How to find OpenSSH systems on your network

Latest OpenSSH vulnerability: regreSSHion

On July 1, 2024 the OpenSSH team released version 9.8p1 to address two vulnerabilities. The more critical of the two allows Remote Code Execution (RCE) by unauthenticated attackers under certain conditions. This vulnerability was discovered by Qualys and dubbed "regreSSHion".

CVE-2024-6387 is a critical-rated vulnerability in the portable (non-OpenBSD) versions of OpenSSH from 8.5p1 through 9.7p1. Successful exploitation lets attackers run arbitrary code with root privileges. Note that the "p" in those version strings indicates "portable". Exploitation is currently thought to take multiple hours and many connections, but exploit effectiveness is likely to improve now that the details are public.

A second vulnerability, related to the failure of the ObscureKeystrokeTiming security feature, has also been fixed. OpenSSH clients in versions 9.5 through 9.7 did not correctly implement this feature and so may have been susceptible to keystroke timing attacks when connected to an OpenSSH 9.5 or later server.

What is the impact?

There are a few things to understand when determining the impact and risk of CVE-2024-6387. OpenSSH on OpenBSD is not vulnerable. Also, the current exploits take multiple hours to work against 32-bit Linux/glibc systems with address space layout randomization (ASLR) enabled. Exploitation of 64-bit systems is thought to be possible but has not yet been demonstrated. Exploitation of non-glibc systems, such as Alpine Linux and the various BSD-based operating systems, is similarly unexplored.

It is important to keep in mind that this vulnerability will likely draw the attention of very skilled individuals and groups. The definition of "possible" and "likely" may change greatly over the coming days and weeks.

Are updates or workarounds available?

The OpenSSH team has released version 9.8p1 to address these vulnerabilities. Updates will likely be released for various operating systems very quickly if they haven't been already.

The following vendors have already issued advisories and packages:

How to find potentially vulnerable OpenSSH systems with runZero

It is important to note that most Linux distributions with scheduled releases and stability guarantees, such as Debian, Red Hat Enterprise Linux, and Ubuntu, will backport the fix to their existing OpenSSH version instead of updating to 9.8p1. This means that the distribution's package version number changes while the upstream OpenSSH version string does not.

Here is an example for Ubuntu 24.04:

Unpatched:

OpenSSH_9.6p1 Ubuntu-3ubuntu13

Patched:

OpenSSH_9.6p1 Ubuntu-3ubuntu13.3

As a result, auditing any environment will be more complex than usual.

To audit OpenSSH versions overall, go to the Software Inventory and use the following query:

name:"OpenBSD OpenSSH" (version:>8.4 AND version:<9.8)
Specific services can be found in the Service Inventory with the following query, which excludes some versions known to be patched:

protocol:ssh ( _service.product:="OpenBSD:OpenSSH:9%" OR _service.product:="OpenBSD:OpenSSH:8%" )  NOT  (os:OpenBSD OR banner:"OpenSSH_8.0" OR banner:"OpenSSH_8.1" OR banner:"OpenSSH_8.2" OR banner:"OpenSSH_8.3" OR banner:"OpenSSH_8.4" OR banner:"OpenSSH_9.8" OR banner:"OpenSSH_for_Windows" OR banner:"Ubuntu-3ubuntu13.3" OR banner:"Ubuntu-3ubuntu0.10" OR banner:"Ubuntu-1ubuntu3.6" OR banner:"Debian-2+deb12u3" OR banner:"FreeBSD-20240701")

We have a canned query named "Rapid Response: OpenSSH regreSSHion RCE - OpenSSH" that can be used to locate potentially impacted systems.
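The backport problem above means a bare version check produces false positives, and the Service Inventory query handles it by excluding known-patched package suffixes. The Python below is an added example, not runZero's code or its query language, that applies the same triage logic to raw SSH identification strings: it parses the upstream OpenSSH version, excludes OpenBSD through an OS hint (standing in for the `os:` field), and treats the package suffixes listed in the query above as patched. It also flags the 9.1/9.1p1 double-free covered in the February 2023 section later on this page. The sample banners, the `os_hint` parameter and all function names are constructed for this example; the suffix list is only as current as the query it was copied from.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range from the advisory text above: portable OpenSSH 8.5p1 through 9.7p1.
REGRESSHION_MIN = (8, 5)
REGRESSHION_MAX = (9, 7)

# Package suffixes the runZero query above already treats as patched (backported
# fixes that keep the upstream version string). Extend this as vendors ship updates.
KNOWN_PATCHED_SUFFIXES = {
    "Ubuntu-3ubuntu13.3",
    "Ubuntu-3ubuntu0.10",
    "Ubuntu-1ubuntu3.6",
    "Debian-2+deb12u3",
    "FreeBSD-20240701",
}

VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p\d+)?")

# Constructed sample inventory of (banner, OS hint); not captured from real hosts.
SAMPLE_INVENTORY = [
    ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13", "Ubuntu"),
    ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3", "Ubuntu"),
    ("SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2", "Debian"),
    ("SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3", "Debian"),
    ("SSH-2.0-OpenSSH_9.7 FreeBSD-20240701", "FreeBSD"),
    ("SSH-2.0-OpenSSH_9.7", "OpenBSD"),
    ("SSH-2.0-OpenSSH_9.8", None),
    ("SSH-2.0-OpenSSH_8.4p1 Debian-5", "Debian"),
    ("SSH-2.0-OpenSSH_for_Windows_8.6", "Windows"),
    ("SSH-2.0-dropbear_2022.83", None),
]


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an SSH identification string, or None when the
    banner is not a regular OpenSSH banner (OpenSSH for Windows is out of scope,
    matching the exclusion in the query above)."""
    if "OpenSSH_for_Windows" in banner:
        return None
    match = VERSION_RE.search(banner)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def package_suffix(banner: str) -> str:
    """The distribution token after the version, e.g. 'Ubuntu-3ubuntu13.3' ('' if none)."""
    _, _, rest = banner.partition(" ")
    return rest.strip()


def classify_regresshion(banner: str, os_hint: Optional[str] = None) -> str:
    """Triage one banner for CVE-2024-6387. os_hint stands in for an inventory's
    OS field; OpenSSH on OpenBSD itself is not affected."""
    version = parse_openssh_version(banner)
    if version is None:
        return "out-of-scope"
    if os_hint is not None and os_hint.lower() == "openbsd":
        return "not-affected"
    if not (REGRESSHION_MIN <= version <= REGRESSHION_MAX):
        return "not-affected"
    # Backports bump only the package suffix, so check it before trusting the version.
    if package_suffix(banner) in KNOWN_PATCHED_SUFFIXES:
        return "patched-backport"
    return "potentially-vulnerable"


def affected_by_double_free(banner: str) -> bool:
    """CVE-2023-25136 (February 2023 section below) affected only 9.1/9.1p1."""
    return parse_openssh_version(banner) == (9, 1)


def triage(inventory: List[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Group banners by regreSSHion verdict; the 'potentially-vulnerable'
    bucket is the worklist to verify by package version or vendor advisory."""
    buckets: Dict[str, List[str]] = {}
    for banner, os_hint in inventory:
        buckets.setdefault(classify_regresshion(banner, os_hint), []).append(banner)
    return buckets


if __name__ == "__main__":
    for verdict, banners in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{verdict}:")
        for item in banners:
            print(f"  {item}")
```

A banner whose package suffix is not in the patched set is reported as potentially vulnerable even when the vendor has since shipped a fix, which is the safe direction for a worklist; confirm those hosts against the installed package version rather than the banner alone.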

February 2023 (CVE-2023-25136)

The OpenSSH team disclosed a security issue that specifically affected OpenSSH server version 9.1p1 (a.k.a. version 9.1). This version contained a double-free memory vulnerability (tracked as CVE-2023-25136) that a remote attacker could reach before authentication. Researchers, including JFrog and Qualys, investigated it and provided proof-of-concepts for a denial-of-service scenario and for remote code execution.

What was the impact?

OpenSSH is a popular open source implementation of the SSH protocol and is available on many operating systems. The installation base for OpenSSH is quite large (Shodan reported ~48k public-facing instances of OpenSSH servers running version 9.1).

The denial-of-service vector could succeed against a number of operating systems running OpenSSH 9.1. However, it yielded limited results because it only crashed the forked daemon instance that had been spun up to handle the attacker's SSH connection, leaving the parent ssh daemon running to handle other incoming connections.

Exploitation of this vulnerability for remote code execution (RCE) was more complex: the proof-of-concept at the time only targeted OpenBSD 7.2 without memory protections in place (such as ASLR, NX, or ROP defenses), and code execution remained contained within the ssh daemon's sandbox. As researchers continued to investigate RCE exploitation, other operating systems whose malloc and double-free protections an attacker could bypass might have been found, and with them the ability to run attacker-controlled code outside of the ssh daemon sandbox even with memory protections in place.

OpenSSH version 9.2p1 (a.k.a. version 9.2) was released to patch this vulnerability (CVE-2023-25136). Admins of systems running OpenSSH 9.1 were encouraged to update to OpenSSH 9.2 or later.

How runZero users found vulnerable 9.1/9.1p1 OpenSSH services with runZero

runZero users located OpenSSH servers running the vulnerable 9.1/9.1p1 version on their networks using the following prebuilt query:

_asset.protocol:ssh AND protocol:ssh AND (_service.product:="OpenBSD:OpenSSH:9.1" OR _service.product:="OpenBSD:OpenSSH:9.1p1")

To locate all OpenSSH servers in your network, the following prebuilt query can be used:

product:"OpenSSH"
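Both inventory queries above depend on the SSH identification string recorded for each service. The script below is an added example, not runZero's code, that shows where that string comes from: it connects to a port, sends its own identification line, reads the server's RFC 4253 identification line (skipping any informational lines a server may send first), and reports only OpenSSH responders. The loopback listener `serve_banner_once` is a constructed stand-in for a real sshd so the example runs offline, and the client identification `SSH-2.0-inventory_probe` is a made-up name.

```python
import socket
import threading
from typing import List, Optional, Tuple


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> Optional[str]:
    """Return the server's SSH identification line (RFC 4253 section 4.2) without
    its CRLF, or None if the host does not answer with one within the timeout.
    Servers may send informational lines before the identification; those are
    skipped. We never read past the identification line, so no key exchange starts."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"SSH-2.0-inventory_probe\r\n")  # hypothetical client id
            buf = b""
            while len(buf) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    line = line.rstrip(b"\r")
                    if line.startswith(b"SSH-"):
                        return line.decode("utf-8", errors="replace")
    except OSError:  # refused, reset, or timed out
        return None
    return None


def is_openssh(banner: Optional[str]) -> bool:
    """True for any OpenSSH identification line, whatever the version."""
    return banner is not None and banner.startswith("SSH-") and "OpenSSH_" in banner


def sweep(targets: List[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Return (host, port, banner) for every target that answers with an OpenSSH banner."""
    found = []
    for host, port in targets:
        banner = grab_ssh_banner(host, port, timeout=3.0)
        if is_openssh(banner):
            found.append((host, port, banner))
    return found


def serve_banner_once(banner: str, preamble: Optional[str] = None) -> int:
    """Constructed test double: a loopback listener that greets one client the way
    an SSH server would (optional informational line, then the identification
    line) and then closes. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler() -> None:
        conn, _ = srv.accept()
        with conn:
            if preamble:
                conn.sendall(preamble.encode() + b"\r\n")
            conn.sendall(banner.encode() + b"\r\n")
            try:
                conn.recv(256)  # drain the client's identification line
            except OSError:
                pass
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


if __name__ == "__main__":
    # Self-demo against constructed loopback listeners only.
    p1 = serve_banner_once("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13", preamble="Authorized use only")
    p2 = serve_banner_once("SSH-2.0-dropbear_2022.83")
    for host, port, banner in sweep([("127.0.0.1", p1), ("127.0.0.1", p2)]):
        print(f"{host}:{port}  {banner}")
```

The banner is self-reported by the server, so treat it as inventory input to be confirmed against package data, as the backport discussion above shows; an asset inventory that records the OS alongside the banner avoids most of the ambiguity.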

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.

Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet-scale scanning and honeypot projects. He is credited on many patents for network deception technology. A strong believer in Open Source, he has contributed to projects such as Nmap, Metasploit, and Recog.

Written by Pearce Barry
