vantage6 insecure SSH configuration for node and server containers
Description
The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
vantage6PyPI | < 4.2.0 | 4.2.0 |
Affected products
1Patches
13fcc6e6a8bd1Merge pull request from GHSA-2wgc-48g2-cj5w
2 files changed · +7 −28
docker/node-and-server.Dockerfile+7 −12 modified@@ -12,20 +12,15 @@ FROM harbor2.vantage6.ai/infrastructure/infrastructure-base:${BASE} LABEL version=${TAG} LABEL maintainer="Frank Martin <f.martin@iknl.nl>" -# Enable SSH access in Azure App service +# Update and upgrade RUN apt update -y RUN apt upgrade -y -RUN apt install openssh-server sudo -y -RUN useradd -rm -d /home/ubuntu -s /bin/bash -g root -G sudo -u 1000 test -RUN echo 'root:Docker!' | chpasswd - -COPY sshd_config /etc/ssh/ -RUN mkdir /run/sshd - -# Fix DB issue -RUN apt install python-psycopg2 -y -RUN pip install psycopg2-binary +# TODO 2024-01-09 check if this custom install is still needed. It was used to +# fix problems with the sqlalchemy dependency psycopg2 at some point. +# # Fix DB issue +# RUN apt install python-psycopg2 -y +# RUN pip install psycopg2-binary # copy source COPY . /vantage6 @@ -59,5 +54,5 @@ RUN chmod +x /vantage6/vantage6-server/server.sh # expose the proxy server port ARG port=80 -EXPOSE ${port} 2222 +EXPOSE ${port} ENV PROXY_SERVER_PORT ${port}
sshd_config+0 −16 removed@@ -1,16 +0,0 @@ -# This is ssh server systemwide configuration file. -# -# /etc/sshd_config - -Port 2222 -ListenAddress 0.0.0.0 -LoginGraceTime 180 -X11Forwarding yes -Ciphers aes128-cbc,3des-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr -MACs hmac-sha1,hmac-sha1-96 -StrictModes yes -SyslogFacility DAEMON -PasswordAuthentication yes -PermitEmptyPasswords no -PermitRootLogin yes -Subsystem sftp internal-sftp \ No newline at end of file
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-2wgc-48g2-cj5wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-21653ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/vantage6-server/PYSEC-2024-34.yamlghsaWEB
- github.com/vantage6/vantage6/commit/3fcc6e6a8bd1142fd7a558d8fdd2b246e55c8841ghsax_refsource_MISCWEB
- github.com/vantage6/vantage6/security/advisories/GHSA-2wgc-48g2-cj5wghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.