Broadcom VMware Cloud Foundation Division response to CVE-2024-6387 - OpenSSH signal handler race condition vulnerability
Article ID: 371126
Updated On:
Products
VMware Cloud Foundation
Issue/Introduction
On Monday July 1st, 2024 details were published on CVE-2024-6387 - a signal handler race condition vulnerability in OpenSSH. The Broadcom Product Security and Incident Response Team (PSIRT) - VMware Cloud Foundation Division (VCFD) has evaluated this vulnerability and its impact on VMware Cloud Foundation products.
Evaluation Details
- Broadcom PSIRT - VCFD has evaluated the vulnerability to be in the Important/High severity range with a CVSSv3.1 base score of 8.1 (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
- The vulnerability has only been demonstrated to be exploitable on some 32-bit Linux operating systems in a controlled environment.
- The vulnerability has not been demonstrated on any 64-bit operating system at the time of this publication.
- Currently supported VMware Cloud Foundation product releases are 64-bit.
- OpenSSH versions starting with 8.5p1 are impacted by this vulnerability.
Product Impact (In-Progress)
Not Impacted (does not ship with vulnerable versions of OpenSSH):
- vCenter Server 7.x
- Aria Operations 8.12.x
- Aria Operations 8.10.x
- Aria Operations for Logs 8.12.x
- Aria Operations for Networks 6.13.x
- Aria Lifecycle 8.18
- NSX 4.x
- NSX-T Datacenter 3.x
- VCF SDDC Manager 5.0.x
- VCF SDDC Manager 4.x
- VMware Cloud Director 10.5.x
- VMware Cloud Director 10.4.x
- VMware Identity Manager 3.3.x
- VMware TKrs 1.26.13
- VMware TKrs 1.27.11 (Photon)
- VMware TKrs 1.30.1 and above
- VMware vCloud Usage Meter 4.7.x
- VMware Cloud Provider Lifecycle Manager 1.6.x
- VMware Cloud Provider Lifecycle Manager 1.5.x
- VMware Cloud Provider Lifecycle Manager 1.4.x
- VMware HCX Interconnect Appliance (HCX-IX) 4.9.1
- VMware HCX Network Extension Appliance (IX-BE) 4.9.1
- VMware HCX WAN Optimization Appliance (WAN-OPT) 4.9.1
- VMware HCX Sentinel Data Receiver Appliance (SDR) 4.9.1
- VMware HCX Sentinel Gateway Appliance (SGW) 4.9.1
Potentially Impacted (ships with vulnerable versions of OpenSSH, but are 64-bit):
- ESXi 8.x
- ESXi 7.x
- vCenter Server 8.x
- Aria Operations 8.18.x
- Aria Operations 8.17.x
- Aria Operations 8.16.x
- Aria Operations 8.14.x
- Aria Operations for Logs 8.18.x
- Aria Operations for Logs 8.16.x
- Aria Operations for Logs 8.14.x
- Aria Automation 8.18.x
- Aria Automation 8.17.x
- Aria Automation 8.16.x
- Aria Automation Orchestrator 8.18.x
- Aria Automation Orchestrator 8.17.x
- Aria Automation Orchestrator 8.16.x
- VCF SDDC Manager 5.2.x
- VCF SDDC Manager 5.1.x
- VMware Cloud Director 10.6
- VMware TKrs 1.29.4 (Photon & Ubuntu)
- VMware TKrs 1.28.8 (Photon & Ubuntu)
- VMware TKrs 1.27.11 (Ubuntu)
- VMware Site Recovery Manager 9.x
- VMware Site Recovery Manager 8.8.x
- VMware vSphere Replication 9.x
- VMware vSphere Replication 8.8.x
- VMware vCloud Usage Meter 4.8.x
- VMware Cloud Provider Lifecycle Manager 1.7.x
- VMware HCX Manager 4.9.1
Impacted (ship vulnerable versions of OpenSSH and are 32-bit)
- None
Resolution
Workarounds
The VMware Cloud Foundation Division continues to recommend that SSH should remain disabled (disabled by default) in production environments. Please see product-specific documentation for details on how to disable SSH if it has been enabled. Alternative workarounds are not recommended and may have functional impacts on a product if implemented without published instructions. If additional workarounds are tested and approved they will be mentioned in the 'Product Impact' section above.
Resolution
Regardless of the exploitability of CVE-2024-6387; VMware Cloud Foundation products will consume versions of OpenSSH that are not potentially vulnerable to CVE-2024-6387 in previously scheduled future releases.
Additional Information
- 07/02/2024 - Added products to Not Impacted and Potentially Impacted sections
- VMware Aria Operations for Logs
- VCF SDDC Manager
- VMware Cloud Director
- NSX & NSX-T Datacenter
- VMware Identity Manager
- 07/03/2024 - Added products to Not Impacted and Potentially Impacted sections
- VMware Aria Automation
- VMware Automation Orchestrator
- VMware TKrs
- 07/04/2024 - Added products to Not Impacted and Potentially Impacted sections
- VMware Cloud Provider Lifecycle Manager
- Usage Meter
- VMware Site Recover Manager
- VMware vSphere Replication
- 07/05/2024 - Added products to Not Impacted section
- VMware Cloud Provider Lifecycle Manager
- 07/08/2024 - Added products to Not Impacted and Potentially Impacted sections
- VMware HCX
- 09/30/2024 - ESXi 8.0 U3b no longer contains vulnerable version
- 10/04/2024 - vCenter Server 8.0 U3b openSSH is updated to 8.9p1-8 and no longer contains vulnerable version
- 10/25/2024-VM TKRs version 1.30.1 and above releases do not contain the vulnerable version of openssh
Broadcom VMware Cloud Foundation Division の CVE-2024-6387 に対する対応 - OpenSSH シグナル ハンドラー競合状態の脆弱性
- 02/20/2025 - Added Aria Suite Lifecycle to not impacted list as its based on Photon v3.0. This CVE affects openssh from (including) 8.6 Up to (excluding) 9.8 LCM 8.18 is on 7.8p1 in Ph3. https://photonsecurity.lvn.broadcom.net/cveview
- 03/28/2025- Aria operations 8.18 HF1 no longer contains the vulnerable openssh version.
- 8/8/2024 - Aria operations for Logs 8.18 HF1 no longer contains the vulnerable openssh version.
- 05/20/2025 - ESXi 7.0 U3v no longer contains vulnerable version
VMware ESXi 7.0 Update 3v Release Notes (PR 3408358: Security scans on ESXi hosts with OpenSSH 8.8 show multiple CVEs)
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-70u3v-release-notes.html
Feedback
Yes
No
Powered by
