227-4f7d-b8f6-30bd5db1f1ac (dated 2025-01-20). We have removed image 60f76fd2-143f-4f57-819b-1ae32684e81b (dated 2024-07-06) completely.
Actions You Need to Take
This issue can be fully mitigated by regenerating the SSH host keys inside each affected zone. We strongly recommend, however, also expunging this image from your SmartOS or Triton deployment, and rebuilding affected LX zones if possible.
The three specific actions are: detection, rebuilding or mitigating, and expungement.
Detect affected LX zones
First, determine whether any LX zones were provisioned from this image. Stand-alone SmartOS and Triton users use different tools for this.
Detection for stand-alone SmartOS users
Execute the following command from the global zone as root:
vmadm list image_uuid=60f76fd2-143f-4f57-819b-1ae32684e81b
Detection for Triton operators
Execute the following command from the headnode’s global zone as root.
sdc-vmadm list image_uuid=60f76fd2-143f-4f57-819b-1ae32684e81b
Rebuild or mitigate
After detection, either rebuild the LX zone using a later Debian 12 image, or if you cannot rebuild the zone, you can regenerate the SSH host keys inside each affected zone like so:
rm /etc/ssh/ssh_host_*
/usr/bin/ssh-keygen -A -v
systemctl restart ssh.service
and notify your zones’ users that the host key fingerprints have changed, so that they can update their known_hosts entries rather than ignore the resulting host-key-changed warnings.
Expunge the vulnerable image
Triton operators should execute the following command from the headnode’s global zone as root.
sdc-imgadm disable 60f76fd2-143f-4f57-819b-1ae32684e81b
SmartOS users should be able to delete the image if no LX zones are using it:
imgadm delete 60f76fd2-143f-4f57-819b-1ae32684e81b
If that command fails with an error mentioning dependent clones, there are still VMs using that image; rebuild those zones first and then retry the deletion.
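Listing zones by image_uuid only finds zones still recorded against that image; it misses zones provisioned from a re-imported copy of the image under another UUID, and it does not tell you whether the mitigation above actually took effect. The following shell script, an added example that is not part of this advisory or of the SmartOS tooling, checks for the symptom directly by comparing the public host keys of every zone visible from the global zone. It assumes each zone's root filesystem is reachable as <base>/<zone>/root (as /zones/<uuid>/root is on SmartOS); the sample tree it builds uses placeholder key strings, not real keys.

```shell
#!/bin/sh
# Added example (not from the advisory): report zones whose SSH host keys are
# identical, which is exactly the condition the advisory describes.
#
# Assumption: each zone's root filesystem is reachable from the global zone as
# <base>/<zone-uuid>/root, as under /zones on SmartOS.

find_shared_host_keys() {
    base=$1
    for pub in "$base"/*/root/etc/ssh/ssh_host_*.pub; do
        [ -f "$pub" ] || continue
        # strip "<base>/" and everything after the zone directory name
        zone=${pub#"$base"/}
        zone=${zone%%/*}
        # field 1 is the key type, field 2 the base64 public key; the comment is dropped
        awk -v z="$zone" 'NF >= 2 { print $1, $2, z }' "$pub"
    done | sort | awk '
        # sorted input puts identical key blobs on adjacent lines
        $2 != blob {
            if (n > 1) print type, n, zones
            type = $1; blob = $2; zones = $3; n = 1
            next
        }
        { zones = zones "," $3; n++ }
        END { if (n > 1) print type, n, zones }'
}

# Constructed sample tree: the key blobs are placeholder strings, not real keys.
# zone-a and zone-b still carry the image's keys; zone-c has regenerated its own.
make_sample_zones() {
    base=$(mktemp -d)
    for z in zone-a zone-b zone-c; do
        mkdir -p "$base/$z/root/etc/ssh"
    done
    for z in zone-a zone-b; do
        printf 'ssh-ed25519 AAAAC3_SHARED_IMAGE_ED25519 root@image\n' \
            > "$base/$z/root/etc/ssh/ssh_host_ed25519_key.pub"
        printf 'ssh-rsa AAAAB3_SHARED_IMAGE_RSA root@image\n' \
            > "$base/$z/root/etc/ssh/ssh_host_rsa_key.pub"
    done
    printf 'ssh-ed25519 AAAAC3_UNIQUE_ZONE_C_ED25519 root@zone-c\n' \
        > "$base/zone-c/root/etc/ssh/ssh_host_ed25519_key.pub"
    printf 'ssh-rsa AAAAB3_UNIQUE_ZONE_C_RSA root@zone-c\n' \
        > "$base/zone-c/root/etc/ssh/ssh_host_rsa_key.pub"
    echo "$base"
}

# With an argument, scan that zones directory (for example /zones);
# without one, scan the constructed sample tree.
find_shared_host_keys "${1:-$(make_sample_zones)}"
```

Each output line names a key type, how many zones carry the same public key, and which zones they are; an empty result means no two zones share a host key. Run it again after regenerating keys to confirm that the affected zones no longer appear.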
Support
If you are a MNX customer and have any further questions or concerns after reading the information provided above, please contact MNX Support.
If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.