Broadcom VMware Cloud Foundation Division response to CVE-2024-6387 - OpenSSH signal handler race condition vulnerability
Article ID: 371126

Products

VMware Cloud Foundation

Issue/Introduction

On Monday, July 1st, 2024, details were published on CVE-2024-6387, a signal handler race condition vulnerability in OpenSSH. The Broadcom Product Security and Incident Response Team (PSIRT), VMware Cloud Foundation Division (VCFD), has evaluated this vulnerability and its impact on VMware Cloud Foundation products.

Evaluation Details

  • Broadcom PSIRT - VCFD has evaluated the vulnerability to be in the Important/High severity range with a CVSSv3.1 base score of 8.1 (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
  • The vulnerability has only been demonstrated to be exploitable on some 32-bit Linux operating systems in a controlled environment.
  • The vulnerability has not been demonstrated on any 64-bit operating system at the time of this publication.
  • Currently supported VMware Cloud Foundation product releases are 64-bit.
  • OpenSSH versions starting with 8.5p1 are impacted by this vulnerability.

Product Impact (In-Progress)

Not Impacted (does not ship with vulnerable versions of OpenSSH):

  • vCenter Server 7.x
  • Aria Operations 8.12.x
  • Aria Operations 8.10.x
  • Aria Operations for Logs 8.12.x
  • Aria Operations for Networks 6.13.x
  • Aria Operations for Networks 6.14.x
  • Aria Lifecycle 8.18
  • NSX 4.x
  • NSX-T Datacenter 3.x
  • VCF SDDC Manager 5.0.x
  • VCF SDDC Manager 4.x
  • VMware Cloud Director 10.5.x
  • VMware Cloud Director 10.4.x
  • VMware Cloud Director 10.6.1.2
  • VMware Identity Manager 3.3.x
  • VMware TKrs 1.26.13
  • VMware TKrs 1.27.11 (Photon)
  • VMware TKrs 1.30.1 and above
  • VMware vCloud Usage Meter 4.7.x
  • VMware Cloud Provider Lifecycle Manager 1.6.x
  • VMware Cloud Provider Lifecycle Manager 1.5.x
  • VMware Cloud Provider Lifecycle Manager 1.4.x
  • VMware HCX Interconnect Appliance (HCX-IX) 4.9.1
  • VMware HCX Network Extension Appliance (IX-BE) 4.9.1
  • VMware HCX WAN Optimization Appliance (WAN-OPT) 4.9.1
  • VMware HCX Sentinel Data Receiver Appliance (SDR) 4.9.1
  • VMware HCX Sentinel Gateway Appliance (SGW) 4.9.1
  • Any VCF 9.x component not explicitly named in the next list below.

VCF components that ship an OpenSSH version number listed in the CVE but are not impacted by the vulnerability, because it applies only to 32-bit implementations, which VCF does not deploy or use:

  • ESXi 8.x
  • ESXi 7.x
  • vCenter Server 8.x
  • Aria Operations 8.18.x
  • Aria Operations 8.17.x
  • Aria Operations 8.16.x
  • Aria Operations 8.14.x
  • Aria Operations for Logs 8.18.x
  • Aria Operations for Logs 8.16.x
  • Aria Operations for Logs 8.14.x
  • Aria Automation 8.18.x
  • Aria Automation 8.17.x
  • Aria Automation 8.16.x
  • Aria Automation Orchestrator 8.18.x
  • Aria Automation Orchestrator 8.17.x
  • Aria Automation Orchestrator 8.16.x
  • VCF SDDC Manager 5.2.x
  • VCF SDDC Manager 5.1.x
  • VMware TKrs 1.29.4 (Photon & Ubuntu)
  • VMware TKrs 1.28.8 (Photon & Ubuntu)
  • VMware TKrs 1.27.11 (Ubuntu)
  • VMware Site Recovery Manager 9.x
  • VMware Site Recovery Manager 8.8.x
  • VMware vSphere Replication 9.x
  • VMware vSphere Replication 8.8.x
  • VMware vCloud Usage Meter 4.8.x
  • VMware Cloud Provider Lifecycle Manager 1.7.x
  • VMware HCX Manager 4.9.1
  • VMware NSX 9.0
  • VCF Operations for Networks 9.0
  • VCF Supervisor Services 9.0

Impacted (ship vulnerable versions of OpenSSH and are 32-bit):

  • None

Resolution

Workarounds

The VMware Cloud Foundation Division continues to recommend that SSH remain disabled (it is disabled by default) in production environments. Please see the product-specific documentation for details on how to disable SSH if it has been enabled. Alternative workarounds are not recommended and may have functional impacts on a product if implemented without published instructions. If additional workarounds are tested and approved, they will be listed in the 'Product Impact' section above.

Resolution

VCF components exclusively use 64-bit OpenSSH libraries. Since CVE-2024-6387 only affects 32-bit OpenSSH implementations, VCF is not vulnerable. Security scanners may flag VCF components by matching OpenSSH version numbers alone, ignoring the 64-bit vs. 32-bit distinction; such findings can be safely dismissed as Not Applicable / No Impact because VCF does not deploy or use the vulnerable 32-bit libraries.
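As an added triage helper (not part of this advisory and not Broadcom/VMware code), the script below applies the decision rule this section describes to a scanner finding: it parses the OpenSSH version from the server banner, checks it against the affected range stated in this article (8.5p1 up to but excluding 9.8), and then uses the host architecture to separate a mere version-number match on a 64-bit host from a real 32-bit exposure. The sample banners, architecture strings and the set of 64-bit machine names are constructed assumptions.

```python
import re

# Affected range as stated in this advisory: 8.5p1 and later, up to but
# excluding 9.8. Compared on (major, minor); the portable "pN" suffix is
# parsed only for display.
VULN_FROM = (8, 5)
VULN_BEFORE = (9, 8)

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
# Constructed set of 64-bit machine names as reported by `uname -m` (assumption).
ARCH_64BIT = {"x86_64", "amd64", "aarch64", "arm64", "ppc64le", "s390x"}

def parse_openssh_version(banner):
    """Return (major, minor, p) from an SSH banner or `ssh -V` string,
    or None when the banner is not OpenSSH (treat as unknown, not clean)."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, p = m.groups()
    return (int(major), int(minor), int(p) if p else 0)

def version_in_vulnerable_range(version):
    return VULN_FROM <= version[:2] < VULN_BEFORE

def triage_finding(banner, arch):
    """Apply the advisory's rule to one finding: a version match alone is not
    a hit, since the vulnerability is stated to apply only to 32-bit hosts."""
    version = parse_openssh_version(banner)
    if version is None:
        return "Unknown: not an OpenSSH banner, review manually"
    if not version_in_vulnerable_range(version):
        return "Not Impacted: OpenSSH version outside affected range"
    if arch.strip() in ARCH_64BIT:
        return "Not Applicable / No Impact: version matches but host is 64-bit"
    return "Impacted: vulnerable OpenSSH version on 32-bit host"

# Constructed sample findings (banner, uname -m); not from any real scan.
SAMPLE_FINDINGS = [
    ("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10", "x86_64"),
    ("SSH-2.0-OpenSSH_8.9p1", "i686"),
    ("SSH-2.0-OpenSSH_7.8p1", "x86_64"),
    ("SSH-2.0-OpenSSH_9.8p1", "i686"),
    ("SSH-2.0-dropbear_2022.83", "armv7l"),
]

if __name__ == "__main__":
    for banner, arch in SAMPLE_FINDINGS:
        print(f"{banner:42} {arch:7} -> {triage_finding(banner, arch)}")
```

A banner cannot show a vendor build such as the 8.9p1-11 package this article lists as fixed, so a version match is where manual verification starts, not where it ends.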

Note: Disabling SSH on VMware SDDC Manager will affect the following:

  1. Rotation of the backup user account password on the SDDC Manager.
  2. Backup and restore operations on the SDDC Manager.

Additional Information

Refer to the table below for each product name and the current status of the vulnerability impact.

Date of Validation | Product Name | Vulnerability Status | Fixed version
--- | --- | --- | ---
07/02/2024 | VMware Aria Operations for Logs | Not Impacted | N/A
07/02/2024 | VCF SDDC Manager | Not Impacted | N/A
05/12/2025 | VMware Cloud Director | Fixed | 10.6.1.2 (NOTE: OpenSSH is updated to 8.9p1-11 and no longer contains the vulnerable version)
07/02/2024 | NSX & NSX-T Datacenter | Not Impacted | N/A
07/02/2024 | VMware Identity Manager | Not Impacted | N/A
07/03/2024 | VMware Aria Automation | Not Impacted | N/A
07/03/2024 | VMware Automation Orchestrator | Not Impacted | N/A
07/03/2024 | VMware TKrs | Not Impacted | N/A
07/04/2024 | VMware Cloud Provider Lifecycle Manager | Not Impacted | N/A
07/04/2024 | Usage Meter | Not Impacted | N/A
07/04/2024 | VMware Site Recovery Manager | Not Impacted | N/A
07/04/2024 | VMware vSphere Replication | Not Impacted | N/A
07/05/2024 | VMware Cloud Provider Lifecycle Manager | Not Impacted | N/A
07/08/2024 | VMware HCX | Not Impacted | N/A
09/30/2024 | ESXi 8.0 U3 | Fixed | ESXi 8.0 U3b
10/04/2024 | vCenter Server 8.0 U3 | Fixed | vCenter Server 8.0 U3b (NOTE: OpenSSH is updated to 8.9p1-8 and no longer contains the vulnerable version)
10/25/2024 | VM TKRs | Fixed | VM TKRs version 1.30.1
02/20/2025 | Aria Suite Lifecycle | Not Impacted | N/A. Not impacted as it is based on Photon v3.0. This CVE affects OpenSSH from 8.6 (inclusive) up to 9.8 (exclusive); LCM 8.18 is on 7.8p1 in Photon 3.
08/08/2024 | Aria Operations | Fixed | Aria Operations 8.18 HF1 no longer contains the vulnerable OpenSSH version.
05/20/2025 | ESXi 7.0 U3 | Fixed | ESXi 7.0 U3v (see the VMware ESXi 7.0 Update 3v Release Notes)
06/26/2025 | VMware Aria Automation (vRA) 8.18.1 | Not Impacted | N/A
08/18/2025 | Aria Operations for Networks 6.14.x | Not Impacted | N/A
