CVE-2024-6387: Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion)
24691
Last Updated: 13 February 2025
Published: 15 July 2024
Status: CLOSED
Severity: LOW
CVSS Score: 7.3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE: CVE-2024-6387
Brocade Security Advisory ID: BSA-2024-2614
Component: OpenSSH
Summary
The OpenSSH server (sshd) contains a remote code execution (RCE) vulnerability that an unauthenticated attacker can trigger through a race condition in a signal handler: when a client fails to authenticate within LoginGraceTime, sshd's SIGALRM handler runs code that is not async-signal-safe. Successful exploitation can allow remote execution of arbitrary code with the privileges of sshd, which on typical installations is root. The bug is a regression of CVE-2006-5051 reintroduced in OpenSSH 8.5p1; upstream releases 8.5p1 through 9.7p1 are affected, and 9.8p1 fixes it.
Note: This flaw has been demonstrated to be exploitable remotely on glibc-based Linux systems. Other libc implementations and operating systems were not examined; however, the vendor states in the OpenSSH 9.8 release notes that "exploitation on non-glibc systems is conceivable".
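The following is an added triage helper, not part of the Brocade advisory: it parses the version an sshd advertises in its SSH-2.0 identification banner and places it against the upstream affected range. The range itself (8.5p1 through 9.7p1 affected, fixed in 9.8p1, releases before 4.4p1 carrying the original CVE-2006-5051 bug) comes from the OpenSSH 9.8 release notes rather than from this advisory; the function, label and module names are my own, and the sample banners at the bottom are constructed for the demo. Two caveats are built into the labels: distributions routinely backport the fix without changing the upstream version string, so a banner inside the range means "check the package changelog", not "vulnerable"; and, per the glibc note above, a match on a non-glibc host is lower-confidence still.

```python
import re
import socket
from typing import Optional, Tuple

# Upstream OpenSSH portable release bounds for CVE-2024-6387 (regreSSHion).
# Taken from the OpenSSH 9.8 release notes / public disclosure, NOT from the
# Brocade advisory: 8.5p1 <= version <= 9.7p1 is affected, 9.8p1 is fixed.
# Releases before 4.4p1 carry the original CVE-2006-5051 bug; 4.4p1 .. 8.4p1 are clean.
AFFECTED_LOW = (8, 5)
AFFECTED_HIGH = (9, 7)
ORIGINAL_BUG_FIXED_IN = (4, 4)

# Matches e.g. "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3" or "SSH-2.0-OpenSSH_7.4".
_BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p\d+)?")


def parse_banner(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an OpenSSH identification line, or None if the
    server is not OpenSSH (Dropbear, a proprietary stack, a garbled banner)."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(banner: str) -> str:
    """Place a banner against the upstream affected range.

    'potentially-affected' is deliberately not 'vulnerable': vendors backport the
    9.8p1 fix under the old upstream version number, so the package changelog
    (or the vendor's own VEX statement, as in this advisory) is the final word.
    """
    ver = parse_banner(banner)
    if ver is None:
        return "not-openssh"
    if ver < ORIGINAL_BUG_FIXED_IN:
        return "affected-legacy"          # pre-4.4p1: the original CVE-2006-5051 bug
    if AFFECTED_LOW <= ver <= AFFECTED_HIGH:
        return "potentially-affected"     # in the regression window; confirm backport status
    return "not-affected"                 # 4.4p1 .. 8.4p1, or 9.8p1 and later


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from a live sshd (needs network access; the
    server sends its banner first, so one read is enough)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256).decode("ascii", errors="replace")
    return data.splitlines()[0] if data else ""


if __name__ == "__main__":
    # Constructed sample banners (assumption: illustrative version strings only).
    samples = [
        "SSH-2.0-OpenSSH_9.7p1 Debian-7",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-2.0-OpenSSH_4.3",
        "SSH-2.0-dropbear_2022.83",
    ]
    for b in samples:
        print(f"{b!r:45} -> {classify(b)}")
```

Run it against a real host with `classify(grab_banner("host.example"))`; for an inventory, feed it the banner column from a scanner export instead, so the check runs offline.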
Products Affected
No Brocade Fibre Channel products from Broadcom are known to be affected by this vulnerability.
Products Confirmed Not Affected
No versions of Brocade SANnav are affected:
- When the Disaster Recovery (DR) function is configured:
  [VEX Justification: Inline_mitigations_already_exist]
- When the DR function is not configured:
  [VEX Justification: Vulnerable_code_not_in_execute_path]
No versions of Brocade Fabric OS or ASCG are affected:
[VEX Justification: Vulnerable_code_not_present]
Solution
Although the vulnerability is not exploitable in SANnav, a security update addressing this CVE is provided in SANnav 2.4.0.
Revision History
Version | Change | Date
1.0 | Initial Publication | 7/15/2024
1.1 | Added solution text for SANnav 2.4.0 | 2/13/2025
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.