Does Palo Alto Networks firewall provide information and coverage on the regreSSHion OpenSSH’s server (sshd) vulnerability (CVE-2024-6387)?
Created On 07/09/24 13:39 PM - Last Modified 11/19/24 18:38 PM
Question
Does Palo Alto Networks firewall provide information and coverage on the regreSSHion OpenSSH’s server (sshd) vulnerability (CVE-2024-6387)?
Environment
- Palo Alto Networks NGFW
- CVE-2024-6387
Answer
- Palo Alto Networks has updated the signature for Unique Threat ID: 40015 (SSH User Authentication Brute Force Attempt) to provide coverage for CVE-2024-6387.
Additional Information
- CVE-2024-6387
- https://www.qualys.com/regresshion-cve-2024-6387/
- Unauthenticated remote code execution in OpenSSH’s server (sshd) that grants full root access.
- Affected versions:
  - OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
  - Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
  - The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
- Potential POC: https://github.com/zgzhang/cve-2024-6387-poc
- Palo Alto Networks Security Advisory on the impact to PAN-OS (no PAN-OS versions are impacted by CVE-2024-6387): https://security.paloaltonetworks.com/CVE-2024-6387
- Unit 42 Threat Briefing link: https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/
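
The version ranges under "Affected versions" can be applied to an inventory of SSH banners to decide which hosts need review. The following is an added example, not Palo Alto Networks code; the function names, status labels and sample inventory are assumptions made for illustration.

```python
import re

# Boundaries taken from the "Affected versions" list above (major, minor).
SAFE_FROM = (4, 4)       # 4.4p1: patch for CVE-2006-5051 is present
REGRESSED_FROM = (8, 5)  # 8.5p1: the race condition resurfaces
FIXED_FROM = (9, 8)      # 9.8p1: first release outside the affected range

_VERSION_RE = re.compile(r"OpenSSH[_ ](\d+)\.(\d+)")

# Constructed sample inventory: "<host> <SSH banner>" per line.
SAMPLE_INVENTORY = """\
web01 SSH-2.0-OpenSSH_8.9p1
db01 SSH-2.0-OpenSSH_7.4
legacy01 SSH-2.0-OpenSSH_4.3p2
bastion01 SSH-2.0-OpenSSH_9.8p1
sw01 SSH-2.0-dropbear_2022.83
"""

def classify(text):
    """Classify a banner or `ssh -V` string against the ranges above."""
    m = _VERSION_RE.search(text)
    if not m:
        return "unknown"  # not OpenSSH, or the version is hidden
    version = (int(m.group(1)), int(m.group(2)))
    if version < SAFE_FROM:
        # Vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109.
        return "vulnerable-unless-patched"
    if version < REGRESSED_FROM:
        return "not-vulnerable"
    if version < FIXED_FROM:
        # Distribution packages may backport the fix without changing the
        # version string, so confirm against the vendor advisory.
        return "vulnerable"
    return "outside-affected-range"

def triage(inventory):
    """Map each host in a '<host> <banner>' listing to its status."""
    result = {}
    for line in inventory.splitlines():
        host, _, banner = line.strip().partition(" ")
        if host:
            result[host] = classify(banner)
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```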