Summary

• On July 1, 2024, the Qualys Threat Research Unit (TRU) disclosed an unauthenticated, remote code execution vulnerability that affects the OpenSSH server (sshd) in glibc-based Linux systems.

  CVE-2024-6387: A signal handler race condition was found in sshd, where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then the sshd SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().

  For a description of this vulnerability, see the Qualys Security Advisory.

  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssh-rce-2024

Affected Products

• Cisco has investigated its product line to determine which products and cloud services may be affected by this vulnerability.

  This advisory only lists Cisco products and services that are known to include the impacted software component and thus may be vulnerable. Products and services that do not contain the impacted software component are not vulnerable and therefore are not listed in this advisory. Any Cisco product or service that is not explicitly listed in the Affected Products section of this advisory is not affected by the vulnerability or vulnerabilities described.

  The Vulnerable Products section includes Cisco bug IDs for each affected product or service. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.

  Vulnerable Products

  The following table lists Cisco products that are affected by the vulnerability that is described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. Customers should refer to the associated Cisco bugs for further details.

  Product	Cisco Bug ID	Fixed Release Availability
  Network and Content Security Devices
  Adaptive Security Appliance (ASA) Software	CSCwk62296	9.18.4.34 9.20.3
  Firepower 4100/9300 FXOS Firepower Chassis Manager	CSCwk62297	2.12.1
  Firepower Management Center (FMC) Software	CSCwk62296	7.0.6.3 7.2.8.1 7.4.2
  Firepower Threat Defense (FTD) Software	CSCwk62296	7.0.6.3 7.2.8.1 7.4.2
  Identity Services Engine (ISE)	CSCwk61938	3.3 patch 3.2 patch 3.1 patch
  Secure Access Resource Connector	CSCwk67866	2.0.0-2407032046
  Secure Email and Web Manager	CSCwk63532	15.5.2 MR
  Secure Email Gateway	CSCwk63523	15.5.2 MR 15.0.3 MR (Nov 2024) 16.0 (Oct 2024)
  Secure Network Analytics	CSCwk64073	7.4.2 7.5.0
  Network Management and Provisioning
  Application Policy Infrastructure Controller (APIC)	CSCwk62256	6.0(7e) 6.1(1x) (Release no. TBD, Sep 2024)
  Common Services Platform Collector (CSPC)	CSCwk62250	2.11.0.1
  Crosswork Data Gateway	CSCwk62311	7.0.0
  Cyber Vision	CSCwk62289	4.1.7 4.4.3 5.0.0
  DNA Spaces Connector	CSCwk62273	Connector 3
  Evolved Programmable Network Manager (EPNM)	CSCwk62268	Consult the Cisco bug ID for details
  Nexus Dashboard, formerly Application Services Engine	CSCwk62261	3.2(1e)
  Prime Infrastructure	CSCwk62276	3.10.5
  Smart PHY	CSCwk62284	24.2 (Sep 2024)
  Smart Software Manager On-Prem	CSCwk62288	9-202407
  Virtualized Infrastructure Manager	CSCwk62277	5.0.1
  Routing and Switching - Enterprise and Service Provider
  8000 Series Routers	CSCwk62108	24.3.1 (Sep 2024) 24.2.2 (Oct 2024) 24.2.11 Available from SMU ID AA35431
  ASR 5000 Series Routers	CSCwk63293	Consult the Cisco bug ID for details
  Catalyst ESS9300 Embedded Series Switches	CSCwk67488	17.15
  Catalyst IE3x00 Rugged Series Switches	CSCwk67488	17.15
  Catalyst IE9300 Rugged Series Switches	CSCwk67488	17.15
  Embedded Services 3300 Series Switches	CSCwk67488	17.15
  GGSN Gateway GPRS Support Node	CSCwk63293	Consult the Cisco bug ID for details
  IOS XE Software with NETCONF enabled	CSCwk61216	17.15.1
  IOS XRd Control Plane	CSCwk62108	24.3.1 (Sep 2024) 24.2.2 (Oct 2024) 24.2.11 Available from SMU ID AA35431
  IOS XRd vRouter	CSCwk62108	24.3.1 (Sep 2024) 24.2.2 (Oct 2024) 24.2.11 Available from SMU ID AA35431
  IP Services Gateway (IPSG)	CSCwk63293	Consult the Cisco bug ID for details
  MDS 9000 Series Multilayer Switches	CSCwk62258	9.4(2a)
  MME Mobility Management Entity	CSCwk63293	Consult the Cisco bug ID for details
  Network Convergence System 540 Series Routers running NCS540L images	CSCwk62108	24.3.1 (Sep 2024) 24.2.2 (Oct 2024) 24.2.11 Available from SMU ID AA35431
  Network Convergence System 1010	CSCwk62108	24.3.1 (Sep 2024) 24.2.2 (Oct 2024) 24.2.11 Available from SMU ID AA35431
  Network Convergence System 1014	CSCwk62108	24.3.1 (Sep 2024) 24.2.2 (Oct 2024) 24.2.11 Available from SMU ID AA35431
  Network Convergence System 2000 Series	CSCwm05826	10.82
  Network Convergence System 5700 Fixed Chassis NCS-57B1, NCS-57C1, and NCS-57D2	CSCwk62108	24.3.1 (Sep 2024) 24.2.2 (Oct 2024) 24.2.11 Available from SMU ID AA35431
  Nexus 3000 Series Switches	CSCwk61235	10.2(9) (Jan 2025) 10.3(6) 10.4(4) (Oct 2024) 10.5(1)
  Nexus 9000 Series Fabric Switches in ACI Mode	CSCwk62257	16.1(1f) 16.0(7e)
  Nexus 9000 Series Switches in standalone NX-OS mode	CSCwk61235	10.2(9) (Jan 2025) 10.3(6) 10.4(4) (Oct 2024) 10.5(1)
  ONS 15454 Series Multiservice Provisioning Platforms	CSCwm05826	10.82
  PDSN/HA Packet Data Serving Node and Home Agent	CSCwk63293	Consult the Cisco bug ID for details
  PGW Packet Data Network Gateway	CSCwk63293	Consult the Cisco bug ID for details
  System Architecture Evolution Gateway (SAEGW)	CSCwk63293	Consult the Cisco bug ID for details
  Ultra Cloud Core - Access and Mobility Management Function	CSCwk62243	Consult the Cisco bug ID for details
  Ultra Cloud Core - Session Management Function	CSCwk62246	2024.03.1.12
  Ultra Cloud Core - Subscriber Microservices Infrastructure	CSCwk62247	2024.03.1.12
  Ultra Cloud Core 5G Policy Control Function	CSCwk62244	Consult the Cisco bug ID for details
  Ultra Packet Core	CSCwk63293	Consult the Cisco bug ID for details
  Unified Computing
  Intersight Virtual Appliance	CSCwk63145	1.0.9-677
  UCS 6300 Series Fabric Interconnects	CSCwk79616	4.3(5a) (Oct 2024)
  UCS 6400 Series Fabric Interconnects in Intersight Managed Mode (IMM)	CSCwk78644	4.3(5) (Oct 2024)
  UCS 6400 Series Fabric Interconnects in UCS Manager Mode	CSCwk62264	4.2(3l) (Sep 2024) 4.3(5a) (Oct 2024) 4.3(4c)
  UCS 6500 Series Fabric Interconnects in Intersight Managed Mode (IMM)	CSCwk78644	4.3(5) (Oct 2024)
  UCS 6500 Series Fabric Interconnects in UCS Manager Mode	CSCwk62264	4.2(3l) (Sep 2024) 4.3(5a) (Oct 2024) 4.3(4c)
  UCS B-Series Blade Servers - Serial over LAN (SOL)	CSCwk62723	4.3(4c) 4.3(5a) (Oct 2024)
  UCS C-Series Rack Servers and S-Series Storage Servers - Integrated Management Controller (CIMC)	CSCwk62266	4.3.4.241063 4.3.2.240077
  UCS Director	CSCwk62255	6.9.1.0 (Oct 2024)
  UCS X-Series Compute Nodes - Serial over LAN (SOL)	CSCwk62723	4.3(4c) 4.3(5a) (Oct 2024)
  Voice and Unified Communications Devices
  Desk Phone 9841	CSCwk62323	3.2(1) (Oct 2024)
  Desk Phone 9851	CSCwk62323	3.2(1) (Oct 2024)
  Emergency Responder	CSCwk63694	15.0.1.12900 (Sep 2024) 15SU2 (Sep 2024) ciscocm.V14_CVE-2024-6387_v1.1.zip1 ciscocm.V15_CVE-2024-6387_v1.1.zip1
  Prime Collaboration Deployment	CSCwk64755	15.0.1.12900 (Sep 2024) 15SU2 (Sep 2024) ciscocm.V14_CVE-2024-6387_v1.1.zip1 ciscocm.V15_CVE-2024-6387_v1.1.zip1
  Unified Communications Manager / Unified Communications Manager Session Management Edition	CSCwk62318	15.0.1.12900 (Sep 2024) 15SU2 (Sep 2024) ciscocm.V14_CVE-2024-6387_v1.1.zip1 ciscocm.V15_CVE-2024-6387_v1.1.zip1
  Unified Communications Manager IM and Presence Service	CSCwk63634	15.0.1.12900 (Sep 2024) 15SU2 (Sep 2024) ciscocm.V14_CVE-2024-6387_v1.1.zip1 ciscocm.V15_CVE-2024-6387_v1.1.zip1
  Unity Connection	CSCwk63494	15.0.1.12900 (Sep 2024) 15Su2 (Sep 2024) ciscocm.V14_CVE-2024-6387_v1.1.zip1 ciscocm.V15_CVE-2024-6387_v1.1.zip1
  Video Phone 8875	CSCwk62317	2.3(1) (Nov 2024)
  Webex Video Mesh	CSCwk80951	Consult the Cisco bug ID for details
  Video, Streaming, TelePresence, and Transcoding Devices
  Board Series	CSCwk70371	Cloud - RoomOS 11.18.1.6 On-premise - RoomOS 11.17.3.0 On-premise - RoomOS 11.14.4
  Cisco Meeting Server	CSCwk62286	SMU - CMS 3.9.2 (Sep 2024) SMU - CMS 3.8.2 (Sep 2024)
  Desk Series	CSCwk70371	Cloud - RoomOS 11.18.1.6 On-premise - RoomOS 11.17.3.0 On-premise - RoomOS 11.14.4
  Expressway Series	CSCwk61630	X15.0.3 X15.2.0 (Sep 2024)
  Room Series	CSCwk70371	Cloud - RoomOS 11.18.1.6 On-premise - RoomOS 11.17.3.0 On-premise - RoomOS 11.14.4
  TelePresence Video Communication Server (VCS)	CSCwk61630	X15.0.3 X15.2.0 (Sep 2024)
  Webex Board	CSCwk70371	Cloud - RoomOS 11.18.1.6 On-premise - RoomOS 11.17.3.0 On-premise - RoomOS 11.14.4
  Wireless
  6300 Series Embedded Services Access Points	CSCwk62269	17.15 17.9.6 (Sep 2024) 17.12.4
  Aironet 802.11ac Wave2 Access Points	CSCwk62269	17.15 17.9.6 (Sep 2024) 17.12.4
  Aironet 1540 Series	CSCwk62269	17.15 17.9.6 (Sep 2024) 17.12.4
  Aironet 1560 Series	CSCwk62269	17.15 17.9.6 (Sep 2024) 17.12.4
  Catalyst 9100 Series Access Points	CSCwk62269	17.15 17.9.6 (Sep 2024) 17.12.4
  Catalyst 9800 Series Wireless Controllers	CSCwk61216	17.15.1
  Catalyst IW6300 Heavy Duty Series Access Points	CSCwk62269	17.15 17.9.6 (Sep 2024) 17.12.4
  Catalyst IW9165 Heavy Duty Series	CSCwk62269	17.15 17.9.6 (Sep 2024) 17.12.4
  Catalyst IW9165 Rugged Series	CSCwk62269	17.15 17.9.6 (Sep 2024) 17.12.4
  Catalyst IW9167 Heavy Duty Series	CSCwk62269	17.15 17.9.6 (Sep 2024) 17.12.4
  Connected Mobile Experiences	CSCwk62270	11.0.1-129
  Embedded Wireless Controllers	CSCwk61216	17.15.1
  IEC6400 Edge Compute Appliance	CSCwk62290	1.0.2 1.1.0 (Oct 2024)

  1. COP files can be downloaded and installed without Cisco TAC assistance. These COP files apply only to certain releases.

  2. Releases earlier than Release 10.8 of this product are affected by CVE-2006-5051. CVE-2006-5051 is the original vulnerability that was reintroduced due to a regression and identified as CVE-2024-6387 (regreSSHion). The OpenSSH version present in releases 10.8 and later are not affected by CVE-2006-5051 or CVE-2024-6387. 

   

  Products Confirmed Not Vulnerable

  Cisco investigated its product line to determine which products may be affected by this vulnerability.

  Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  Endpoint Clients and Client Software

  • AnyConnect Secure Mobility Client

  Network Application, Service, and Acceleration

  • Cloud Services Platform 5000 Series
  • CX Cloud Agent
  • Secure Workload

  Network and Content Security Devices

  • Secure Endpoint Private Cloud
  • Secure Web Appliance
  • Umbrella Virtual Appliance

  Network Management and Provisioning

  • Business Process Automation
  • Catalyst Center
  • Catalyst Center Assurance
  • Cisco Telemetry Broker
  • Crosswork Change Automation
  • Crosswork Health Insights
  • Crosswork Zero Touch Provisioning (ZTP)
  • Data Center Network Manager (DCNM)
  • Modeling Labs
  • Network Services Orchestrator (NSO)
  • Policy Suite
  • Prime Cable Provisioning
  • Prime Network Registrar
  • SecureX Orchestration Remote
  • ThousandEyes Enterprise Agent
  • WAN Automation Engine (WAE)

  Routing and Switching - Enterprise and Service Provider

  • ASR 9000 Series Aggregation Services Routers
  • Carrier Routing System (CRS)
  • Catalyst SD-WAN Controller, formerly known as SD-WAN vSmart
  • Catalyst SD-WAN Manager, formerly SD-WAN vManage
  • Catalyst SD-WAN Validator, formerly SD-WAN vBond Orchestrator
  • Industrial Ethernet 1000 Series Switches
  • Industrial Ethernet 2000 Series Switches
  • Industrial Ethernet 3000 Series Switches
  • Industrial Ethernet 4000 Series Switches
  • Industrial Ethernet 5000 Series Switches
  • IOS Software
  • IOS XRv 9000 Series Routers
  • Network Convergence System 540 Series Routers running IOS XR 64-bit (eXR) Software
  • Network Convergence System 560 Series Routers
  • Network Convergence System 1001
  • Network Convergence System 1002
  • Network Convergence System 1004
  • Network Convergence System 5000 Series Routers
  • Network Convergence System 5500 Series Routers
  • Network Convergence System 5700 Series Routers running IOS XR 64-bit (eXR) Software
  • Nexus 1000V Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Optical Network Controller
  • SD-WAN vEdge Cloud Routers
  • SD-WAN vEdge Routers

  Unified Computing

  • Enterprise NFV Infrastructure Software (NFVIS)
  • HyperFlex System
  • Integrated Management Controller (IMC) Supervisor
  • UCS Central Software
  • UCS E-Series Servers

  Voice and Unified Communications Devices

  • Computer Telephony Integration Object Server (CTIOS)
  • Finesse
  • Unified Contact Center Enterprise (Unified CCE)
  • Unified Contact Center Enterprise - Cloud Connect
  • Unified Contact Center Express (Unified CCX)
  • Unified Customer Voice Portal (Unified CVP)
  • Unified Intelligence Center
  • Unified Intelligent Contact Management Enterprise
  • Unified SIP Proxy Software

  Video, Streaming, TelePresence, and Transcoding Devices

  • Webex DX80

  Wireless

  • 800 and 1900 Series ISR Integrated Access Points
  • AireOS Wireless LAN Controllers
  • Aironet 700 Series Access Points
  • Aironet 700W Series Access Points
  • Aironet 802.11ac Wave1 Access Points Industrial Wireless 3700 Series
  • Aironet 1530 Series
  • Aironet 1550 Series
  • Aironet 1570 Series
  • Meraki products
  • Ultra-Reliable Wireless Backhaul

  Cisco Cloud Hosted Services

  • AppDynamics
  • Armorblox
  • Attack Surface Management
  • Business Critical Services
  • Cisco Managed Services Platform
  • Cisco Secure Client
  • Cisco University - Next Gen Learning
  • Cloud Native Application Observability
  • Crosswork Cloud
  • Customer Journey Platform R10
  • Data Science Services
  • DevNet Cloud Services
  • DevNet Sandbox
  • eSIM Flex
  • Intersight SaaS
  • IoT Control Center
  • IoT Operations Dashboard
  • Kenna Platform
  • Managed Services Accelerator (MSXaaS)
  • Matrix Network Intelligence Service
  • Network Plug and Play Connect
  • Observability Platform
  • Panoptica
  • Provider Connectivity Assurance, formerly Skylight Performance Analytics
  • Secure Cloud Analytics
  • Secure Email Cloud
  • Secure Email Encryption Service, formerly Registered Envelope Service
  • Secure Email Threat Defense
  • Secure Endpoint
  • Secure Malware Analytics
  • Secure Workload SaaS
  • Slido
  • Smartlook
  • Smart Software Manager
  • UC Management
  • Ultra-Reliable Wireless Backhaul
  • User Defined Network Cloud
  • Vidcast
  • Webex Calling
  • Webex Contact Center
  • Webex Events
  • Webex - Meetings - Messaging App - Calling
  • Webex Teams
  • XDR

Details

• Cisco Response to This Vulnerability

  Cisco assessed all products and services for impact from CVE-2024-6387. To help detect exploitation of this vulnerability, Cisco has released the following Snort rules:

  • 33654
  • 63659

  Cisco recommends restricting SSH access to only trusted hosts. For the steps to apply infrastructure access control lists (ACLs) to prevent access to SSH services, see the following guides:

  • Cisco Guide to Harden Cisco IOS Devices - Limit Access to the Network with Infrastructure ACLs
  • Cisco Guide to Securing NX-OS Software Devices - Limiting Access to the Network with Infrastructure ACLs
  • Cisco UCS Hardening Guide - Limit Network Access with ACLs on Routers and Firewalls
  • Cisco Firewall Best Practices - Securing the Management Plane
  • Cisco Firepower Threat Defense Hardening Guide

  For additional hardening documentation, see Tactical Resources.

Workarounds

• Any workarounds will be documented in the product-specific Cisco bugs, which are identified in the Vulnerable Products section of this advisory.

Fixed Software

• For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory.

  When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

• The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory. However, customization is required for exploitation. 

  The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.

Source

• This vulnerability was publicly disclosed by the Qualys Threat Research Unit on July 1, 2024.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssh-rce-2024

Revision History

• Version	Description	Section	Status	Date
  1.16	Updated software fix information and lists of products determined to be affected and products determined to be not vulnerable.	Vulnerable Products and Products Confirmed Not Vulnerable	Final	2024-SEP-13
  1.15	Updated software fix information.	Vulnerable Products	Final	2024-SEP-12
  1.14	Updated software fix information.	Vulnerable Products	Interim	2024-SEP-05
  1.13	Updated software fix information.	Vulnerable Products	Interim	2024-AUG-21
  1.12	Updated software fix information and lists of products determined to be affected and products determined to be not vulnerable.	Vulnerable Products and Products Confirmed Not Vulnerable	Interim	2024-AUG-02
  1.11	Updated the lists of products determined to be affected and products determined to be not vulnerable.	Vulnerable Products and Products Confirmed Not Vulnerable	Interim	2024-JUL-26
  1.10	Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2024-JUL-19
  1.9	Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2024-JUL-16
  1.8	Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2024-JUL-12
  1.7	Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2024-JUL-11
  1.6	Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2024-JUL-10
  1.5	Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2024-JUL-09
  1.4	Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2024-JUL-08
  1.3	Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2024-JUL-05
  1.2	Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable	Interim	2024-JUL-04
  1.1	Added lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Added Snort rules.	Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable, Details	Interim	2024-JUL-03
  1.0	Initial public release.	—	Interim	2024-JUL-02

  Show Less

---