Cisco has issued a security advisory regarding a critical remote code execution (RCE) vulnerability called “regreSSHion” that affects multiple products.
The vulnerability, tracked as CVE-2024-6387, was disclosed by the Qualys Threat Research Unit on July 1, 2024. It affects the OpenSSH server (sshd) on glibc-based Linux systems and has the potential to allow unauthenticated attackers to gain root access to affected systems.
Details of the vulnerability
The regreSSHion vulnerability is a regression of an older flaw (CVE-2006-5051) that was reintroduced in OpenSSH version 8.5p1, released in October 2020.
Join our free webinar to learn about combat slow DDoS attacksmajor threat today.
The flaw includes a race condition in sshd’s SIGALRM handler that calls functions that are not asynchronous signal safe, such as syslog().
An attacker could exploit this by opening multiple connections and failing to authenticate within the LoginGraceTime period, triggering the vulnerable signal handler asynchronously.
Cisco has identified several products in various categories affected by this vulnerability.
The company is actively researching its product line to determine the full scope of affected devices. The following table lists the affected products and their corresponding Cisco bug IDs:
| product category | Name of the product | Cisco Bug ID | Fixed version availability |
|---|---|---|---|
| Network and content protection devices | Adaptive Security Appliance (ASA) software. | CSCwk61618 | |
| Firepower Management Center (FMC) software. | CSCwk61618 | ||
| Firepower Threat Defense (FTD) software. | CSCwk61618 | ||
| FXOS Firepower Chassis Manager | CSCwk62297 | ||
| Identity Services Engine (ISE) | CSCwk61938 | ||
| Secure network analysis | CSCwk62315 | ||
| Network management and provisioning | Crosswork Data Gateway | CSCwk62311 | 7.0.0 (August 2024) |
| Cyber Vision | CSCwk62289 | ||
| Connector for DNA Spaces | CSCwk62273 | ||
| Basic infrastructure | CSCwk62276 | ||
| Smart Software Manager On-Prem | CSCwk62288 | ||
| Virtualized infrastructure manager | CSCwk62277 | ||
| Routing and Switching – Enterprise and Service Provider | ASR 5000 Series Routers | CSCwk62248 | |
| Nexus 3000 Series Switches | CSCwk61235 | ||
| Nexus 9000 series switches in NX-OS standalone mode | CSCwk61235 | ||
| Unified calculation | Intersight Virtual Device | CSCwk63145 | |
| Voice and Unified Communications Devices | Urgent response | CSCwk63694 | |
| Unified Communications Manager | CSCwk62318 | ||
| Unified Communications Manager IM & presence service | CSCwk63634 | ||
| Unity Connection | CSCwk63494 | ||
| Video, streaming, telepresence and transcoding devices | Cisco Meeting Server | CSCwk62286 | SMU – CMS 3.9.2 (August 2024) |
Mitigation and recommendations
Cisco recommends several steps to reduce exploitation risk:
- Restrict SSH access: Restrict SSH access to trusted hosts only. This can be achieved by implementing infrastructure access control lists (ACLs) to prevent unauthorized access to SSH services.
- Upgrade OpenSSH: Upgrade to the latest patched version of OpenSSH (9.8p1) as soon as it becomes available in the package repositories of Linux distributions.
- Fix LoginGraceTime: Attitude
LoginGraceTimeparameter to 0 in the sshd configuration file to prevent a race condition, although this may result in a denial of service if all connection slots are occupied[1][6][7].
The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for this vulnerability. However, the exploit requires customization and there are no reports of malicious use.
Cisco continues to evaluate all products and services for impact and will update recommendations as new information becomes available.
The regreSSHion vulnerability poses a significant risk to a wide range of Cisco products.
Customers are encouraged to follow Cisco’s recommendations and apply the necessary fixes and mitigations to protect their systems from potential exploitation.
"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo
