Broadcom VMware Cloud Foundation Division response to CVE-2024-6387 - OpenSSH signal handler race condition vulnerability

Article ID: 371126

Products

VMware Cloud Foundation

Issue/Introduction

On Monday July 1st, 2024 details were published on CVE-2024-6387 - a signal handler race condition vulnerability in OpenSSH. The Broadcom Product Security and Incident Response Team (PSIRT) - VMware Cloud Foundation Division (VCFD) has evaluated this vulnerability and its impact on VMware Cloud Foundation products.


Evaluation Details

  • Broadcom PSIRT - VCFD has evaluated the vulnerability to be in the Important/High severity range with a CVSSv3.1 base score of 8.1 (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
  • The vulnerability has only been demonstrated to be exploitable on some 32-bit Linux operating systems in a controlled environment.
  • The vulnerability has not been demonstrated on any 64-bit operating system at the time of this publication.
  • Currently supported VMware Cloud Foundation product releases are 64-bit.
  • OpenSSH versions starting with 8.5p1 are impacted by this vulnerability.
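As an added example (not part of the Broadcom article), the following Python helper applies the evaluation above to a host inventory: it parses the OpenSSH version out of an `ssh -V` line or an SSH server banner, checks it against the affected range, and uses the machine architecture to separate "potentially impacted" (64-bit) from "impacted" (32-bit). The lower bound 8.5p1 comes from the advisory; the upper bound (the upstream fix shipped in OpenSSH 9.8p1) is not stated on this page and is added here. The inventory records and hostnames are constructed. Note the caveat built into the output: a distribution package such as "8.9p1 Ubuntu-3ubuntu0.10" can carry a backported fix that the base version string cannot reveal, which is exactly the situation the vCenter 8.0 U3b note on this page describes, so a version-range match means "verify the package", not "vulnerable".

```python
import re
from typing import Dict, Optional, Tuple

# Affected range. Lower bound per the advisory ("starting with 8.5p1");
# upper bound per the upstream fix in OpenSSH 9.8p1 (not on the page, added here).
FIRST_AFFECTED = (8, 5)
FIRST_FIXED = (9, 8)

# Matches "OpenSSH_8.9p1 Ubuntu-3ubuntu0.10" (ssh -V) and "SSH-2.0-OpenSSH_9.8" (banner).
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# uname -m values; the architecture lists are an assumption covering common Linux outputs.
SIXTY_FOUR_BIT = {"x86_64", "amd64", "aarch64", "arm64", "ppc64le", "s390x"}
THIRTY_TWO_BIT = {"i386", "i486", "i586", "i686", "armv6l", "armv7l"}


def parse_openssh_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable_level) from an ssh -V line or banner, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def arch_bits(uname_m: str) -> Optional[int]:
    """Map a `uname -m` string to 64 or 32; None if the value is not recognised."""
    name = uname_m.strip()
    if name in SIXTY_FOUR_BIT:
        return 64
    if name in THIRTY_TWO_BIT:
        return 32
    return None


def classify(version_text: str, uname_m: str) -> str:
    """Classify one host using the advisory's categories.

    'unknown'              - no OpenSSH version could be parsed
    'not-affected'         - version outside [8.5, 9.8)
    'potentially-impacted' - version in range on a 64-bit (or unrecognised) platform;
                             verify whether the distro package backports the fix
    'impacted'             - version in range on a 32-bit platform
    """
    version = parse_openssh_version(version_text)
    if version is None:
        return "unknown"
    major_minor = version[:2]
    if not (FIRST_AFFECTED <= major_minor < FIRST_FIXED):
        return "not-affected"
    # Unrecognised architectures are kept in the cautious category.
    return "impacted" if arch_bits(uname_m) == 32 else "potentially-impacted"


def assess_inventory(records: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """records: hostname -> (ssh -V output or banner, uname -m output)."""
    return {host: classify(ver, arch) for host, (ver, arch) in records.items()}


# Constructed sample inventory (hostnames and outputs are made up for this example).
SAMPLE_INVENTORY = {
    "app-01": ("OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022", "x86_64"),
    "legacy-01": ("OpenSSH_8.7p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021", "i686"),
    "old-01": ("OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017", "x86_64"),
    "new-01": ("SSH-2.0-OpenSSH_9.8", "aarch64"),
    "unknown-01": ("dropbear", "armv7l"),
}

if __name__ == "__main__":
    for host, status in sorted(assess_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:12s} {status}")
```

Comparison is done on (major, minor) only: 8.5p1 is the first 8.5 release of the portable tree, so the p-level adds nothing to the range check, while keeping it in the parsed tuple lets a report still show the exact build.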


Product Impact (In-Progress)

Not Impacted (do not ship with vulnerable versions of OpenSSH):

  • vCenter Server 7.x
  • Aria Operations 8.12.x
  • Aria Operations 8.10.x
  • Aria Operations for Logs 8.12.x
  • Aria Operations for Networks 6.13.x
  • NSX 4.x
  • NSX-T Datacenter 3.x
  • VCF SDDC Manager 5.0.x
  • VCF SDDC Manager 4.x
  • VMware Cloud Director 10.5.x
  • VMware Cloud Director 10.4.x
  • VMware Identity Manager 3.3.x
  • VMware TKrs 1.26.13
  • VMware TKrs 1.27.11 (Photon)
  • VMware TKrs 1.30.1 and above
  • VMware vCloud Usage Meter 4.7.x
  • VMware Cloud Provider Lifecycle Manager 1.6.x
  • VMware Cloud Provider Lifecycle Manager 1.5.x
  • VMware Cloud Provider Lifecycle Manager 1.4.x
  • VMware HCX Interconnect Appliance (HCX-IX) 4.9.1
  • VMware HCX Network Extension Appliance (IX-BE) 4.9.1
  • VMware HCX WAN Optimization Appliance (WAN-OPT) 4.9.1
  • VMware HCX Sentinel Data Receiver Appliance (SDR) 4.9.1
  • VMware HCX Sentinel Gateway Appliance (SGW) 4.9.1

Potentially Impacted (ship with vulnerable versions of OpenSSH, but are 64-bit):

  • ESXi 8.x
  • ESXi 7.x
  • vCenter Server 8.x
  • Aria Operations 8.18.x
  • Aria Operations 8.17.x
  • Aria Operations 8.16.x
  • Aria Operations 8.14.x
  • Aria Operations for Logs 8.18.x
  • Aria Operations for Logs 8.16.x
  • Aria Operations for Logs 8.14.x
  • Aria Automation 8.18.x
  • Aria Automation 8.17.x
  • Aria Automation 8.16.x
  • Aria Automation Orchestrator 8.18.x
  • Aria Automation Orchestrator 8.17.x
  • Aria Automation Orchestrator 8.16.x
  • VCF SDDC Manager 5.2.x
  • VCF SDDC Manager 5.1.x
  • VMware Cloud Director 10.6
  • VMware TKrs 1.29.4 (Photon & Ubuntu)
  • VMware TKrs 1.28.8 (Photon & Ubuntu)
  • VMware TKrs 1.27.11 (Ubuntu)
  • VMware Site Recovery Manager 9.x
  • VMware Site Recovery Manager 8.8.x
  • VMware vSphere Replication 9.x
  • VMware vSphere Replication 8.8.x
  • VMware vCloud Usage Meter 4.8.x
  • VMware Cloud Provider Lifecycle Manager 1.7.x
  • VMware HCX Manager 4.9.1

Impacted (ship with vulnerable versions of OpenSSH and are 32-bit):

  • None

Resolution

Workarounds

The VMware Cloud Foundation Division continues to recommend that SSH remain disabled (it is disabled by default) in production environments. Please see product-specific documentation for details on how to disable SSH if it has been enabled. Alternative workarounds are not recommended and may have functional impacts on a product if implemented without published instructions. If additional workarounds are tested and approved, they will be mentioned in the 'Product Impact' section above.


Resolution

Regardless of the exploitability of CVE-2024-6387, VMware Cloud Foundation products will consume versions of OpenSSH that are not potentially vulnerable to CVE-2024-6387 in previously scheduled future releases.

This is an ongoing event; please subscribe to receive updates when this article is updated.

Additional Information

  • 07/02/2024 - Added products to Not Impacted and Potentially Impacted sections
    • VMware Aria Operations for Logs
    • VCF SDDC Manager
    • VMware Cloud Director
    • NSX & NSX-T Datacenter
    • VMware Identity Manager
  • 07/03/2024 - Added products to Not Impacted and Potentially Impacted sections
    • VMware Aria Automation
    • VMware Automation Orchestrator
    • VMware TKrs
  • 07/04/2024 - Added products to Not Impacted and Potentially Impacted sections
    • VMware Cloud Provider Lifecycle Manager
    • Usage Meter
    • VMware Site Recovery Manager
    • VMware vSphere Replication
  • 07/05/2024 - Added products to Not Impacted section
    • VMware Cloud Provider Lifecycle Manager
  • 07/08/2024 - Added products to Not Impacted and Potentially Impacted sections
    • VMware HCX
  • 09/30/2024 - ESXi 8.0 U3b no longer contains the vulnerable version
  • 10/04/2024 - vCenter Server 8.0 U3b OpenSSH is updated to 8.9p1-8 and no longer contains the vulnerable version
  • 10/25/2024 - VMware TKrs 1.30.1 and above releases do not contain the vulnerable version of OpenSSH