OpenSSH regreSSHion Attack (CVE-2024-6387)
Summary
CVE-2024-6387
A signal handler race condition was found in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example syslog(). This could lead to remote code execution with root privileges.
Version | Affected | Solution |
---|---|---|
FortiADC 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
FortiADC 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
FortiAIOps 2.1 | Not affected | Not Applicable |
FortiAIOps 2.0 | 2.0.0 through 2.0.1 | Upgrade to 2.0.2 or above |
FortiAnalyzer 7.6 | Not affected | Not Applicable |
FortiAnalyzer 7.4 | 7.4.0 through 7.4.3 | Upgrade to 7.4.4 or above |
FortiAnalyzer 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
FortiAnalyzer 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above |
FortiAnalyzer 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
FortiAuthenticator 6.6 | 6.6.0 through 6.6.1 | Upgrade to 6.6.2 or above |
FortiDDoS 5.7 | 5.7.0 through 5.7.3 | Upgrade to 5.7.4 or above |
FortiDDoS-F 7.0 | 7.0.0 through 7.0.1 | Upgrade to 7.0.2 or above |
FortiExtender 7.6 | Not affected | Not Applicable |
FortiExtender 7.4 | 7.4.0 through 7.4.5 | Upgrade to 7.4.6 or above |
FortiExtender 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
FortiExtender 7.0 | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
FortiMail 7.6 | Not affected | Not Applicable |
FortiMail 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
FortiMail 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
FortiMail 7.0 | 7.0.0 through 7.0.7 | Upgrade to 7.0.8 or above |
FortiMail 6.4 | 6.4.0 through 6.4.8 | Upgrade to 6.4.9 or above |
FortiManager 7.6 | Not affected | Not Applicable |
FortiManager 7.4 | 7.4.0 through 7.4.3 | Upgrade to 7.4.4 or above |
FortiManager 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
FortiManager 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above |
FortiManager 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
FortiManager Cloud 7.4 | Not affected | Not Applicable |
FortiManager Cloud 7.2 | 7.2.3 through 7.2.4 | Upgrade to 7.2.7 or above |
FortiManager Cloud 7.2 | 7.2.1 | Upgrade to 7.2.7 or above |
FortiManager Cloud 7.0 | 7.0.12 | Upgrade to 7.0.13 or above |
FortiManager Cloud 7.0 | 7.0.10 | Upgrade to 7.0.13 or above |
FortiManager Cloud 7.0 | 7.0.6 through 7.0.7 | Upgrade to 7.0.13 or above |
FortiNAC-F 7.6 | Not affected | Not Applicable |
FortiNAC-F 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
FortiNAC-F 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
FortiNAC 9.4 | Not affected | Not Applicable |
FortiNAC 9.2 | Not affected | Not Applicable |
FortiNAC 9.1 | Not affected | Not Applicable |
FortiNAC 8.8 | Not affected | Not Applicable |
FortiRecorder 7.2 | 7.2.0 through 7.2.1 | Upgrade to 7.2.2 or above |
FortiRecorder 7.0 | 7.0.0 through 7.0.4 | Upgrade to 7.0.5 or above |
FortiRecorder 6.4 | 6.4.0 through 6.4.5 | Upgrade to 6.4.6 or above |
FortiRecorder 6.0 | 6.0.0 through 6.0.12 | Upgrade to 6.0.13 or above |
FortiSandbox 4.4 | 4.4.0 through 4.4.6 | Upgrade to 4.4.7 or above |
FortiSandbox 4.2 | 4.2.0 through 4.2.7 | Upgrade to 4.2.8 or above |
FortiSandbox 4.0 | 4.0.0 through 4.0.5 | Upgrade to 4.0.6 or above |
FortiSandbox 3.2 | 3.2.0 through 3.2.4 | Upgrade to 3.2.5 or above |
FortiVoice 7.2 | Not affected | Not Applicable |
FortiVoice 7.0 | 7.0.0 through 7.0.2 | Upgrade to 7.0.3 or above |
FortiVoice 6.4 | 6.4.0 through 6.4.9 | Upgrade to 6.4.10 or above |
FortiWeb 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
FortiWeb 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
FortiWeb 7.2 | 7.2.0 through 7.2.9 | Upgrade to 7.2.10 or above |
Fortinet has remediated this issue in FortiDevSec version 24.3; customers do not need to perform any action.
Vulnerable OpenSSH versions:
- OpenSSH < 4.4p1 if not backport-patched against CVE-2006-5051, or not patched against CVE-2008-4109, which was an incorrect fix for CVE-2006-5051;
- 8.5p1 <= OpenSSH < 9.8p1
OpenSSH versions confirmed not vulnerable:
- 4.4p1 <= OpenSSH < 8.5p1
Please note:
- Products based on OpenBSD are not impacted.
- Products not based on glibc Linux are not impacted.
- Products on a 64-bit architecture with ASLR enabled are not known to be exploitable so far.
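A version classifier implementing the ranges listed above, added here as an example that is not Fortinet's or OpenSSH's code (the function and enum names are assumptions). It takes the version string an sshd announces in its `SSH-2.0-OpenSSH_X.YpN ...` identification line, or a bare `X.YpN`, and maps it onto the three categories the advisory gives: pre-4.4p1 (vulnerable unless backport-patched for CVE-2006-5051 / CVE-2008-4109), 4.4p1 to before 8.5p1 (not vulnerable), 8.5p1 to before 9.8p1 (vulnerable), and 9.8p1 or later (not vulnerable).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum regresshion_status {
    RS_PARSE_ERROR = -1,           /* no "major.minor" found in the string */
    RS_NOT_VULNERABLE = 0,         /* 4.4p1 <= v < 8.5p1, or v >= 9.8p1 */
    RS_VULNERABLE = 1,             /* 8.5p1 <= v < 9.8p1 */
    RS_LEGACY_CHECK_BACKPORT = 2   /* v < 4.4p1: vulnerable unless backport-patched */
};

struct ossh_version { int major, minor, portable; };

/* Lexicographic compare of (major, minor, portable-patch-level). */
static int cmp_version(const struct ossh_version *a, const struct ossh_version *b) {
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->portable != b->portable) return a->portable < b->portable ? -1 : 1;
    return 0;
}

/* Parse "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2", "OpenSSH_8.4p1" or "9.8p1".
 * Returns 0 on success, -1 if no major.minor could be found. */
int parse_openssh_version(const char *banner, struct ossh_version *out) {
    const char *p = strstr(banner, "OpenSSH_");
    p = p ? p + strlen("OpenSSH_") : banner;
    char *end;
    long major = strtol(p, &end, 10);
    if (end == p || *end != '.') return -1;
    p = end + 1;
    long minor = strtol(p, &end, 10);
    if (end == p) return -1;
    long portable = 1;   /* assumption: a bare "X.Y" is treated as the portable release X.Yp1 */
    if (*end == 'p' && isdigit((unsigned char)end[1]))
        portable = strtol(end + 1, &end, 10);
    out->major = (int)major;
    out->minor = (int)minor;
    out->portable = (int)portable;
    return 0;
}

/* Classify a banner or version string against the advisory's ranges. */
int regresshion_status(const char *banner) {
    struct ossh_version v;
    if (parse_openssh_version(banner, &v) != 0) return RS_PARSE_ERROR;
    const struct ossh_version v441 = {4, 4, 1}, v851 = {8, 5, 1}, v981 = {9, 8, 1};
    if (cmp_version(&v, &v441) < 0) return RS_LEGACY_CHECK_BACKPORT;
    if (cmp_version(&v, &v851) < 0) return RS_NOT_VULNERABLE;   /* 4.4p1 <= v < 8.5p1 */
    if (cmp_version(&v, &v981) < 0) return RS_VULNERABLE;       /* 8.5p1 <= v < 9.8p1 */
    return RS_NOT_VULNERABLE;                                   /* 9.8p1 and later */
}

int main(void) {
    /* Constructed sample banners, not captured from any real host. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2", "OpenSSH_8.4p1",
        "OpenSSH_9.8p1", "OpenSSH_4.3p2", "not a banner"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s -> %d\n", samples[i], regresshion_status(samples[i]));
    return 0;
}
```

Two caveats go with the result. First, the advisory itself limits the issue to glibc Linux builds, so the classification only matters for those; OpenBSD and non-glibc products are out of scope whatever the version says. Second, distributions commonly backport the fix without bumping the upstream version (the same reason the pre-4.4p1 range is conditional), so `RS_VULNERABLE` from the banner alone means "confirm the vendor's patch status", not "confirmed exposed".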
Products Under Investigation:
- FortiTester
- FortiGuest
- FortiNDR
- FortiSwitch
- FortiAnalyzer Big-Data
- FortiWLC
Products NOT Impacted:
- FortiOS
- FortiProxy
- FortiSASE
- FortiClient EMS
- FortiADCManager
- FortiDAST
- FortiSwitchManager
- FortiAP-U
- FortiEDR
- FortiCASB/FortiCNP
- FortiPAM
- FortiAP
- FortiAP-S
- FortiAP-W2
- FortiPortal
- FortiWLM
- FortiMonitor
- FortiSIEM
- FortiRecon
- FortiPhish
- FortiOnPrem
Workarounds:
- Disabling SSH.
Mitigations:
- Restricting SSH access to trusted networks/IP addresses.
Timeline
2024-07-09: Initial publication
2024-07-10: Products information updated
2024-07-11: Products information updated
2024-07-16: Products information updated
2024-07-17: Products information updated
2024-07-18: Products information updated
2024-07-19: Products information updated
2024-07-23: Products information updated
2024-07-26: Products information updated
2024-07-30: Products information updated
2024-07-31: Products information updated
2024-08-06: Products information updated
2024-09-06: Products information updated
2024-09-11: Products information updated
2024-10-16: Products information updated
2024-11-15: Products information updated
2024-11-18: Updated FortiNAC not impacted versions
2024-11-20: Products information updated
2024-11-22: Products information updated