Broadcom VMware Cloud Foundation Division response to CVE-2024-6387 - OpenSSH signal handler race condition vulnerability



Article ID: 371126


Updated On:

Products

VMware

Issue/Introduction

On Monday, July 1st, 2024, details were published on CVE-2024-6387, a signal handler race condition vulnerability in OpenSSH. The Broadcom Product Security and Incident Response Team (PSIRT) - VMware Cloud Foundation Division (VCFD) has evaluated this vulnerability and its impact on VMware Cloud Foundation products.

 

Evaluation Details

  • Broadcom PSIRT - VCFD has evaluated the vulnerability to be in the Important/High severity range with a CVSSv3.1 base score of 8.1 (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
  • The vulnerability has only been demonstrated to be exploitable on some 32-bit Linux operating systems in a controlled environment.
  • The vulnerability has not been demonstrated on any 64-bit operating system at the time of this publication.
  • Currently supported VMware Cloud Foundation product releases are 64-bit.
  • OpenSSH versions starting with 8.5p1 are impacted by this vulnerability.
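The evaluation bullets above reduce to a triage rule: a host matters only if its OpenSSH build is in the affected version range, and it falls into the "Impacted" bucket only if it is also 32-bit. The following added example (written for this page, not Broadcom's or VMware's own tooling) applies that rule to `ssh -V` output or SSH server identification strings collected from an inventory. The lower bound (8.5p1) comes from this advisory; the upper bound is not stated here and is taken as an assumption from the upstream OpenSSH 9.8 release notes, so it is exposed as a parameter. The `uname -m` to bitness mapping and the sample inventory are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Lower bound from this advisory: releases from 8.5p1 onward carry the flaw.
FIRST_AFFECTED = (8, 5)
# ASSUMPTION (not on this page): upstream fixed CVE-2024-6387 in OpenSSH 9.8.
# Kept as a parameter so the threshold can be adjusted if needed.
FIRST_FIXED = (9, 8)

# Matches "OpenSSH_9.6p1", "SSH-2.0-OpenSSH_8.4p1 Debian-5", "OpenSSH_9.8", ...
_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Constructed mapping of common `uname -m` values to bitness.
_ARCH_64BIT = {"x86_64", "amd64", "aarch64", "arm64", "ppc64le", "s390x"}
_ARCH_32BIT = {"i386", "i586", "i686", "armv6l", "armv7l"}


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a banner or `ssh -V` line, or None.

    The portable 'pN' suffix is deliberately ignored: the flaw tracks the
    upstream major.minor release, so 8.5 and 8.5p1 are treated the same.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def version_in_affected_range(version: Tuple[int, int],
                              first_affected: Tuple[int, int] = FIRST_AFFECTED,
                              first_fixed: Tuple[int, int] = FIRST_FIXED) -> bool:
    """True if first_affected <= version < first_fixed (tuple comparison)."""
    return first_affected <= version < first_fixed


def is_64bit_arch(machine: str) -> Optional[bool]:
    """Map a `uname -m` string to True (64-bit), False (32-bit) or None."""
    if machine in _ARCH_64BIT:
        return True
    if machine in _ARCH_32BIT:
        return False
    return None


def classify(banner: str, is_64bit: Optional[bool]) -> str:
    """Place one host in the advisory's buckets.

    Caveat: distributions often backport the fix without changing the
    version string, so "Potentially Impacted" is a prompt to check the
    vendor's advisory, not proof that the build is unpatched.
    """
    version = parse_openssh_version(banner)
    if version is None:
        return "Unknown (not OpenSSH or no version string)"
    if not version_in_affected_range(version):
        return "Not Impacted"
    if is_64bit is None:
        return "Potentially Impacted (architecture unknown)"
    return "Potentially Impacted" if is_64bit else "Impacted"


def triage_inventory(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """rows: (hostname, ssh banner or `ssh -V` line, `uname -m` output)."""
    return [(host, classify(banner, is_64bit_arch(arch)))
            for host, banner, arch in rows]


# Constructed sample inventory; hostnames and banners are illustrative only.
SAMPLE_INVENTORY = [
    ("mgmt-01", "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024", "x86_64"),
    ("legacy-01", "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3", "x86_64"),
    ("edge-01", "SSH-2.0-OpenSSH_8.9p1", "armv7l"),
    ("jump-01", "OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024", "aarch64"),
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:10} {verdict}")
```

The version check alone cannot tell a patched backport from an unpatched build, which is why the "Potentially Impacted" verdict should be reconciled against the vendor's own advisory (this article, for VMware Cloud Foundation products) rather than acted on directly.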

 

Product Impact (In-Progress)

Not Impacted (does not ship with vulnerable versions of OpenSSH):

  • vCenter Server 7.x
  • Aria Operations 8.12.x
  • Aria Operations 8.10.x
  • Aria Operations for Logs 8.12.x
  • Aria Operations for Networks 6.13.x
  • NSX 4.x
  • NSX-T Datacenter 3.x
  • VCF SDDC Manager 5.0.x
  • VCF SDDC Manager 4.x
  • VMware Cloud Director 10.5.x
  • VMware Cloud Director 10.4.x
  • VMware Identity Manager 3.3.x
  • VMware TKrs 1.26.13
  • VMware TKrs 1.27.11 (Photon)

Potentially Impacted (ship with vulnerable versions of OpenSSH, but are 64-bit):

  • ESXi 8.x
  • ESXi 7.x
  • vCenter Server 8.x
  • Aria Operations 8.17.x
  • Aria Operations 8.16.x
  • Aria Operations 8.14.x
  • Aria Operations for Logs 8.18.x
  • Aria Operations for Logs 8.16.x
  • Aria Operations for Logs 8.14.x
  • Aria Automation 8.17.x
  • Aria Automation 8.16.x
  • Aria Automation Orchestrator 8.17.x
  • Aria Automation Orchestrator 8.16.x
  • VCF SDDC Manager 5.2.x
  • VCF SDDC Manager 5.1.x
  • VMware Cloud Director 10.6
  • VMware TKrs 1.29.4 (Photon & Ubuntu)
  • VMware TKrs 1.28.8 (Photon & Ubuntu)
  • VMware TKrs 1.27.11 (Ubuntu)

Impacted (ship vulnerable versions of OpenSSH and are 32-bit):

  • None

Resolution

Workarounds

The VMware Cloud Foundation Division continues to recommend that SSH remain disabled (it is disabled by default) in production environments. Please see product-specific documentation for details on how to disable SSH if it has been enabled. Alternative workarounds are not recommended and may have functional impacts on a product if implemented without published instructions. If additional workarounds are tested and approved, they will be mentioned in the 'Product Impact' section above.

 

Resolution

Regardless of the exploitability of CVE-2024-6387, VMware Cloud Foundation products will consume versions of OpenSSH that are not potentially vulnerable to CVE-2024-6387 in previously scheduled future releases.

This is an ongoing event; please subscribe to receive updates when this article is updated.

Additional Information

Changelog:

  • 07/01/2024 - Initial Publication
  • 07/02/2024 - Added products to Not Impacted and Potentially Impacted sections
  • 07/03/2024 - Added products to Not Impacted and Potentially Impacted sections