On Monday July 1st, 2024 details were published on CVE-2024-6387 - a signal handler race condition vulnerability in OpenSSH. The Broadcom Product Security and Incident Response Team (PSIRT) - Software Defined Edge Division (SDE) has evaluated this vulnerability and its impact on SDE products.

Broadcom PSIRT - VCFD has evaluated the vulnerability to be in the Important/High severity range with a CVSSv3.1 base score of 8.1 (Common Vulnerability Scoring System Version 3.1 Calculator).

• The vulnerability has only been demonstrated to be exploitable on some 32-bit Linux operating systems in a controlled environment.
  
  
• The vulnerability has not been demonstrated on any 64-bit operating system at the time of this publication.
  
  
• Currently supported VMware VeloCloud SD-WAN product releases are 64-bit.
  
  
• OpenSSH versions starting with 8.5p1 are impacted by this vulnerability.

Not Impacted (does not ship with vulnerable versions of OpenSSH):

• VMware VeloCloud SD-WAN Orchestrator 5.0.x, 5.1.x, 5.2.x, 5.4.x
  
  
• VMware VeloCloud SD-WAN Gateway 5.0.x, 5.1.x, 5.2.x, 5.4.x
  
  
  

Potentially Impacted (ships with vulnerable versions of OpenSSH, but are 64-bit):

• VMware VeloCloud SD-WAN Orchestrator 6.0.X
  
  
• VMware VeloCloud SD-WAN Gateway 6.0.x
  
  
• VMware VeloCloud SD-WAN Edge 4.5.x, 5.0.x, 5.1.x, 5.2.x, 5.4.x, 6.0.x

Impacted (ships with vulnerable versions of OpenSSH and are 32-bit)

• None

Workaround / Resolution:

The SDE Division continues to recommend that SSH should be secured by only allowing trusted source IPs in the Support Access section of the Edge firewall configuration tab. Please see product-specific documentation for more details.  Alternative workarounds are not recommended and may have functional impacts on a product if implemented without published instructions. If additional workarounds are tested and approved they will be mentioned in the 'Product Impact' section above.

Instances of VMware VeloCloud SD-WAN Orchestrator and Gateway that are hosted by Broadcom have SSH ports restricted to a select set of systems and are not open to all. For on-prem VMware VeloCloud SD-WAN, administrator must make sure only trusted IPs are allowed in the Support Access section of the Edge firewall configuration tab.

Regardless of the exploitability of CVE-2024-6387; SDE products will consume versions of OpenSSH that are not potentially vulnerable to CVE-2024-6387 in previously scheduled future releases.

This is an ongoing event, please subscribe to receive updates when this article is updated.