Cisco: CVE-2024-6387 OpenSSH Server (regreSSHion)

adamscottmaster2013 · ‎07-10-2024

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssh-rce-2024?emailclick=CNSemail

Identity Services Engine (ISE)

CSCwk61938

3.3 patch (Jul 2024)
3.2 patch (Sep 2024)
3.1 patch (Jan 2025)

None of the patches listed above is available.

According to this article, ISE 3.2 patch-x is vulnerable; however, in the same article, it references a bug ID https://tools.cisco.com/bugsearch/bug/CSCwk61938 and stated that the issue is fixed.

Thoughts?

adamscottmaster2013 · ‎07-10-2024

Looks like Cisco is updating the bugID since I read it yesterday:

Workaround: Cisco is working on a hotpatch for 3.1 and 3.2. Permanent fix is planned for 3.1 patch 10 and 3.2 patch 7 Fix for 3.3 is available in patch 3 - ETA July 16th

Saravana17 · ‎07-11-2024

Hello,
In this bug ID, details needs to be clear like what about 3.1 Patch 5, 6, 7, 8,9 which is vulnerable or not?
Because, we got an alert from our internal SOC team that few of the servers running with 3.1 patch 8 is affected and few are not affected which is very confusing.

I tried to check the openssh version on the Cisco ISE nodes but there is no details how to verify this

Does anyone knows how to verify if the machine is affected or not by this vulnerability?

https://tools.cisco.com/bugsearch/bug/CSCwk61938

Thanks,
Saravana

DCampus · ‎07-17-2024

it is now July 18. and a fix/update has not been released yet

cnorborg · ‎07-22-2024

Unfortunately the "Fix" to ISE3.3, with Patch 3 that is now out, is NOT a fix. The OpenSSH version that fixes the issue is 9.8. Going from Patch2 to Patch3 brought me from OpenSSH v8.8 to OpenSSH v9.1, NOT the 9.8 required to fix it? They say this is a "workaround", but I see nothing in the CVE that mentions 9.1 being an acceptable workaround?

Saravana17 · ‎08-01-2024

Hi @cnorborg ,
Yes, you are right. the hotpatch upgraded Openssh version to 9.1 but not to the remediated version as 9.8 or later. Yesterday I tested with 3.1 hotpatch as well but it's same.
Not sure if any revised hotpatch will be released?

Thanks,
Saravana

SamCruz92287 · ‎08-07-2024

Hi anyone updated their ise to 3.4.0? It says in the release notes that the CSCwk61938 is resolved. See release notes: https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/release_notes/b_ise_34_RN.html

Saravana17 · ‎08-11-2024

Hi All,
It's good to know that now Cisco updated that clearly this vulnerability is fixed on the released hotpatches (Openssh V9.1).
Below is updated on the bug details,
NOTE: Cisco uses a customized library for SSH, the fix for this vulnerability is implemented in CiscoSSH 1.13.48 (based on OpenSSH 9.1)

Thanks,
Saravana

cnorborg · ‎08-12-2024

Below? Did you forget to post a link or something?

ISE-R-US · ‎08-22-2024

I have done this as well. ISE 3.3 patch 3 is NOT reporting as compliant and it is NOT fixing this vulnerability.

Saravana17 · ‎08-25-2024

Hi,
How did you verify that if this is not compliant?

As per cisco below update,

NOTE: Cisco uses a customized library for SSH, the fix for this vulnerability is implemented in CiscoSSH 1.13.48 (based on OpenSSH 9.1)

https://tools.cisco.com/bugsearch/bug/CSCwk61938

Thanks,
Saravana

Saravana17 · ‎08-12-2024

No, It's mentioned on the same Cisco bug ID link,

https://tools.cisco.com/bugsearch/bug/CSCwk61938

Thanks,
Saravana