
CVE-2024-6387

Published: 1 July 2024 

Last updated: 08:20 UTC, 17 July 2024

  • Date Time Description
  • 1 July 2024 12:00 UTC Pexip is aware of the OpenSSH RCE vulnerability, CVE-2024-6387, and is actively investigating whether its products and services are affected.
  • 3 July 2024 During ongoing evaluation of the risk to our products related to the OpenSSH vulnerability CVE-2024-6387, we determined that, in accordance with the published information about this vulnerability, several products were vulnerable. We notified customers and partners regarding Pexip Infinity, Pexip Secure Meetings for Justice, Reverse Proxy and TURN Server and VMR Self-Service Portal with information on mitigations and fixes.

    We chose to delay publishing this in the Trust Center to provide remediation time for our customers. This message was published to Trust Center on 17 July 2024.

    The information contained in the customer notification is visible below.
  • 4 July 2024 12:34 UTC Pexip has completed our evaluation of the risk to our services related to the OpenSSH vulnerability, CVE-2024-6387. We have determined that, in accordance with the published information about this vulnerability, no Pexip service is exploitable due to this CVE.
  • 8 July 2024 Infinity v34.2 was released, which included a fix for this vulnerability, and a release notification was sent to customers and partners.

    During ongoing evaluation of the risk to our products related to the OpenSSH vulnerability CVE-2024-6387, we determined that, in accordance with the published information about this vulnerability, a component of Enhanced Room Management (ERM) was vulnerable. A hotfix was developed and released.

    We chose to delay publishing this in the Trust Center to provide remediation time for our customers. This message was published to Trust Center on 17 July 2024.
  • 9 July 2024 Pexip notified ERM customers and partners with information on mitigations and the availability of the hotfix.

    We chose to delay publishing this in the Trust Center to provide remediation time for our customers. This message was published to Trust Center on 17 July 2024.

    The information contained in the customer notification is visible below.
  • 17 July 2024 08:20 UTC Pexip releases information regarding Pexip Infinity, Pexip Secure Meetings for Justice, Reverse Proxy and TURN Server, VMR Self-Service Portal and Enhanced Room Management products on this Trust Center page.
  • 22 July 2024 12:09 UTC Pexip considers the event completed.

Infinity customer notification

Sent: 3 July 2024

Fixes

Pexip Infinity

We have identified a fix and intend to release a version patch as soon as we have completed our accelerated testing for this issue. Infinity 34.2 and subsequent releases will contain this fix.

Pexip Secure Meetings for Justice

If not already doing so regularly, customers should follow our maintenance documentation to ensure the latest security patches are installed. Please see:

https://docs.pexip.com/admin/justice_maintenance.htm#patching

Reverse Proxy and TURN Server

If not already doing so regularly, customers should follow our maintenance documentation to ensure the latest security patches are installed. Please see:

https://docs.pexip.com/rp_turn/rp_advanced_config.htm#patching

VMR Self-Service Portal

If not already doing so regularly, customers should follow our maintenance documentation to ensure the latest security patches are installed. Please see:

https://docs.pexip.com/vmrportal/maintain.htm#patching

Mitigations

Pexip Infinity

In general, we recommend that SSH is disabled in Pexip Infinity except when it is required. Until a customer's Pexip Infinity deployment is upgraded to 34.2 or later, we recommend keeping SSH disabled entirely.

SSH can be disabled via the Global Settings menu in your Infinity Management Node. Note that this disables SSH to each of your Infinity Nodes by default, but it can be overridden individually per node:

https://docs.pexip.com/admin/global_settings.htm#connectivity

For customers where disabling SSH is not practical, we recommend ensuring that access to SSH on Pexip Infinity nodes is strictly restricted to authorized hosts or networks via customer firewalls.

Pexip Secure Meetings for Justice, Reverse Proxy, and VMR Self-Service Portal

We recommend ensuring that access to SSH on all Pexip products is strictly restricted to authorized hosts or networks via customer firewalls.
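One way to verify the Pexip Infinity mitigation above, as an added example that is not Pexip's code: for each node still below 34.2, check whether its SSH port answers from the host running the script. The inventory tuples, function names and status labels are assumptions; run it from a network that should not have SSH access, since the result only reflects that vantage point.

```python
import socket

FIXED_INFINITY = (34, 2)  # per the advisory: Infinity 34.2 and later contain the fix


def parse_version(text):
    """'34.10' -> (34, 10), so 34.10 sorts after 34.2 (string comparison would not)."""
    return tuple(int(part) for part in text.strip().split("."))


def probe_ssh(host, port=22, timeout=3.0):
    """TCP-connect to the SSH port and return (state, banner).

    state: 'open', 'closed' (refused) or 'no-response' (timeout or unreachable,
    which is what a dropping firewall looks like from the outside).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                banner = conn.recv(255).decode("ascii", "replace").strip()
            except OSError:  # connected, but no banner within the timeout
                banner = ""
            return "open", banner
    except ConnectionRefusedError:
        return "closed", ""
    except OSError:
        return "no-response", ""


def audit(nodes, probe=probe_ssh):
    """nodes: (name, host, port, infinity_version) tuples from your own inventory."""
    report = {}
    for name, host, port, version in nodes:
        if parse_version(version) >= FIXED_INFINITY:
            report[name] = "patched"    # fix present; SSH state not checked
        elif probe(host, port)[0] == "open":
            report[name] = "exposed"    # unpatched and SSH reachable from this host
        else:
            report[name] = "mitigated"  # unpatched, SSH disabled or filtered
    return report


if __name__ == "__main__":
    # Constructed inventory and probe results so the demo runs offline;
    # drop the probe= argument to test your own nodes.
    inventory = [("mgmt", "192.0.2.10", 22, "34.1"), ("conf1", "192.0.2.11", 22, "34.2")]
    seen = {"192.0.2.10": ("open", "SSH-2.0-constructed")}
    print(audit(inventory, probe=lambda h, p: seen.get(h, ("closed", ""))))
```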

ERM customer notification

Sent: 9 July 2024

Fixes

For version 2.0.1:

  • Access the ERM Installer web interface via port 8999. Select “Install available bugfix/security updates for services” and click “Deploy changes”. You do not need to install a new version of the Installer.

Mitigations

For version 2.0.0 and older:

  • We recommend upgrading to version 2.0.1 where possible.
  • In the ERM Installer web interface, navigate to Configure -> Other settings, select “Disable Proxy service” and click “Deploy changes”.

For more information, visit our documentation site:

https://docs.pexip.com/erm/installation/vm-deployment/erm-changelog.htm#product