On Sat, Jun 29, 2024 at 9:30 AM jonathon575 <[email protected]> wrote:
>
> Greetings,
>
> We are experiencing extensive attacks including zero-click exploits with
> fileless malware from corrupted ISP/adversary, therefore, online system
> updating/upgrading is not possible.
>
> For the current release 7.5, specifically for security patches, if we
> downloaded the security patches located at any of the mirror links, for
> example,
>
> https://mirror.hs-esslingen.de/pub/OpenBSD/syspatch/7.5/amd64/
>
> manually verified the signature with signify, then changed the online path
> under /etc/installurl to point to the usb/location that contains the
> downloaded security patch files, and then executed the command syspatch,
> usually, the security patch files get pulled from the pointed physical
> location and get updated, however, my question is, would that be sufficient
> for patching the system, or do we actually have to compile from source and
> include the security patch files in the compilation process?
>
> We are applying the same process for firmware files, fw_update -p
> ./firmware_files
>
> Any suggestions to mitigate the zero-click exploit with fileless malware
> attacks. Please advise. In the firewall rules, one of the main purposes of
> block all rule is to make the attacker completely blind of the system being
> implemented, however, updating online completely defies the purpose of block
> all, because it helps a corrupted adversary monitoring the transmission
> figure out the server/site connecting to, in our case bsd, therefore,
> revealing the platform being implemented and launching an attack targeted to
> that specific platform.
While the process of doing an offline sysupgrade is an interesting question as-is, I'm curious: what exactly do you mean by "exploits" here, and which patch do you think would solve the problem? I don't see anything serious that would be relevant to a headless server, and if you're claiming that an attacker can exploit your OpenBSD 7.5 server by doing some MITM on the wire then I think the developers would be very interested in hearing about the details!
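The quoted question describes a manual offline workflow: copy the syspatch directory from a mirror, verify it with signify, then let syspatch(8) read the patches from local media. The script below is an added example (not from this thread, and not OpenBSD's own code) of the verification half of that workflow: it has signify check the embedded signature on the mirror's SHA256.sig, parses the signed manifest, and confirms that every listed patch file is present on the local media with the expected digest before anything is installed. It assumes the mirror layout the question links to (patch tarballs beside a signed SHA256.sig), the syspatch public key path `/etc/signify/openbsd-75-syspatch.pub`, and the signify(1) invocation `-Vep KEY -x SHA256.sig -m -`; the sample directory it builds for the demo is constructed, and whether syspatch accepts a local path in /etc/installurl is left to the thread.

```python
#!/usr/bin/env python3
"""Check a locally mirrored syspatch directory before pointing syspatch(8) at it.

Added example, not part of the mailing-list thread. It assumes the mirror
layout the thread links to (patch tarballs beside a signify-signed SHA256
manifest, "SHA256.sig") and the syspatch public key path shown below.
"""
import hashlib
import os
import re
import subprocess
import tempfile

# Assumed key path for the 7.5 syspatch key; adjust for the release in use.
SYSPATCH_PUBKEY = "/etc/signify/openbsd-75-syspatch.pub"

# One manifest line in the BSD cksum(1) format that signify -C also consumes.
MANIFEST_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def signed_manifest(sig_path, pubkey=SYSPATCH_PUBKEY):
    """Verify the embedded signature on SHA256.sig and return the manifest text.

    signify exits non-zero (and this raises CalledProcessError) if the
    signature does not verify, so an unsigned or tampered manifest never
    reaches the checksum stage below.  Invocation flags are an assumption.
    """
    result = subprocess.run(
        ["signify", "-Vep", pubkey, "-x", sig_path, "-m", "-"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def parse_manifest(text):
    """Map file name -> expected hex digest; reject anything that is not a plain name."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = MANIFEST_LINE.match(line)
        if match is None:
            raise ValueError("unexpected manifest line: %r" % line)
        name = match["name"]
        # A manifest should only ever name files beside it; never follow a path.
        if "/" in name or name in (".", ".."):
            raise ValueError("refusing path-like manifest entry: %r" % name)
        entries[name] = match["digest"]
    return entries


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_directory(directory, manifest_text):
    """Return (ok, missing, mismatched) for the files the signed manifest lists."""
    missing, mismatched = [], []
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            missing.append(name)
        elif sha256_file(path) != expected:
            mismatched.append(name)
    return (not missing and not mismatched, missing, mismatched)


def build_demo_dir():
    """Constructed sample: one fake patch tarball plus a matching manifest (no signature)."""
    directory = tempfile.mkdtemp(prefix="syspatch-demo-")
    name = "syspatch75-001_demo.tgz"
    with open(os.path.join(directory, name), "wb") as fh:
        fh.write(b"not a real patch, constructed for the example\n")
    manifest = "SHA256 (%s) = %s\n" % (name, sha256_file(os.path.join(directory, name)))
    return directory, manifest


if __name__ == "__main__":
    # Real use: manifest = signed_manifest("/mnt/usb/syspatch/7.5/amd64/SHA256.sig")
    # followed by verify_directory("/mnt/usb/syspatch/7.5/amd64", manifest).
    demo_dir, demo_manifest = build_demo_dir()
    print("clean copy:", verify_directory(demo_dir, demo_manifest))
    with open(os.path.join(demo_dir, "syspatch75-001_demo.tgz"), "ab") as fh:
        fh.write(b"\x00")  # simulate a corrupted or truncated download
    print("after tampering:", verify_directory(demo_dir, demo_manifest))
```

The order matters: the signature check happens first and the checksums are only trusted once they come out of signify, so a manifest that was edited on the way from the mirror is rejected before any file on the USB media is compared. Running it with a `(False, [], [...])` result means a patch file was altered or truncated; `(False, [...], [])` means a listed patch is simply absent from the copied directory.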

