Cisco has released a security advisory about a critical remote code execution (RCE) vulnerability, dubbed “regreSSHion,” that affects multiple products.
The vulnerability, tracked as CVE-2024-6387, was disclosed by the Qualys Threat Research Unit on July 1, 2024. This vulnerability affects the OpenSSH (sshd) server on glibc-based Linux systems and could allow unauthenticated attackers to gain root access on affected systems.
Vulnerability details
The regreSSHion vulnerability is a regression of an older bug (CVE-2006-5051) that was reintroduced in OpenSSH version 8.5p1, released in October 2020.
Join our free webinar to learn more about Combating slow DDoS attacksa major threat today.
The flaw involves a race condition in the sshd’s SIGALRM handler, which calls functions that are not async signal-safe, such as syslog().
An attacker could exploit this by opening multiple connections and not authenticating within the LoginGraceTime period, causing the vulnerable signal handler to be activated asynchronously.
Cisco has determined that multiple products across multiple categories are affected by this vulnerability.
The company is actively investigating its product line to determine the full scope of affected devices. The following table lists the affected products and their respective Cisco Bug IDs:
| product category | product name | Cisco Bug ID | Availability of fixed release |
|---|---|---|---|
| Network and content security devices | Adaptive Security Devices (ASA) Software | CSCwk61618 | |
| Firepower Management Center (FMC) software | CSCwk61618 | ||
| Firepower Threat Defense (FTD) software | CSCwk61618 | ||
| FXOS Firepower Chassis Manager | CSCwk62297 | ||
| Identity Services Engine (ISE) | CSCwk61938 | ||
| Secure Network Analysis | CSCwk62315 | ||
| Network management and provisioning | Crosswork Data Gateway | CSCwk62311 | 7.0.0 (August 2024) |
| Cybervision | CSCwk62289 | ||
| DNA space connector | CSCwk62273 | ||
| Prime infrastructure | CSCwk62276 | ||
| Smart on-site software manager | CSCwk62288 | ||
| Virtualized Infrastructure Manager | CSCwk62277 | ||
| Routing and Switching – Enterprise and Service Provider | ASR 5000 Series Routers | CSCwk62248 | |
| Nexus 3000 Series Switches | CSCwk61235 | ||
| Nexus 9000 Series Switches in Standalone NX-OS Mode | CSCwk61235 | ||
| Unified Computing | Intersight Virtual Appliance | CSCwk63145 | |
| Voice and Unified Communications Devices | Emergency responder | CSCwk63694 | |
| Unified Communications Manager | CSCwk62318 | ||
| Unified Communications Manager IM & Presence Service | CSCwk63634 | ||
| Unit connection | CSCwk63494 | ||
| Video, streaming, telepresence and transcoding devices | Cisco Meeting Server | CSCwk62286 | SMU – CMS 3.9.2 (August 2024) |
Mitigation and recommendations
Cisco recommends several steps to reduce the risk of exploitation:
- Restrict SSH access: Restrict SSH access to only trusted hosts. This can be accomplished by applying infrastructure access control lists (ACLs) to prevent unauthorized access to SSH services.
- Upgrading OpenSSH: Upgrade to the latest patched version of OpenSSH (9.8p1) once it is available in the package repositories of Linux distributions.
- Customize LoginGraceTime: Set the
LoginGraceTimeparameter to 0 in the sshd configuration file to avoid the race condition, although this may lead to denial-of-service if all connection slots become occupied[1][6][7].
The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code exists for this vulnerability. However, exploitation requires customization and there have been no reports of malicious use.
Cisco continues to evaluate all products and services for impact and will update this advisory as new information becomes available.
The regreSSHion vulnerability poses a significant risk to a wide range of Cisco products.
Customers are urged to follow Cisco’s recommendations and apply the necessary patches and mitigations to protect their systems from potential exploits.
"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo