Cisco has issued a security advisory regarding a critical remote code execution (RCE) vulnerability, dubbed “regreSSHion,” that affects multiple products.
This can be achieved by applying infrastructure access control lists (ACLs) to prevent unauthorized access to SSH services.
This can be achieved by applying infrastructure access control lists (ACLs) to prevent unauthorized access to SSH services.
Cisco continues to assess all products and services for impact and will update the advisory as new information becomes available.
The regreSSHion vulnerability poses a significant risk to a wide range of Cisco products.
Cisco has issued a security advisory regarding a critical remote code execution (RCE) vulnerability, dubbed “regreSSHion,” that affects multiple products.
The vulnerability tracked as CVE-2024-6387, was disclosed by the Qualys Threat Research Unit on July 1, 2024. It impacts the OpenSSH server (sshd) in glibc-based Linux systems and has the potential to allow unauthenticated attackers to gain root access to affected systems.
Vulnerability Details
The regreSSHion vulnerability is a regression of an older flaw (CVE-2006-5051) that was reintroduced in OpenSSH version 8.5p1, released in October 2020.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
The flaw involves a race condition in the sshd’s SIGALRM handler, which calls functions that are not async-signal-safe, such as syslog() .
An attacker can exploit this by opening multiple connections and failing to authenticate within the LoginGraceTime period, triggering the vulnerable signal handler asynchronously.
Cisco has identified several products across various categories affected by this vulnerability.
The company is actively investigating its product line to determine the full scope of impacted devices. The following table lists the affected products and their respective Cisco Bug IDs:
Product Category Product Name Cisco Bug ID Fixed Release Availability Network and Content Security Devices Adaptive Security Appliance (ASA) Software CSCwk61618 Firepower Management Center (FMC) Software CSCwk61618 Firepower Threat Defense (FTD) Software CSCwk61618 FXOS Firepower Chassis Manager CSCwk62297 Identity Services Engine (ISE) CSCwk61938 Secure Network Analytics CSCwk62315 Network Management and Provisioning Crosswork Data Gateway CSCwk62311 7.0.0 (Aug 2024) Cyber Vision CSCwk62289 DNA Spaces Connector CSCwk62273 Prime Infrastructure CSCwk62276 Smart Software Manager On-Prem CSCwk62288 Virtualized Infrastructure Manager CSCwk62277 Routing and Switching – Enterprise and Service Provider ASR 5000 Series Routers CSCwk62248 Nexus 3000 Series Switches CSCwk61235 Nexus 9000 Series Switches in standalone NX-OS mode CSCwk61235 Unified Computing Intersight Virtual Appliance CSCwk63145 Voice and Unified Communications Devices Emergency Responder CSCwk63694 Unified Communications Manager CSCwk62318 Unified Communications Manager IM & Presence Service CSCwk63634 Unity Connection CSCwk63494 Video, Streaming, TelePresence, and Transcoding Devices Cisco Meeting Server CSCwk62286 SMU – CMS 3.9.2 (Aug 2024)
Mitigation and Recommendations
Cisco recommends several steps to mitigate the risk of exploitation:
Restrict SSH Access : Limit SSH access to trusted hosts only. This can be achieved by applying infrastructure access control lists (ACLs) to prevent unauthorized access to SSH services.
: Limit SSH access to trusted hosts only. This can be achieved by applying infrastructure access control lists (ACLs) to prevent unauthorized access to SSH services. Upgrade OpenSSH : Upgrade to the latest patched version of OpenSSH (9.8p1) as soon as it becomes available in the package repositories of Linux distributions.
: Upgrade to the latest patched version of OpenSSH (9.8p1) as soon as it becomes available in the package repositories of Linux distributions. Adjust LoginGraceTime: Set the LoginGraceTime parameter to 0 in the sshd configuration file to prevent the race condition, although this may lead to denial-of-service if all connection slots become occupied[1][6][7].
The Cisco Product Security Incident Response Team (PSIRT) knows that a proof-of-concept exploit code is available for this vulnerability. However, the exploitation requires customization, and there have been no reports of malicious use.
Cisco continues to assess all products and services for impact and will update the advisory as new information becomes available.
The regreSSHion vulnerability poses a significant risk to a wide range of Cisco products.
Customers are urged to follow Cisco’s recommendations and apply the necessary patches and mitigations to protect their systems from potential exploitation.
