OpenSSH regreSSHion Attack (CVE-2024-6387)

Summary

CVE-2024-6387


A signal handler race condition was found in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in older OpenSSH versions), sshd's SIGALRM handler is invoked asynchronously. That handler calls functions that are not async-signal-safe, for example syslog(). Winning the race could lead to remote code execution with root privileges.

Version | Affected | Solution
--- | --- | ---
FortiADC 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above
FortiADC 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above
FortiAIOps 2.1 | Not affected | Not Applicable
FortiAIOps 2.0 | 2.0.0 through 2.0.1 | Upgrade to 2.0.2 or above
FortiAnalyzer 7.6 | Not affected | Not Applicable
FortiAnalyzer 7.4 | 7.4.0 through 7.4.3 | Upgrade to 7.4.4 or above
FortiAnalyzer 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above
FortiAnalyzer 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above
FortiAnalyzer 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above
FortiAuthenticator 6.6 | 6.6.0 through 6.6.1 | Upgrade to 6.6.2 or above
FortiDDoS 5.7 | 5.7.0 through 5.7.3 | Upgrade to 5.7.4 or above
FortiDDoS-F 7.0 | 7.0.0 through 7.0.1 | Upgrade to 7.0.2 or above
FortiExtender 7.6 | Not affected | Not Applicable
FortiExtender 7.4 | 7.4.0 through 7.4.5 | Upgrade to 7.4.6 or above
FortiExtender 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above
FortiExtender 7.0 | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above
FortiMail 7.6 | Not affected | Not Applicable
FortiMail 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above
FortiMail 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above
FortiMail 7.0 | 7.0.0 through 7.0.7 | Upgrade to 7.0.8 or above
FortiMail 6.4 | 6.4.0 through 6.4.8 | Upgrade to 6.4.9 or above
FortiManager 7.6 | Not affected | Not Applicable
FortiManager 7.4 | 7.4.0 through 7.4.3 | Upgrade to 7.4.4 or above
FortiManager 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above
FortiManager 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above
FortiManager 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above
FortiManager Cloud 7.4 | Not affected | Not Applicable
FortiManager Cloud 7.2 | 7.2.3 through 7.2.4 | Upgrade to 7.2.7 or above
FortiManager Cloud 7.2 | 7.2.1 | Upgrade to 7.2.7 or above
FortiManager Cloud 7.0 | 7.0.12 | Upgrade to 7.0.13 or above
FortiManager Cloud 7.0 | 7.0.10 | Upgrade to 7.0.13 or above
FortiManager Cloud 7.0 | 7.0.6 through 7.0.7 | Upgrade to 7.0.13 or above
FortiNAC-F 7.6 | Not affected | Not Applicable
FortiNAC-F 7.4 | 7.4.0 | Upgrade to 7.4.1 or above
FortiNAC-F 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above
FortiNAC 9.4 | Not affected | Not Applicable
FortiNAC 9.2 | Not affected | Not Applicable
FortiNAC 9.1 | Not affected | Not Applicable
FortiNAC 8.8 | Not affected | Not Applicable
FortiRecorder 7.2 | 7.2.0 through 7.2.1 | Upgrade to 7.2.2 or above
FortiRecorder 7.0 | 7.0.0 through 7.0.4 | Upgrade to 7.0.5 or above
FortiRecorder 6.4 | 6.4.0 through 6.4.5 | Upgrade to 6.4.6 or above
FortiRecorder 6.0 | 6.0.0 through 6.0.12 | Upgrade to 6.0.13 or above
FortiSandbox 4.4 | 4.4.0 through 4.4.6 | Upgrade to 4.4.7 or above
FortiSandbox 4.2 | 4.2.0 through 4.2.7 | Upgrade to 4.2.8 or above
FortiSandbox 4.0 | 4.0.0 through 4.0.5 | Upgrade to 4.0.6 or above
FortiSandbox 3.2 | 3.2.0 through 3.2.4 | Upgrade to 3.2.5 or above
FortiVoice 7.2 | Not affected | Not Applicable
FortiVoice 7.0 | 7.0.0 through 7.0.2 | Upgrade to 7.0.3 or above
FortiVoice 6.4 | 6.4.0 through 6.4.9 | Upgrade to 6.4.10 or above
FortiWeb 7.6 | 7.6.0 | Upgrade to 7.6.1 or above
FortiWeb 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above
FortiWeb 7.2 | 7.2.0 through 7.2.9 | Upgrade to 7.2.10 or above

Fortinet has remediated this issue in FortiDevSec version 24.3; customers do not need to perform any action.


Vulnerable OpenSSH versions:
- OpenSSH < 4.4p1 if not backport-patched against CVE-2006-5051, or not patched against CVE-2008-4109, which was an incorrect fix for CVE-2006-5051;
- 8.5p1 <= OpenSSH < 9.8p1


OpenSSH versions confirmed not vulnerable:
- 4.4p1 <= OpenSSH < 8.5p1
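An added triage helper (not from the advisory) that applies the version ranges above to an sshd banner string. The "OpenSSH_X.Y[pZ]" banner format, the function names and the sample banners are assumptions constructed for this example.

```c
/* Added example (not from the advisory): triage an sshd banner against the
 * version ranges listed above. Assumes the banner carries "OpenSSH_X.Y[pZ]". */
#include <stdio.h>
#include <string.h>

/* Encode major.minor as major*100+minor. The portable "pN" suffix is ignored:
 * every range boundary above is a p1 release, and OpenBSD-native builds
 * (e.g. "OpenSSH_9.8") carry no suffix at all. Returns -1 if unrecognised. */
static int parse_openssh_version(const char *banner)
{
    const char *p = strstr(banner, "OpenSSH_");
    int major, minor;
    if (!p || sscanf(p + 8, "%d.%d", &major, &minor) != 2)
        return -1;
    return major * 100 + minor;
}

/* Status codes: 1 = in the 8.5p1 <= v < 9.8p1 vulnerable range,
 *               2 = below 4.4p1 (vulnerable unless backport-patched),
 *               0 = in a range confirmed not vulnerable,
 *              -1 = not an OpenSSH banner.
 * Caveat: distributions often backport the fix without bumping the upstream
 * version, so 1 means "verify the package changelog", not "exploitable". */
int regresshion_status(const char *banner)
{
    int v = parse_openssh_version(banner);
    if (v < 0)
        return -1;
    if (v < 404)
        return 2;
    if (v >= 805 && v < 908)
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample banners, not real inventory data. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_9.2p1 Debian-2",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_8.4p1",
        "SSH-2.0-OpenSSH_4.3p2",
        "SSH-2.0-dropbear_2022.83",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-40s -> %d\n", samples[i], regresshion_status(samples[i]));
    return 0;
}
```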


Please note:
- Products based on OpenBSD are not impacted.
- Products not based on glibc Linux are not impacted.
- Products on 64-bit architectures with ASLR enabled have not been shown to be exploitable so far.


Products Under Investigation:
- FortiTester
- FortiGuest
- FortiNDR
- FortiSwitch
- FortiAnalyzer Big-Data
- FortiWLC


Products NOT Impacted:
- FortiOS
- FortiProxy
- FortiSASE
- FortiClient EMS
- FortiADCManager
- FortiDAST
- FortiSwitchManager
- FortiAP-U
- FortiEDR
- FortiCASB/FortiCNP
- FortiPAM
- FortiAP
- FortiAP-S
- FortiAP-W2
- FortiPortal
- FortiWLM
- FortiMonitor
- FortiSIEM
- FortiRecon
- FortiPhish
- FortiOnPrem


Workarounds:
- Disabling SSH.


Mitigations:
- Restricting SSH access to trusted networks/IP addresses.

Timeline

2024-07-09: Initial publication
2024-07-10: Products information updated
2024-07-11: Products information updated
2024-07-16: Products information updated
2024-07-17: Products information updated
2024-07-18: Products information updated
2024-07-19: Products information updated
2024-07-23: Products information updated
2024-07-26: Products information updated
2024-07-30: Products information updated
2024-07-31: Products information updated
2024-08-06: Products information updated
2024-09-06: Products information updated
2024-09-11: Products information updated
2024-10-16: Products information updated
2024-11-15: Products information updated
2024-11-18: Updated FortiNAC not impacted versions
2024-11-20: Products information updated
2024-11-22: Products information updated