CVE-2024-21653: 
Python vulnerability analysis and mitigation

CVE-2024-21653 affects the vantage6 technology, which is used for managing and deploying privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). The vulnerability was discovered and disclosed in January 2024, affecting all versions prior to 4.2.0. The issue stems from nodes and servers receiving a default SSH configuration that permits root login with password authentication (NVD, GitHub Advisory).

The vulnerability involves an insecure default SSH configuration in the node and server containers that allows root login with password authentication. While in proper deployments the SSH service should not be exposed, making the risk minimal, not all deployments follow ideal security practices. The issue has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NVD and 6.5 (MEDIUM) by GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could potentially allow unauthorized access to the root account of affected nodes and servers in deployments where the SSH service is exposed. This could lead to complete system compromise, as root access grants full control over the affected container (GitHub Advisory).

The vulnerability has been patched in version 4.2.0 of vantage6. For users unable to upgrade immediately, the recommended workaround is to remove the SSH part from the docker file and rebuild the docker image. The development team has indicated they may completely remove the SSH option in future versions, potentially making it available only in debug mode when necessary (GitHub Advisory).