"regreSSHion" OpenSSH vulnerability in PRC7000

BOSCH-SA-2584444

Advisory Information

  • Advisory ID: BOSCH-SA-258444
  • CVE Numbers and CVSS v3.1 Scores:
  • Published: 19 Jul 2024
  • Last Updated: 19 Jul 2024

Summary

The Qualys Threat Research Unit (TRU) has discovered a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems. The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration. (excerpt from https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server)

Affected Products

  • Bosch Rexroth AG PRC7000
    • CVE-2024-6387
      • Version(s): 1.11.12.0 through 1.11.12.4 (inclusive)
      • Version(s): 1.11.13.0 through 1.11.13.1 (inclusive)

Solution and Mitigations

Solution

Update the PRC7000 firmware to version 1.11.12.5 (or newer) or 1.11.13.2 (or newer). Please contact your key account manager for the availability of your firmware variant.

Mitigation

The issue can be mitigated via strict firewall rules to prevent arbitrary third parties from connecting to the PRC7000 SSH/SFTP port 22. Please note that the SFTP connection is mandatory for the PRI7000 software to be able to work with the PRC7000 control.

Vulnerability Details

CVE-2024-6387

A security regression of the fix for CVE-2006-5051 was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period, i.e. by letting the connection run into the LoginGraceTime timeout.
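Two practical checks follow from the advisory: whether a PRC7000 runs one of the affected firmware ranges listed above, and whether sshd logs show the tell-tale burst of pre-authentication timeouts that repeated triggering of this race produces. The script below is an added example, not Bosch or Qualys code; it assumes the sshd messages are available in standard syslog format (the hostname `prc7000`, the sample log lines, the thresholds and the log-forwarding setup are constructed assumptions).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Triggering the race requires many connections that deliberately fail to
# authenticate within LoginGraceTime, so sshd emits a burst of this message
# (real sshd wording, from its grace-time alarm handler) for one source address.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>[\d.:a-fA-F]+) port \d+"
)

# Affected PRC7000 firmware ranges from the advisory (inclusive bounds).
AFFECTED = [((1, 11, 12, 0), (1, 11, 12, 4)), ((1, 11, 13, 0), (1, 11, 13, 1))]

def firmware_affected(version: str) -> bool:
    """True if a dotted PRC7000 firmware version lies in an affected range."""
    v = tuple(int(p) for p in version.split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def parse_timeouts(lines, year=2024):
    """Yield (timestamp, source_ip) for every pre-auth timeout log line."""
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def suspicious_sources(lines, threshold=10, window_s=600):
    """Map source IP -> peak number of pre-auth timeouts inside any
    window_s-second window, for sources that reach the threshold."""
    recent, flagged = defaultdict(deque), {}
    for ts, ip in parse_timeouts(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # expire old events
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample log: a burst of pre-auth timeouts from 10.0.0.50 plus
# normal activity from the (assumed) engineering workstation 10.0.0.10.
SAMPLE_LOG = [
    f"Jul 19 10:00:{s:02d} prc7000 sshd[{1200 + s}]: Timeout before "
    f"authentication for 10.0.0.50 port {40000 + s}" for s in range(0, 30, 2)
] + [
    "Jul 19 10:00:05 prc7000 sshd[1310]: Accepted publickey for engineer from 10.0.0.10 port 50123 ssh2",
    "Jul 19 10:30:00 prc7000 sshd[1400]: Timeout before authentication for 10.0.0.10 port 50200",
]
```

A single pre-auth timeout is normal (an engineer who walked away from a login prompt); only a sustained burst from one address is worth an alert, so tune `threshold` and `window_s` to the site's baseline.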

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates, regardless of your settings. In these cases, we will provide you with the relevant information, e.g., in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at psirt@bosch.com.

Revision History

  • 19 Jul 2024: Initial Publication