Latest OpenSSH vulnerability: OpenSSH on FreeBSD #
On August 7th, 2024 the FreeBSD security team issued an advisory detailing a vulnerability in OpenSSH when running on the FreeBSD operating system. This vulnerability, designated CVE-2024-7589, has a CVSS score of 7.4 and is rated high.
This vulnerability is similar to the earlier regreSSHion vulnerability disclosed in July of 2024, where a remote attacker is able to trigger an asynchronous signal handler in an unsafe manner. In this case, it is due to the integration of the blacklistd service with OpenSSH on FreeBSD.
What is the impact? #
Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code with root privileges on a vulnerable FreeBSD system.
Are updates or workarounds available? #
The FreeBSD Project has released an update to address this issue and urges all users to update as quickly as possible. Additionally, setting the LoginGraceTime parameter in sshd_config to 0 will mitigate this issue, though it potentially exposes the SSH service to a denial-of-service attack.
How to find potentially vulnerable OpenSSH on FreeBSD systems with runZero #
OpenSSH on FreeBSD is shipped as an integral part of the operating system. The following query can be used in the Services Inventory to locate potentially vulnerable systems:
protocol:ssh AND product:OpenSSH AND os:FreeBSD
July 8th 2024: OpenSSH on Red Hat Enterprise Linux (CVE-2024-6409) #
On July 8th, 2024, a vulnerability in OpenSSH running on Red Hat Enterprise Linux and Fedora systems was disclosed. This vulnerability is similar to the earlier regreSSHion vulnerability disclosed on July 1st, 2024, where a remote attacker is able to trigger an asynchronous signal handler in an unsafe manner. In this case, the vulnerability is due to the vendor-specific patches from Red Hat and the Fedora Project. Other Linux distributions derived from these distributions are likely also vulnerable.
This vulnerability has been designated CVE-2024-6409 and has a CVSS score of 7.0.
What is the impact? #
Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on a vulnerable Linux system.
Are updates or workarounds available? #
Red Hat has released an update to address this issue and urges all users to update as quickly as possible.
How to find potentially vulnerable OpenSSH installations with runZero #
The following query can be used in the Services Inventory to locate potentially vulnerable systems:
protocol:ssh (_service.product:="OpenBSD:OpenSSH:9%" OR _service.product:="OpenBSD:OpenSSH:8%") os:Linux
July 1st 2024: regreSSHion (CVE-2024-6387) #
On July 1, 2024 the OpenSSH team released version 9.8p1 to address 2 vulnerabilities. The most critical of the two allows Remote Code Execution (RCE) by unauthenticated attackers under certain situations. This vulnerability was discovered by Qualys and dubbed "regreSSHion".
CVE-2024-6387 is a critical-rated vulnerability in the portable (non-OpenBSD) versions of OpenSSH from 8.5p1 to 9.7p1. Successful exploitation enables attackers to run arbitrary code with root privileges. Note that the "p" in those version strings indicates "portable". Exploitation is currently thought to take multiple hours and use many connections, but exploit effectiveness is likely to improve now that the information is public.
A second vulnerability related to the failure of the ObscureKeystrokeTiming security feature has also been fixed. It was discovered that OpenSSH clients using versions 9.5 through 9.7 did not correctly implement this feature and so may have been susceptible to keystroke timing attacks when connected to an OpenSSH 9.5 or higher server.
What is the impact? #
There are a few things to understand when determining the impact and risk of CVE-2024-6387. OpenSSH on OpenBSD is not vulnerable. Also, these exploits currently take multiple hours to work against 32-bit Linux/glibc systems with address space layout randomization (ASLR). Exploitation of 64-bit systems is thought to be possible but hasn't yet been demonstrated. Exploitation of non-glibc systems, such as Alpine Linux and various BSD-based operating systems, is similarly unexplored.
It is important to keep in mind that this vulnerability will likely draw the attention of very skilled individuals and groups. The definition of "possible" and "likely" may change greatly over the coming days and weeks.
Are updates or workarounds available? #
The OpenSSH team has released version 9.8p1 to address these vulnerabilities. Updates will likely be released for various operating systems very quickly if they haven't been already.
The following vendors have already issued advisories and packages:
- Debian: DSA 5724-1 - OpenSSH security update / Security Tracker
- FreeBSD: FreeBSD-SA-24:04.openssh
- Oracle: ELSA-2024-12468
- Red Hat: CVE-2024-6387
- Ubuntu: USN-6859-1 - OpenSSH vulnerability
How to find potentially vulnerable OpenSSH systems with runZero #
It is important to note that most Linux distributions with scheduled releases and stability guarantees, such as Debian, Red Hat Enterprise Linux, and Ubuntu, will backport the fix to existing versions of OpenSSH instead of updating to 9.8p1. This means that their specific package version numbers may update but the version of OpenSSH may not.
Here is an example for Ubuntu 24.04:
Unpatched:
OpenSSH_9.6p1 Ubuntu-3ubuntu13
Patched:
OpenSSH_9.6p1 Ubuntu-3ubuntu13.3
As a result, auditing any environment will be more complex than normal.
For auditing overall OpenSSH versions go to the Software Inventory and use the following query:
name:"OpenBSD OpenSSH" (version:>8.4 AND version:<9.8)
Specific services can be found using the Service Inventory and the following query which will remove some of the versions known to be patched:
protocol:ssh ( _service.product:="OpenBSD:OpenSSH:9%" OR _service.product:="OpenBSD:OpenSSH:8%" ) NOT (os:OpenBSD OR banner:"OpenSSH_8.0" OR banner:"OpenSSH_8.1" OR banner:"OpenSSH_8.2" OR banner:"OpenSSH_8.3" OR banner:"OpenSSH_8.4" OR banner:"OpenSSH_9.8" OR banner:"OpenSSH_for_Windows" OR banner:"Ubuntu-3ubuntu13.3" OR banner:"Ubuntu-3ubuntu0.10" OR banner:"Ubuntu-1ubuntu3.6" OR banner:"Debian-2+deb12u3" OR banner:"FreeBSD-20240701")
We have a canned query named "Rapid Response: OpenSSH regreSSHion RCE - OpenSSH" that can be used to locate potentially impacted systems.
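The banner triage described above can also be run offline against collected SSH identification strings. The following is an added example, not runZero's code: the version range and patched-build markers are copied from this page, while the function name, verdict labels and sample banners are assumptions made for illustration.

```python
import re

# Range and markers come from this page's text and Service Inventory query;
# all names below are hypothetical.
VULN_MIN = (8, 5)   # first affected portable release: 8.5p1
VULN_MAX = (9, 7)   # last affected portable release: 9.7p1
PATCHED_MARKERS = {
    "Ubuntu-3ubuntu13.3", "Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6",
    "Debian-2+deb12u3", "FreeBSD-20240701",
}
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(p\d+)?(?:\s+(\S.*))?")


def classify(banner, os_name=""):
    """Return (verdict, reason) for one SSH identification string."""
    if "OpenSSH_for_Windows" in banner:
        return "excluded", "OpenSSH_for_Windows build"
    if os_name.lower() == "openbsd":
        return "excluded", "OpenSSH on OpenBSD is not vulnerable"
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown", "no OpenSSH version in banner"
    version = (int(m.group(1)), int(m.group(2)))
    if not (VULN_MIN <= version <= VULN_MAX):
        return "not-affected", "version outside 8.5p1 to 9.7p1"
    # Compare the whole distribution token, so the unpatched
    # "Ubuntu-3ubuntu13" never matches the patched "Ubuntu-3ubuntu13.3".
    token = (m.group(4) or "").split()[:1]
    if token and token[0] in PATCHED_MARKERS:
        return "patched", "backported fix: " + token[0]
    return "potentially-vulnerable", "in range, no known patched marker"


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13", "Linux"),
    ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3", "Linux"),
    ("SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3\r\n", "Linux"),
    ("SSH-2.0-OpenSSH_9.7", "OpenBSD"),
    ("SSH-2.0-OpenSSH_9.8", "Linux"),
]

if __name__ == "__main__":
    for banner, os_name in SAMPLE_BANNERS:
        print(banner.strip(), "->", *classify(banner, os_name))
```

A package revision that is not in the marker list is still reported as potentially vulnerable, so confirm those hosts against the vendor advisory for the installed package.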
February 2023 (CVE-2023-25136) #
The OpenSSH team surfaced a security issue that specifically affected OpenSSH server version 9.1p1 (a.k.a. version 9.1). This version contained a memory double-free vulnerability (tracked as CVE-2023-25136) that could be reached pre-authentication by a remote attacker. Researchers, including JFrog and Qualys, had been investigating and providing proof-of-concepts of a denial-of-service scenario and remote code execution for the attacker.
What was the impact? #
OpenSSH is a popular open source implementation of the SSH protocol and is available on many operating systems. The installation base for OpenSSH is quite large (Shodan reported ~48k public-facing instances of OpenSSH servers running version 9.1).
The denial-of-service attack vector could be successful against a number of operating systems running OpenSSH 9.1. However, it yielded limited results because it only crashed the forked daemon instance that had been spun up to handle the attacker’s SSH connection (leaving the parent ssh daemon still running to handle other incoming connections).
Exploitation of this vulnerability for remote code execution (RCE) was more complex, with a current proof-of-concept that only targeted OpenBSD 7.2 without memory protections in place (such as ASLR, NX, or ROP defenses) and with code execution still contained within the ssh daemon’s sandbox. As researchers continued to investigate RCE exploitation, other operating systems with attacker-bypassable memory malloc and double-free protections might have been discovered. Thus, the ability to fully execute attacker-controlled code outside of the ssh daemon sandbox, even with memory protections in place, might have been achieved.
OpenSSH version 9.2p1 (a.k.a. version 9.2) was released and patched this vulnerability (CVE-2023-25136). For systems currently running OpenSSH 9.1, admins were encouraged to update to OpenSSH 9.2 or later.
How runZero users found vulnerable 9.1/9.1p1 OpenSSH services with runZero #
runZero users located OpenSSH servers running the vulnerable 9.1/9.1p1 version on their networks using the following prebuilt query:
_asset.protocol:ssh AND protocol:ssh AND (_service.product:="OpenBSD:OpenSSH:9.1" OR _service.product:="OpenBSD:OpenSSH:9.1p1")
To locate all OpenSSH servers in your network, the following prebuilt query can be used:
product:"OpenSSH"
As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.