Security bulletins

The following describes all security bulletins related to Migrate to Virtual Machines 5.0 by Google.

To get the latest security bulletins delivered to you, do one of the following:

  • Add the URL of this page to your feed reader.
  • Add the feed URL directly to your feed reader: https://cloud.google.com/migrate-to-virtual-machines-security-bulletins.xml

GCP-2024-040

Published: 2024-07-10
Description Severity Notes

The Migrate Connector, the virtual appliance used to connect VMware sources to Migrate to Virtual Machines, is exposed to a security vulnerability on OpenSSH Daemon(SSHD) (CVE-2024-6387).

What should I do?

Migrate Connector version 2.6.2497 has been released to mitigate this issue, and is being gradually rolled out. To apply it, go to the Migrate to Virtual Machines page on the Google Cloud console. Once an update for your source appliance is available, you will see a banner with the words An update is available for your source. Approve the update to initiate the version update on the Migrate Connector. For more information, see Modify a Migrate Connector configuration.

To mitigate the risk immediately, use any of the following options:

  1. Sign in to the Migrate Connector and run the following command:
    sudo sed -i 's/#LoginGraceTime 2m/LoginGraceTime 0/g' /etc/ssh/sshd_config
    or

    Edit /etc/ssh/sshd_config manually, uncomment the entry for LoginGraceTime and set its value to 0.
  2. Restart SSHD by running the following command:
    sudo systemctl restart ssh

What vulnerabilities are being addressed?

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that can be used to obtain access to a remote shell, enabling attackers to gain root access. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.

Critical CVE-2024-6387