Security Advisory Detail

OpenSSH regreSSHion (CVE-2024-6387)

Advisory ID
WGSA-2024-00012
CVE
CVE-2024-6387
Impact
Critical
Status
Resolved
Product Family
Firebox, Secure Wi-Fi
Published Date
Updated Date
Workaround Available
True
CVSS Score
9.0
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary

Updated August 1 2024: Updated to confirm Fireware OS 12.10.4 Update 1 resolves this issue

Updated July 2 2024: Updated to confirm WatchGuard Dimension is not affected by this vulnerability.

On July 1, Qualys published information about a race condition vulnerability in certain OpenSSH Server implementations when used on glibc-based linux systems. An unauthenticated attacker could exploit this vulnerability to execute arbitrary code with privileged permissions on affected systems.

WatchGuard Firebox appliances use a vulnerable version of OpenSSH for the Management Command Line Interface and our initial assessment is that they affected by this vulnerability.

WatchGuard Wireless Access Points do not use OpenSSH and are not affected by this vulnerability.

WatchGuard Dimension uses a version of OpenSSH that is not affected by this vulnerability.

Affected
Product Affected
WatchGuard Fireware OS Affected*
WatchGuard Wireless Access Points Not Affected
WatchGuard Dimension Not Affected

* Fireware OS 12.5.12 Update 1 uses a version of OpenSSH that is not vulnerable to CVE-2024-6387 and is not affected

Resolution
Product Resolution
WatchGuard Fireware OS Fireware OS 12.10.4 Update 1
Workaround

WatchGuard Firebox administrators should never expose management access, including the management CLI over SSH, to the internet or untrusted networks. See our published guidance on secure remote management options instead. Firebox administrators that do not use the management CLI over SSH can also add an explicit "Deny" firewall rule that blocks inbound TCP/4118 to the Firebox alias, placing it higher in the policy order than the default "WatchGuard" firewall management policy.

WatchGuard Wi-Fi Access Point administrators should limit access to the management CLI by enabling the management VLAN on a dedicated management network.

Advisory Product List
Product Family
Product Branch
Product List
Firebox
XTM 1500 and 2520
XTM1520-RP, XTM1525-RP, XTM2520
Firebox
Firebox T (2nd Gen)
T15, T15-W, T35, T35-W, T35-R, T55, T55-W, T70
Firebox
Firebox T (1st Gen)
T10, T10-W, T10-D, T30, T30-W, T50, T50-W
Firebox
Firebox T (3rd Gen)
T20, T20-W, T40, T40-W, T80
Firebox
Firebox M (2nd Gen)
M270, M370, M470, M570, M670
Firebox
Firebox M (3rd Gen)
M290, M390, M590, M690, M4800, M5800
Firebox
Firebox M (1st Gen)
M200, M300, M400, M440, M500
Firebox
FireboxV
Small, Medium, Large, XLarge
Firebox
FireboxCloud
Small, Medium, Large, XLarge
Firebox
XTMv
Small, Medium, Large, Datacenter
Firebox
Firebox T (4th Gen)
NV5, T25, T45, T85
Secure Wi-Fi
Wi-Fi 6
AP130, AP330, AP430CR, AP432
Secure Wi-Fi
Wi-Fi 4 & 5
AP322, AP420, AP125, AP225W, AP325, AP327X