Cisco Security Advisory
Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion): July 2024
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
-
On July 1, 2024, the Qualys Threat Research Unit (TRU) disclosed an unauthenticated, remote code execution vulnerability that affects the OpenSSH server (sshd) in glibc-based Linux systems.
CVE-2024-6387: A signal handler race condition was found in sshd, where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then the sshd SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().
For a description of this vulnerability, see the Qualys Security Advisory.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssh-rce-2024
-
Cisco has investigated its product line to determine which products and cloud services may be affected by this vulnerability.
This advisory only lists Cisco products and services that are known to include the impacted software component and thus may be vulnerable. Products and services that do not contain the impacted software component are not vulnerable and therefore are not listed in this advisory. Any Cisco product or service that is not explicitly listed in the Affected Products section of this advisory is not affected by the vulnerability or vulnerabilities described.
The Vulnerable Products section includes Cisco bug IDs for each affected product or service. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.
Vulnerable Products
The following table lists Cisco products that are affected by the vulnerability that is described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. Customers should refer to the associated Cisco bugs for further details.
Product Cisco Bug ID Fixed Release Availability Network and Content Security Devices Adaptive Security Appliance (ASA) Software CSCwk62296 9.18.4.34
9.20.3Firepower 4100/9300 FXOS Firepower Chassis Manager CSCwk62297 2.12.1 Firepower Management Center (FMC) Software CSCwk62296 7.0.6.3
7.2.8.1
7.4.2Firepower Threat Defense (FTD) Software CSCwk62296 7.0.6.3
7.2.8.1
7.4.2Identity Services Engine (ISE) CSCwk61938 3.3 patch
3.2 patch
3.1 patchSecure Access Resource Connector CSCwk67866 2.0.0-2407032046 Secure Email and Web Manager CSCwk63532 15.5.2 MR Secure Email Gateway CSCwk63523 15.5.2 MR
15.0.3 MR (Nov 2024)
16.0 (Oct 2024)Secure Network Analytics CSCwk64073 7.4.2
7.5.0Network Management and Provisioning Application Policy Infrastructure Controller (APIC) CSCwk62256 6.0(7e)
6.1(1x) (Release no. TBD, Sep 2024)Common Services Platform Collector (CSPC) CSCwk62250 2.11.0.1 Crosswork Data Gateway CSCwk62311 7.0.0 Cyber Vision CSCwk62289 4.1.7
4.4.3
5.0.0DNA Spaces Connector CSCwk62273 Connector 3 Evolved Programmable Network Manager (EPNM) CSCwk62268 Consult the Cisco bug ID for details Nexus Dashboard, formerly Application Services Engine CSCwk62261 3.2(1e) Prime Infrastructure CSCwk62276 3.10.5 Smart PHY CSCwk62284 24.2 (Sep 2024) Smart Software Manager On-Prem CSCwk62288 9-202407 Virtualized Infrastructure Manager CSCwk62277 5.0.1 Routing and Switching - Enterprise and Service Provider 8000 Series Routers CSCwk62108 24.3.1 (Sep 2024)
24.2.2 (Oct 2024)
24.2.11 Available from SMU ID AA35431ASR 5000 Series Routers CSCwk63293 Consult the Cisco bug ID for details Catalyst ESS9300 Embedded Series Switches CSCwk67488 17.15 Catalyst IE3x00 Rugged Series Switches CSCwk67488 17.15 Catalyst IE9300 Rugged Series Switches CSCwk67488 17.15 Embedded Services 3300 Series Switches CSCwk67488 17.15 GGSN Gateway GPRS Support Node CSCwk63293 Consult the Cisco bug ID for details IOS XE Software with NETCONF enabled CSCwk61216 17.15.1 IOS XRd Control Plane CSCwk62108 24.3.1 (Sep 2024)
24.2.2 (Oct 2024)
24.2.11 Available from SMU ID AA35431IOS XRd vRouter CSCwk62108 24.3.1 (Sep 2024)
24.2.2 (Oct 2024)
24.2.11 Available from SMU ID AA35431IP Services Gateway (IPSG) CSCwk63293 Consult the Cisco bug ID for details MDS 9000 Series Multilayer Switches CSCwk62258 9.4(2a) MME Mobility Management Entity CSCwk63293 Consult the Cisco bug ID for details Network Convergence System 540 Series Routers running NCS540L images CSCwk62108 24.3.1 (Sep 2024)
24.2.2 (Oct 2024)
24.2.11 Available from SMU ID AA35431Network Convergence System 1010 CSCwk62108 24.3.1 (Sep 2024)
24.2.2 (Oct 2024)
24.2.11 Available from SMU ID AA35431Network Convergence System 1014 CSCwk62108 24.3.1 (Sep 2024)
24.2.2 (Oct 2024)
24.2.11 Available from SMU ID AA35431Network Convergence System 2000 Series CSCwm05826 10.82 Network Convergence System 5700 Fixed Chassis NCS-57B1, NCS-57C1, and NCS-57D2 CSCwk62108 24.3.1 (Sep 2024)
24.2.2 (Oct 2024)
24.2.11 Available from SMU ID AA35431Nexus 3000 Series Switches CSCwk61235 10.2(9) (Jan 2025)
10.3(6)
10.4(4) (Oct 2024)
10.5(1)Nexus 9000 Series Fabric Switches in ACI Mode CSCwk62257 16.1(1f)
16.0(7e)Nexus 9000 Series Switches in standalone NX-OS mode CSCwk61235 10.2(9) (Jan 2025)
10.3(6)
10.4(4) (Oct 2024)
10.5(1)ONS 15454 Series Multiservice Provisioning Platforms CSCwm05826 10.82 PDSN/HA Packet Data Serving Node and Home Agent CSCwk63293 Consult the Cisco bug ID for details PGW Packet Data Network Gateway CSCwk63293 Consult the Cisco bug ID for details System Architecture Evolution Gateway (SAEGW) CSCwk63293 Consult the Cisco bug ID for details Ultra Cloud Core - Access and Mobility Management Function CSCwk62243 Consult the Cisco bug ID for details Ultra Cloud Core - Session Management Function CSCwk62246 2024.03.1.12 Ultra Cloud Core - Subscriber Microservices Infrastructure CSCwk62247 2024.03.1.12 Ultra Cloud Core 5G Policy Control Function CSCwk62244 Consult the Cisco bug ID for details Ultra Packet Core CSCwk63293 Consult the Cisco bug ID for details Unified Computing Intersight Virtual Appliance CSCwk63145 1.0.9-677 UCS 6300 Series Fabric Interconnects CSCwk79616 4.3(5a) (Oct 2024) UCS 6400 Series Fabric Interconnects in Intersight Managed Mode (IMM) CSCwk78644 4.3(5) (Oct 2024) UCS 6400 Series Fabric Interconnects in UCS Manager Mode CSCwk62264 4.2(3l) (Sep 2024)
4.3(5a) (Oct 2024)
4.3(4c)UCS 6500 Series Fabric Interconnects in Intersight Managed Mode (IMM) CSCwk78644 4.3(5) (Oct 2024) UCS 6500 Series Fabric Interconnects in UCS Manager Mode CSCwk62264 4.2(3l) (Sep 2024)
4.3(5a) (Oct 2024)
4.3(4c)UCS B-Series Blade Servers - Serial over LAN (SOL) CSCwk62723 4.3(4c)
4.3(5a) (Oct 2024)UCS C-Series Rack Servers and S-Series Storage Servers - Integrated Management Controller (CIMC) CSCwk62266 4.3.4.241063
4.3.2.240077UCS Director CSCwk62255 6.9.1.0 (Oct 2024) UCS X-Series Compute Nodes - Serial over LAN (SOL) CSCwk62723 4.3(4c)
4.3(5a) (Oct 2024)Voice and Unified Communications Devices Desk Phone 9841 CSCwk62323 3.2(1) (Oct 2024) Desk Phone 9851 CSCwk62323 3.2(1) (Oct 2024) Emergency Responder CSCwk63694 15.0.1.12900 (Sep 2024)
15SU2 (Sep 2024)
ciscocm.V14_CVE-2024-6387_v1.1.zip1
ciscocm.V15_CVE-2024-6387_v1.1.zip1Prime Collaboration Deployment CSCwk64755 15.0.1.12900 (Sep 2024)
15SU2 (Sep 2024)
ciscocm.V14_CVE-2024-6387_v1.1.zip1
ciscocm.V15_CVE-2024-6387_v1.1.zip1Unified Communications Manager / Unified Communications Manager Session Management Edition CSCwk62318 15.0.1.12900 (Sep 2024)
15SU2 (Sep 2024)
ciscocm.V14_CVE-2024-6387_v1.1.zip1
ciscocm.V15_CVE-2024-6387_v1.1.zip1Unified Communications Manager IM and Presence Service CSCwk63634 15.0.1.12900 (Sep 2024)
15SU2 (Sep 2024)
ciscocm.V14_CVE-2024-6387_v1.1.zip1
ciscocm.V15_CVE-2024-6387_v1.1.zip1Unity Connection CSCwk63494 15.0.1.12900 (Sep 2024)
15Su2 (Sep 2024)
ciscocm.V14_CVE-2024-6387_v1.1.zip1
ciscocm.V15_CVE-2024-6387_v1.1.zip1Video Phone 8875 CSCwk62317 2.3(1) (Nov 2024) Webex Video Mesh CSCwk80951 Consult the Cisco bug ID for details Video, Streaming, TelePresence, and Transcoding Devices Board Series CSCwk70371 Cloud - RoomOS 11.18.1.6
On-premise - RoomOS 11.17.3.0
On-premise - RoomOS 11.14.4Cisco Meeting Server CSCwk62286 SMU - CMS 3.9.2 (Sep 2024)
SMU - CMS 3.8.2 (Sep 2024)Desk Series CSCwk70371 Cloud - RoomOS 11.18.1.6
On-premise - RoomOS 11.17.3.0
On-premise - RoomOS 11.14.4Expressway Series CSCwk61630 X15.0.3
X15.2.0 (Sep 2024)Room Series CSCwk70371 Cloud - RoomOS 11.18.1.6
On-premise - RoomOS 11.17.3.0
On-premise - RoomOS 11.14.4TelePresence Video Communication Server (VCS) CSCwk61630 X15.0.3
X15.2.0 (Sep 2024)Webex Board CSCwk70371 Cloud - RoomOS 11.18.1.6
On-premise - RoomOS 11.17.3.0
On-premise - RoomOS 11.14.4Wireless 6300 Series Embedded Services Access Points CSCwk62269 17.15
17.9.6 (Sep 2024)
17.12.4Aironet 802.11ac Wave2 Access Points CSCwk62269 17.15
17.9.6 (Sep 2024)
17.12.4Aironet 1540 Series CSCwk62269 17.15
17.9.6 (Sep 2024)
17.12.4Aironet 1560 Series CSCwk62269 17.15
17.9.6 (Sep 2024)
17.12.4Catalyst 9100 Series Access Points CSCwk62269 17.15
17.9.6 (Sep 2024)
17.12.4Catalyst 9800 Series Wireless Controllers CSCwk61216 17.15.1 Catalyst IW6300 Heavy Duty Series Access Points CSCwk62269 17.15
17.9.6 (Sep 2024)
17.12.4Catalyst IW9165 Heavy Duty Series CSCwk62269 17.15
17.9.6 (Sep 2024)
17.12.4Catalyst IW9165 Rugged Series CSCwk62269 17.15
17.9.6 (Sep 2024)
17.12.4Catalyst IW9167 Heavy Duty Series CSCwk62269 17.15
17.9.6 (Sep 2024)
17.12.4Connected Mobile Experiences CSCwk62270 11.0.1-129 Embedded Wireless Controllers CSCwk61216 17.15.1 IEC6400 Edge Compute Appliance CSCwk62290 1.0.2
1.1.0 (Oct 2024)1. COP files can be downloaded and installed without Cisco TAC assistance. These COP files apply only to certain releases.2. Releases earlier than Release 10.8 of this product are affected by CVE-2006-5051. CVE-2006-5051 is the original vulnerability that was reintroduced due to a regression and identified as CVE-2024-6387 (regreSSHion). The OpenSSH version present in releases 10.8 and later are not affected by CVE-2006-5051 or CVE-2024-6387.Products Confirmed Not Vulnerable
Cisco investigated its product line to determine which products may be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
Endpoint Clients and Client Software
- AnyConnect Secure Mobility Client
Network Application, Service, and Acceleration
- Cloud Services Platform 5000 Series
- CX Cloud Agent
- Secure Workload
Network and Content Security Devices
- Secure Endpoint Private Cloud
- Secure Web Appliance
- Umbrella Virtual Appliance
Network Management and Provisioning
- Business Process Automation
- Catalyst Center
- Catalyst Center Assurance
- Cisco Telemetry Broker
- Crosswork Change Automation
- Crosswork Health Insights
- Crosswork Zero Touch Provisioning (ZTP)
- Data Center Network Manager (DCNM)
- Modeling Labs
- Network Services Orchestrator (NSO)
- Policy Suite
- Prime Cable Provisioning
- Prime Network Registrar
- SecureX Orchestration Remote
- ThousandEyes Enterprise Agent
- WAN Automation Engine (WAE)
Routing and Switching - Enterprise and Service Provider
- ASR 9000 Series Aggregation Services Routers
- Carrier Routing System (CRS)
- Catalyst SD-WAN Controller, formerly known as SD-WAN vSmart
- Catalyst SD-WAN Manager, formerly SD-WAN vManage
- Catalyst SD-WAN Validator, formerly SD-WAN vBond Orchestrator
- Industrial Ethernet 1000 Series Switches
- Industrial Ethernet 2000 Series Switches
- Industrial Ethernet 3000 Series Switches
- Industrial Ethernet 4000 Series Switches
- Industrial Ethernet 5000 Series Switches
- IOS Software
- IOS XRv 9000 Series Routers
- Network Convergence System 540 Series Routers running IOS XR 64-bit (eXR) Software
- Network Convergence System 560 Series Routers
- Network Convergence System 1001
- Network Convergence System 1002
- Network Convergence System 1004
- Network Convergence System 5000 Series Routers
- Network Convergence System 5500 Series Routers
- Network Convergence System 5700 Series Routers running IOS XR 64-bit (eXR) Software
- Nexus 1000V Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Optical Network Controller
- SD-WAN vEdge Cloud Routers
- SD-WAN vEdge Routers
Unified Computing
- Enterprise NFV Infrastructure Software (NFVIS)
- HyperFlex System
- Integrated Management Controller (IMC) Supervisor
- UCS Central Software
- UCS E-Series Servers
Voice and Unified Communications Devices
- Computer Telephony Integration Object Server (CTIOS)
- Finesse
- Unified Contact Center Enterprise (Unified CCE)
- Unified Contact Center Enterprise - Cloud Connect
- Unified Contact Center Express (Unified CCX)
- Unified Customer Voice Portal (Unified CVP)
- Unified Intelligence Center
- Unified Intelligent Contact Management Enterprise
- Unified SIP Proxy Software
Video, Streaming, TelePresence, and Transcoding Devices
- Webex DX80
Wireless
- 800 and 1900 Series ISR Integrated Access Points
- AireOS Wireless LAN Controllers
- Aironet 700 Series Access Points
- Aironet 700W Series Access Points
- Aironet 802.11ac Wave1 Access Points Industrial Wireless 3700 Series
- Aironet 1530 Series
- Aironet 1550 Series
- Aironet 1570 Series
- Meraki products
- Ultra-Reliable Wireless Backhaul
Cisco Cloud Hosted Services
- AppDynamics
- Armorblox
- Attack Surface Management
- Business Critical Services
- Cisco Managed Services Platform
- Cisco Secure Client
- Cisco University - Next Gen Learning
- Cloud Native Application Observability
- Crosswork Cloud
- Customer Journey Platform R10
- Data Science Services
- DevNet Cloud Services
- DevNet Sandbox
- eSIM Flex
- Intersight SaaS
- IoT Control Center
- IoT Operations Dashboard
- Kenna Platform
- Managed Services Accelerator (MSXaaS)
- Matrix Network Intelligence Service
- Network Plug and Play Connect
- Observability Platform
- Panoptica
- Provider Connectivity Assurance, formerly Skylight Performance Analytics
- Secure Cloud Analytics
- Secure Email Cloud
- Secure Email Encryption Service, formerly Registered Envelope Service
- Secure Email Threat Defense
- Secure Endpoint
- Secure Malware Analytics
- Secure Workload SaaS
- Slido
- Smartlook
- Smart Software Manager
- UC Management
- Ultra-Reliable Wireless Backhaul
- User Defined Network Cloud
- Vidcast
- Webex Calling
- Webex Contact Center
- Webex Events
- Webex - Meetings - Messaging App - Calling
- Webex Teams
- XDR
-
Cisco Response to This Vulnerability
Cisco assessed all products and services for impact from CVE-2024-6387. To help detect exploitation of this vulnerability, Cisco has released the following Snort rules:
Cisco recommends restricting SSH access to only trusted hosts. For the steps to apply infrastructure access control lists (ACLs) to prevent access to SSH services, see the following guides:
- Cisco Guide to Harden Cisco IOS Devices - Limit Access to the Network with Infrastructure ACLs
- Cisco Guide to Securing NX-OS Software Devices - Limiting Access to the Network with Infrastructure ACLs
- Cisco UCS Hardening Guide - Limit Network Access with ACLs on Routers and Firewalls
- Cisco Firewall Best Practices - Securing the Management Plane
- Cisco Firepower Threat Defense Hardening Guide
For additional hardening documentation, see Tactical Resources.
-
Any workarounds will be documented in the product-specific Cisco bugs, which are identified in the Vulnerable Products section of this advisory.
-
For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
-
The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory. However, customization is required for exploitation.
The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.
-
This vulnerability was publicly disclosed by the Qualys Threat Research Unit on July 1, 2024.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version Description Section Status Date 1.16 Updated software fix information and lists of products determined to be affected and products determined to be not vulnerable. Vulnerable Products and Products Confirmed Not Vulnerable Final 2024-SEP-13 1.15 Updated software fix information. Vulnerable Products Final 2024-SEP-12 1.14 Updated software fix information. Vulnerable Products Interim 2024-SEP-05 1.13 Updated software fix information. Vulnerable Products Interim 2024-AUG-21 1.12 Updated software fix information and lists of products determined to be affected and products determined to be not vulnerable. Vulnerable Products and Products Confirmed Not Vulnerable Interim 2024-AUG-02 1.11 Updated the lists of products determined to be affected and products determined to be not vulnerable. Vulnerable Products and Products Confirmed Not Vulnerable Interim 2024-JUL-26 1.10 Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable Interim 2024-JUL-19 1.9 Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable Interim 2024-JUL-16 1.8 Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable Interim 2024-JUL-12 1.7 Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable Interim 2024-JUL-11 1.6 Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable Interim 2024-JUL-10 1.5 Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable Interim 2024-JUL-09 1.4 Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable Interim 2024-JUL-08 1.3 Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable Interim 2024-JUL-05 1.2 Updated the lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable Interim 2024-JUL-04 1.1 Added lists of products currently under investigation, products determined to be affected, and products determined to be not vulnerable. Added Snort rules. Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable, Details Interim 2024-JUL-03 1.0 Initial public release. - Interim 2024-JUL-02
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.