Cisco Confirms Critical OpenSSH regreSSHion (CVE-2024-6387) Flaw in Multiple Products
Cisco has issued a critical security advisory, warning users of a high-severity vulnerability (CVE-2024-6387) codenamed “regreSSHion” that affects the OpenSSH server component in various Cisco products and cloud services. This vulnerability could allow unauthorized remote attackers to execute arbitrary code on affected systems, potentially leading to a complete system compromise.
Technical Details and Impact
The regreSSHion vulnerability impacts OpenSSH versions between 8.5p1 and 9.7p1, as well as versions before 4.4p1 that haven’t been patched for previous related vulnerabilities. The flaw stems from a race condition bug in the OpenSSH server, which listens for connections from client applications. While OpenBSD systems are unaffected due to a built-in security mechanism, a wide range of Cisco products are susceptible to exploitation.
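The version ranges above can be turned into a first-pass triage of SSH banners collected from an inventory. This is an added example, not code from Cisco or the OpenSSH project; the label names, the sample banners and the treatment of both range endpoints as inclusive are assumptions.

```python
import re

# Ranges as stated in the article; treating both endpoints as inclusive
# is an assumption of this example.
FIRST_AFFECTED = (8, 5)   # 8.5p1
LAST_AFFECTED = (9, 7)    # 9.7p1
OLD_CUTOFF = (4, 4)       # releases before 4.4p1 depend on earlier patches

# Matches the upstream version in a banner or `ssh -V` style string.
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")

def parse_openssh_version(banner):
    """Return (major, minor) from a banner string, or None if absent."""
    m = VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(banner):
    """Triage label based only on the advertised upstream version."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "in-affected-range"
    if version < OLD_CUTOFF:
        return "old-check-patches"
    return "outside-range"

def triage(inventory):
    """Map each host in {host: banner} to its triage label."""
    return {host: classify(banner) for host, banner in inventory.items()}

# Constructed sample inventory (documentation addresses, made-up banners).
SAMPLE_INVENTORY = {
    "192.0.2.10": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "192.0.2.11": "SSH-2.0-OpenSSH_8.4p1 Debian-5",
    "192.0.2.12": "SSH-2.0-OpenSSH_4.3p2",
    "192.0.2.13": "SSH-2.0-OpenSSH_9.8p1",
    "192.0.2.14": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, label in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{label}")
```

A banner only reports the upstream version string, so a vendor or distribution build may already carry the fix without changing it. Treat "in-affected-range" as a prompt to check the vendor's fixed-release information, not as confirmation.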
Affected Cisco Products
Cisco’s investigation has identified numerous affected products across various categories, including:
- Network and Content Security Devices: Adaptive Security Appliance (ASA) Software, Firepower Management Center (FMC) Software, Firepower Threat Defense (FTD) Software, FXOS Firepower Chassis Manager, Identity Services Engine (ISE), Secure Network Analytics.
- Network Management and Provisioning: DNA Spaces Connector, Crosswork Data Gateway, Cyber Vision, Prime Infrastructure.
- Routing and Switching: ASR 5000 Series Routers, Nexus 3000 and 9000 Series Switches, GGSN Gateway, and various other networking devices.
- Unified Computing: Intersight Virtual Appliance, Virtualized Infrastructure Manager.
- Voice and Unified Communications: Emergency Responder, Unified Communications Manager, Unity Connection.
- Video and Collaboration: Cisco Meeting Server, Expressway Series, TelePresence Video Communication Server (VCS).
- Wireless: Various access points and wireless controllers.
Proof-of-Concept Code and Malicious Activity
While proof-of-concept exploit code exists for this vulnerability, Cisco PSIRT has not yet observed any malicious use in the wild. However, the availability of the exploit code increases the urgency for users to patch their systems promptly.
Mitigation and Remediation
Cisco strongly recommends that users immediately apply the available patches for their affected products to mitigate the risk of exploitation. The company has provided fixed release availability dates for most products, while others are still under evaluation.