On Monday July 1st, 2024 details were published on CVE-2024-6387 - a signal handler race condition vulnerability in OpenSSH. The Broadcom Product Security and Incident Response Team (PSIRT) - VMware Cloud Foundation Division (VCFD) has evaluated this vulnerability and its impact on VMware Cloud Foundation products.

Evaluation Details

• Broadcom PSIRT - VCFD has evaluated the vulnerability to be in the Important/High severity range with a CVSSv3.1 base score of 8.1 (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
• The vulnerability has only been demonstrated to be exploitable on some 32-bit Linux operating systems in a controlled environment.
• The vulnerability has not been demonstrated on any 64-bit operating system at the time of this publication.
• Currently supported VMware Cloud Foundation product releases are 64-bit.
• OpenSSH versions starting with 8.5p1 are impacted by this vulnerability.

Product Impact (In-Progress)

Not Impacted (does not ship with vulnerable versions of OpenSSH):

• vCenter Server 7.x
• Aria Operations 8.12.x
• Aria Operations 8.10.x
• Aria Operations for Logs 8.12.x
• Aria Operations for Networks 6.13.x
• Aria Lifecycle 8.18
• NSX 4.x
• NSX-T Datacenter 3.x
• VCF SDDC Manager 5.0.x
• VCF SDDC Manager 4.x
• VMware Cloud Director 10.5.x
• VMware Cloud Director 10.4.x
• VMware Identity Manager 3.3.x
• VMware TKrs 1.26.13
• VMware TKrs 1.27.11 (Photon)
• VMware TKrs 1.30.1 and above
• VMware vCloud Usage Meter 4.7.x
• VMware Cloud Provider Lifecycle Manager 1.6.x
• VMware Cloud Provider Lifecycle Manager 1.5.x
• VMware Cloud Provider Lifecycle Manager 1.4.x
• VMware HCX Interconnect Appliance (HCX-IX) 4.9.1
• VMware HCX Network Extension Appliance (IX-BE) 4.9.1
• VMware HCX WAN Optimization Appliance (WAN-OPT) 4.9.1
• VMware HCX Sentinel Data Receiver Appliance (SDR) 4.9.1
• VMware HCX Sentinel Gateway Appliance (SGW) 4.9.1

Potentially Impacted (ships with vulnerable versions of OpenSSH, but are 64-bit):

• ESXi 8.x
• ESXi 7.x
• vCenter Server 8.x
• Aria Operations 8.18.x
• Aria Operations 8.17.x
• Aria Operations 8.16.x
• Aria Operations 8.14.x
• Aria Operations for Logs 8.18.x
• Aria Operations for Logs 8.16.x
• Aria Operations for Logs 8.14.x
• Aria Automation 8.18.x
• Aria Automation 8.17.x
• Aria Automation 8.16.x
• Aria Automation Orchestrator 8.18.x
• Aria Automation Orchestrator 8.17.x
• Aria Automation Orchestrator 8.16.x
• VCF SDDC Manager 5.2.x
• VCF SDDC Manager 5.1.x
• VMware Cloud Director 10.6
• VMware TKrs 1.29.4 (Photon & Ubuntu)
• VMware TKrs 1.28.8 (Photon & Ubuntu)
• VMware TKrs 1.27.11 (Ubuntu)
• VMware Site Recovery Manager 9.x
• VMware Site Recovery Manager 8.8.x
• VMware vSphere Replication 9.x
• VMware vSphere Replication 8.8.x
• VMware vCloud Usage Meter 4.8.x
• VMware Cloud Provider Lifecycle Manager 1.7.x
• VMware HCX Manager 4.9.1

Impacted (ship vulnerable versions of OpenSSH and are 32-bit)

• None

Workarounds

The VMware Cloud Foundation Division continues to recommend that SSH should remain disabled (disabled by default) in production environments. Please see product-specific documentation for details on how to disable SSH if it has been enabled. Alternative workarounds are not recommended and may have functional impacts on a product if implemented without published instructions. If additional workarounds are tested and approved they will be mentioned in the 'Product Impact' section above.

Resolution

Regardless of the exploitability of CVE-2024-6387; VMware Cloud Foundation products will consume versions of OpenSSH that are not potentially vulnerable to CVE-2024-6387 in previously scheduled future releases.