What is PKIX-SSH? #
PKIX-SSH is a fork of OpenSSH which has been modified to support X.509 v3 certificate authentication. runZero often sees this on network management devices and baseband management controllers.
Latest PKIX-SSH vulnerability: regreSSHion #
On July 1, 2024 the OpenSSH team released version 9.8p1 to address 2 vulnerabilities. The most critical of the two allows Remote Code Execution (RCE) by unauthenticated attackers under certain situations. This vulnerability was discovered by Qualys and dubbed "regreSSHion".
For more details and guidance for locating OpenSSH please see our prior OpenSSH Rapid Response post.
On July 6, 2024 PKIX-SSH version 15.1 was released to address the regreSSHion vulnerability which impacted versions 13.3.2 to 15.0.
Are updates or workarounds available? #
Version 15.1 was released to address the vulnerability.
How to find potentially vulnerable PKIX-SSH systems with runZero #
For locating assets with the impacted PKIX versions go the Software Inventory and use the following query:
name:"Roumen Petrov PKIX-SSH" (version:>13.3.1 AND version:<15.1)
Specific services can be found using the Service Inventory and the following query which will remove some of the versions known to be patched or otherwise not impacted:
protocol:ssh ( _service.product:="Roumen Petrov:PKIX-SSH:13.%" OR _service.product:="Roumen Petrov:PKIX-SSH:14.%" OR _service.product:="Roumen Petrov:PKIX-SSH:15.0" ) NOT (os:OpenBSD OR banner:"PKIX[13.2" )
We have a canned query named "Rapid Response: OpenSSH regreSSHion RCE - PKIX-SSH" that can be used to locate potentially impacted systems.