Finding OpenSSH servers

(updated ), by Pearce Barry

The OpenSSH team surfaced a security issue earlier this month that specifically affects OpenSSH server version 9.1p1 (a.k.a. version 9.1). This version contains a memory double-free vulnerability (tracked as CVE-2023-25136) that can be reached pre-authentication by a remote attacker. Researchers, including JFrog and Qualys, have been investigating and providing proof-of-concepts of a denial-of-service scenario and remote code execution for the attacker.

What is the impact? #

OpenSSH is a popular open source implementation of the SSH protocol and is available on many operating systems. While the installation base for OpenSSH is quite large (Shodan currently reports ~48k public-facing instances of OpenSSH servers running version 9.1), the potential impacts of this vulnerability are not yet fully understood and are still being investigated.

The denial-of-service attack vector may be successful against a number of operating systems running OpenSSH 9.1. However, it yields limited results because it only crashes the forked daemon instance that was spun up to handle the attacker’s SSH connection (leaving the parent ssh daemon still running to handle other incoming connections).

Exploitation of this vulnerability for remote code execution (RCE) is more complex, with a current proof-of-concept that only targets OpenBSD 7.2 without memory protections in place (such as ASLR, NX, or ROP defenses) and with code execution still contained within the ssh daemon’s sandbox. As researchers continue investigating RCE exploitation, other operating systems with attacker-bypassable memory malloc and double-free protections may be discovered. So, the ability to fully execute attacker-controlled code outside of the ssh daemon sandbox -even with memory protections in place– may be achieved.

Are updates available? #

OpenSSH version 9.2p1 (a.k.a version 9.2) was released earlier this month and patches this vulnerability (CVE-2023-25136). For systems currently running OpenSSH 9.1, admins are encouraged to update to OpenSSH 9.2 or later.

How do I find vulnerable OpenSSH services with runZero? #

To locate OpenSSH servers running the vulnerable 9.1/9.1p1 version in your network, use the following prebuilt query in your Service Inventory:

_asset.protocol:ssh AND protocol:ssh AND (_service.product:="OpenBSD:OpenSSH:9.1" OR _service.product:="OpenBSD:OpenSSH:9.1p1")
OpenSSH query

To local all OpenSSH servers in your network, use the folloing prebuilt query in your Asset Inventory:

OpenSSH query

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.

Get runZero for free

Don’t have runZero and need help finding potentially vulnerable OpenSSH servers?

Get started
Learn more about runZero
Pearce Barry
Written by Pearce Barry

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, working on the Metasploit Project the four years prior. Now, Pearce leads research efforts at runZero, which includes creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.

Similar Content

September 26, 2023

How to find TeamCity instances

How to find TeamCity assets? # On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is being tracked using CVE-2023-42793 and presents the weakness of CWE-288 …

Read More

September 12, 2023

How to find OpenSSL 1.1 instances

How to find OpenSSL 1.1 instances # On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. That means that it will no longer be receiving publicly-available security fixes. Users without a third-party extended support contract will no longer receive …

Read More

July 31, 2023

How to find Ivanti EPMM (MobileIron Core)

How to find Ivanti Endpoint Manager Mobile (EPMM) with runZero # On July 24th, Ivanti announced that their Endpoint Manager Mobile (EPMM, formerly MobileIron Core) product versions 11.10 and prior contain a critical authentication bypass vulnerability. Successfully …

Read More