Security bulletins

The following describes all security bulletins related to Migrate to Virtual Machines 5.0 by Google.

GCP-2024-040

Published: 2024-07-10

Description

The Migrate Connector, the virtual appliance used to connect VMware sources to Migrate to Virtual Machines, is exposed to a security vulnerability in the OpenSSH daemon (sshd) (CVE-2024-6387).

What should I do?

Migrate Connector version 2.6.2497 has been released to mitigate this issue, and is being gradually rolled out. To apply it, go to the Migrate to Virtual Machines page on the Google Cloud console. Once an update for your source appliance is available, you will see a banner with the words "An update is available for your source". Approve the update to initiate the version update on the Migrate Connector. For more information, see Modify a Migrate Connector configuration.

To mitigate the risk immediately, use any of the following options:

  1. Sign in to the Migrate Connector and run the following command:
    sudo sed -i 's/#LoginGraceTime 2m/LoginGraceTime 0/g' /etc/ssh/sshd_config
    or

    Edit /etc/ssh/sshd_config manually, uncomment the entry for LoginGraceTime and set its value to 0.
  2. Restart SSHD by running the following command:
    sudo systemctl restart ssh
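
The sed command in step 1 only rewrites a line that reads exactly `#LoginGraceTime 2m`, so a file that was edited earlier is left unchanged without any error. The script below is an added example, not part of the bulletin: it applies the same sed expression to constructed sample files and reports the value each file ends up setting. The function names and sample contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bulletin). The sample configs are constructed.

# Print the LoginGraceTime that FILE sets, or "unset" if it has no active
# entry. sshd keeps the first value it reads for a keyword, so stop there.
effective_grace_time() {
    awk '
        $1 ~ /^#/ { next }                                   # comment line
        tolower($1) == "logingracetime" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# The bulletin's sed expression, run without sudo or -i so that it can be
# tried on a copy of the file.
apply_bulletin_sed() {
    sed 's/#LoginGraceTime 2m/LoginGraceTime 0/g' "$1" > "$1.new" &&
        mv "$1.new" "$1"
}

# Exit status 0 only when FILE explicitly sets LoginGraceTime to 0.
mitigation_applied() {
    [ "$(effective_grace_time "$1")" = "0" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample 1: stock file with the commented-out default.
    printf '%s\n' 'Port 22' '#LoginGraceTime 2m' > "$dir/stock"
    # Constructed sample 2: a customised file the sed pattern does not match.
    printf '%s\n' 'Port 22' 'LoginGraceTime 60' > "$dir/edited"
    for f in stock edited; do
        apply_bulletin_sed "$dir/$f"
        if mitigation_applied "$dir/$f"; then
            state="mitigated"
        else
            state="NOT mitigated"
        fi
        echo "$f: LoginGraceTime=$(effective_grace_time "$dir/$f") -> $state"
    done
    rm -rf "$dir"
}

demo
```

This script reads a single file only. On the Migrate Connector itself, `sudo sshd -T | grep -i logingracetime` prints the value sshd resolves from its full configuration.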

What vulnerabilities are being addressed?

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability is a race condition that can be exploited to obtain access to a remote shell, enabling attackers to gain root access. At the time of publication, exploitation is believed to be difficult and to take several hours per machine being attacked. We are not aware of any exploitation attempts.

Severity: Critical

Notes: CVE-2024-6387