What is PKIX-SSH? #

PKIX-SSH is a fork of OpenSSH which has been modified to support X.509 v3 certificate authentication. runZero often sees this on network management devices and baseband management controllers.

Latest PKIX-SSH vulnerability: regreSSHion #

On July 1, 2024 the OpenSSH team released version 9.8p1 to address 2 vulnerabilities. The most critical of the two allows Remote Code Execution (RCE) by unauthenticated attackers under certain situations. This vulnerability was discovered by Qualys and dubbed "regreSSHion".

For more details and guidance for locating OpenSSH please see our prior OpenSSH Rapid Response post.

On July 6, 2024 PKIX-SSH version 15.1 was released to address the regreSSHion vulnerability which impacted versions 13.3.2 to 15.0.

Are updates or workarounds available? #

Version 15.1 was released to address the vulnerability.

How to find potentially vulnerable PKIX-SSH systems with runZero #

For locating assets with the impacted PKIX versions go the Software Inventory and use the following query:

name:"Roumen Petrov PKIX-SSH" (version:>13.3.1 AND version:<15.1)

Specific services can be found using the Service Inventory and the following query which will remove some of the versions known to be patched or otherwise not impacted:

protocol:ssh ( _service.product:="Roumen Petrov:PKIX-SSH:13.%" OR _service.product:="Roumen Petrov:PKIX-SSH:14.%" OR _service.product:="Roumen Petrov:PKIX-SSH:15.0" )  NOT  (os:OpenBSD OR banner:"PKIX[13.2" )

We have a canned query named "Rapid Response: OpenSSH regreSSHion RCE - PKIX-SSH" that can be used to locate potentially impacted systems.

Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception techonology. A strong believer in Open Source he has contributed to projects such as Nmap, Metasploit, and Recog.

More about Tom Sellers
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

Rapid Response
How to find SuperMicro BMCs
Supermicro released a vulnerability advisory for a critical CVE that allows for remote code execution (CVE-2024-36435). Here's how to find impacted...
Rapid Response
How to find OpenPrinting CUPS services on your network
Several vulnerabilities within OpenPrinting CUPS potentially allow for remote code execution. Here's how to find impacted assets.
Rapid Response
How to find Advantech ADAM devices on your network
Advantech has disclosed multiple vulnerabilities in their ADAM 5000 series Ethernet I/O modules. Here's how to find them on your network.
Rapid Response
How to find XenServer and Citrix Hypervisor on your network
A new vulnerability was disclosed in XenServer 8 and Citrix Hypervisor 8.2 CU1 LTSR. Here's how to find affected systems with runZero.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved