Critical Security Alert: regreSSHion RCE Vulnerability Affects Multiple Cisco Products
As students preparing for competitive exams, it is essential to stay updated on the latest security threats and vulnerabilities that can impact your systems and devices. In this regard, Cisco has issued a critical security advisory regarding a remote code execution (RCE) vulnerability, dubbed “regreSSHion,” which affects multiple products.
Vulnerability Details
The regreSSHion vulnerability, tracked as CVE-2024-6387, was disclosed by the Qualys Threat Research Unit on July 1, 2024. It affects the OpenSSH server (sshd) in glibc-based Linux systems, allowing unauthenticated attackers to gain root access to affected systems. This vulnerability is a regression of an older flaw (CVE-2006-5051) that was reintroduced in OpenSSH version 8.5p1, released in October 2020.
The flaw involves a race condition in sshd’s SIGALRM handler, which calls functions that are not async-signal-safe, such as syslog(). An attacker can exploit this by opening multiple connections and failing to authenticate within the LoginGraceTime period, which triggers the vulnerable signal handler asynchronously.
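The unsafe handler pattern described above, next to a generic hardened form, as an added example (not OpenSSH source code and not the upstream fix). The function names and the log message are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <string.h>
#include <sys/time.h>
#include <syslog.h>

/* Pattern the text describes, shown for contrast and never installed here:
 * syslog() is not async-signal-safe, so a handler that calls it can interrupt
 * code that is halfway through updating the same internal state. */
void grace_alarm_unsafe(int sig) {
    (void)sig;
    syslog(LOG_INFO, "grace period expired");
}

/* Hardened pattern: the handler only records that the timer fired. */
static volatile sig_atomic_t grace_expired;

static void grace_alarm_safe(int sig) {
    (void)sig;
    grace_expired = 1;
}

/* Arms a grace timer of ms milliseconds, waits for it, then logs from normal
 * context. Returns 1 after a timeout, -1 on error, and 0 when ms is 0: as
 * with LoginGraceTime 0, no timer is armed and the handler never runs. */
int run_grace_timer(unsigned ms) {
    struct sigaction sa;
    struct itimerval tv = { {0, 0}, { ms / 1000, (ms % 1000) * 1000 } };
    sigset_t block, old, waitmask;

    if (ms == 0) return 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_safe;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) != 0) return -1;

    /* Block SIGALRM while arming so it cannot fire before we start waiting. */
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    sigprocmask(SIG_BLOCK, &block, &old);
    waitmask = old;
    sigdelset(&waitmask, SIGALRM);
    grace_expired = 0;
    if (setitimer(ITIMER_REAL, &tv, NULL) != 0) return -1;
    while (!grace_expired)
        sigsuspend(&waitmask);      /* atomically unblock SIGALRM and sleep */
    sigprocmask(SIG_SETMASK, &old, NULL);

    syslog(LOG_INFO, "grace period expired");   /* safe: normal context */
    return 1;
}
```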
Affected Products
Cisco has identified several products across various categories affected by this vulnerability. The company is actively investigating its product line to determine the full scope of impacted devices. The following table lists the affected products and their respective Cisco Bug IDs:
| Product Category | Product Name | Cisco Bug ID | Fixed Release Availability |
|---|---|---|---|
| Network and Content Security | Adaptive Security Appliance (ASA) Software | CSCwk61618 | - |
| | Firepower Management Center (FMC) Software | CSCwk61618 | - |
| | Firepower Threat Defense (FTD) Software | CSCwk61618 | - |
| | FXOS Firepower Chassis Manager | CSCwk62297 | - |
| | Identity Services Engine (ISE) | CSCwk61938 | - |
| | Secure Network Analytics | CSCwk62315 | 7.0.0 (Aug 2024) |
| | Crosswork Data Gateway | CSCwk62311 | - |
| | Cyber Vision | CSCwk62289 | - |
| | DNA Spaces Connector | CSCwk62273 | - |
| | Prime Infrastructure | CSCwk62276 | - |
| | Smart Software Manager On-Prem | CSCwk62288 | - |
| | Virtualized Infrastructure Manager | CSCwk62277 | - |
| Routing and Switching – Enterprise and Service Provider | ASR 5000 Series Routers | CSCwk62248 | - |
| | Nexus 3000 Series Switches | CSCwk61235 | - |
| | Nexus 9000 Series Switches in standalone NX-OS mode | CSCwk61235 | - |
| Unified Computing | Intersight Virtual Appliance | CSCwk63145 | - |
| Voice and Unified Communications | Emergency Responder | CSCwk63694 | - |
| | Unified Communications Manager | CSCwk62318 | - |
| | Unified Communications Manager IM & Presence Service | CSCwk63634 | - |
| | Unity Connection | CSCwk63494 | - |
| Video, Streaming, TelePresence, and Transcoding | Cisco Meeting Server | CSCwk62286 | SMU – CMS 3.9.2 (Aug 2024) |
Mitigation and Recommendations
To mitigate the risk of exploitation, Cisco recommends the following steps:
- Restrict SSH Access: Limit SSH access to trusted hosts only by applying infrastructure access control lists (ACLs) to prevent unauthorized access to SSH services.
- Upgrade OpenSSH: Upgrade to the latest patched version of OpenSSH (9.8p1) as soon as it becomes available in the package repositories of Linux distributions.
- Adjust LoginGraceTime: Set the LoginGraceTime parameter to 0 in the sshd configuration file to prevent the race condition, although this may lead to denial-of-service if all connection slots become occupied.
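A triage check for the upgrade and LoginGraceTime steps above, as an added example that is not part of the Cisco advisory. It assumes the version range given on this page (8.5p1 up to, but not including, 9.8p1); the function and enum names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum exposure { UNKNOWN, OUT_OF_RANGE, MITIGATED, EXPOSED };

/* 1 if the banner version lies in the range this page gives: from 8.5p1
 * (regression) up to, not including, 9.8p1 (fix); -1 if unparseable.
 * Distribution backports can fix a package without changing this number. */
int in_regression_range(const char *banner) {
    int maj, min;
    const char *p = strstr(banner, "OpenSSH_");
    if (!p || sscanf(p, "OpenSSH_%d.%d", &maj, &min) != 2) return -1;
    return (maj > 8 || (maj == 8 && min >= 5)) &&
           (maj < 9 || (maj == 9 && min < 8));
}

/* 1 if the first LoginGraceTime directive in the sshd_config text is zero.
 * Keywords are case-insensitive, '#' starts a comment, and sshd keeps the
 * first value it obtains for a keyword. */
int grace_time_disabled(const char *config) {
    char line[512];
    while (*config) {
        size_t n = strcspn(config, "\n");
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, config, c);
        line[c] = '\0';
        config += n + (config[n] == '\n');
        char *s = line + strspn(line, " \t");
        if (strncasecmp(s, "LoginGraceTime", 14) != 0) continue;
        s += 14;
        if (*s != ' ' && *s != '\t' && *s != '=') continue;
        int digits = 0;
        for (s += strspn(s, " \t="); *s && !isspace((unsigned char)*s); s++)
            if (isdigit((unsigned char)*s)) {
                if (*s != '0') return 0;   /* e.g. "2m" or "0m30s" */
                digits = 1;
            }
        return digits;
    }
    return 0;   /* directive absent: the default grace period applies */
}

enum exposure assess(const char *banner, const char *config) {
    int r = in_regression_range(banner);
    if (r < 0) return UNKNOWN;
    if (r == 0) return OUT_OF_RANGE;
    return grace_time_disabled(config) ? MITIGATED : EXPOSED;
}
```

Feeding `assess()` the effective configuration printed by `sshd -T` rather than the raw file also accounts for included files. A `MITIGATED` result still carries the denial-of-service trade-off noted in the list above.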
Important Notice
The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for this vulnerability. However, exploitation requires customization, and there have been no reports of malicious use. Cisco continues to assess all products and services for impact and will update the advisory as new information becomes available.
Action Required
Customers are urged to follow Cisco’s recommendations and apply the necessary patches and mitigations to protect their systems from potential exploitation. It is crucial to stay vigilant and take proactive measures to ensure the security of your devices and systems.
Summary in Bullet Points:
- The regreSSHion vulnerability, tracked as CVE-2024-6387, is a critical remote code execution (RCE) vulnerability that affects multiple Cisco products.
- The vulnerability is a regression of an older flaw (CVE-2006-5051) that was reintroduced in OpenSSH version 8.5p1, released in October 2020.
- The flaw involves a race condition in sshd’s SIGALRM handler, which calls functions that are not async-signal-safe, such as syslog().
- An attacker can exploit this by opening multiple connections and failing to authenticate within the LoginGraceTime period, triggering the vulnerable signal handler asynchronously.
- Affected products include:
  - Network and Content Security: Adaptive Security Appliance (ASA) Software, Firepower Management Center (FMC) Software, Firepower Threat Defense (FTD) Software, FXOS Firepower Chassis Manager, and more.
  - Routing and Switching – Enterprise and Service Provider: ASR 5000 Series Routers, Nexus 3000 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, and more.
  - Unified Computing: Intersight Virtual Appliance
  - Voice and Unified Communications: Emergency Responder, Unified Communications Manager, Unified Communications Manager IM & Presence Service, Unity Connection, and more.
  - Video, Streaming, TelePresence, and Transcoding: Cisco Meeting Server
- Mitigation and recommendations:
  - Restrict SSH access to trusted hosts only by applying infrastructure access control lists (ACLs) to prevent unauthorized access to SSH services.
  - Upgrade to the latest patched version of OpenSSH (9.8p1) as soon as it becomes available in the package repositories of Linux distributions.
  - Adjust the LoginGraceTime parameter to 0 in the sshd configuration file to prevent the race condition, although this may lead to denial-of-service if all connection slots become occupied.
- Important notice: Proof-of-concept exploit code is available for this vulnerability, but exploitation requires customization, and there have been no reports of malicious use.
- Action required: Customers are urged to follow Cisco’s recommendations and apply the necessary patches and mitigations to protect their systems from potential exploitation.