regreSSHion Vulnerability - CVE-2024-6387

Incident Report for Rapid Response Status Page

Resolved

Dear customers,

In addition to our latest update, we have created improved versions of the visibility dashboard that identifies publicly-facing hosts which received incoming SSH traffic (to “sshd”) over the last 7 days.
To provide the most accurate and comprehensive results, we also split the former visibility dashboard into two separate dashboards:

1. “RegreSSHion - CVE-2024-6387 - Identification of Publicly facing devices that received SSH connections towards “sshd” from external remote IP (CrowdStrike)”

2. “RegreSSHion - CVE-2024-6387 - Identification of Publicly facing devices that received SSH connections towards “sshd” from external remote IP”

These dashboards replace the previous dashboard and can be found in the same location in the Hunters platform, by navigating to: “Data” --> “Visibility”.

Note: If you have multiple EDR products in your organizational environment, please look at both dashboards to get the full results.

In addition, Axon reports have been published to Team Axon customers.
In those reports, you can also find the updated deliverables list (threat hunting queries and visibility dashboard).

The team is still tracking the “RegreSSHion” vulnerability and will publish an update if needed.
If you have any questions regarding the hunting queries’ results or in general, please do not hesitate to reach out to us.


Sincerely,
Team Axon.
Posted Jul 04, 2024 - 16:04 UTC

Update

Dear customers,

After continuously evaluating the OpenSSH RCE vulnerability CVE-2024-6387, also known as “RegreSSHion”, over the last few days, we have a few updates to share with you.

- Vulnerable version update: Please note that in addition to OpenSSH versions 8.5p1 to 9.8p1 mentioned in our previous update, OpenSSH versions earlier than 4.4p1 are potentially vulnerable as well. Upgrading to the latest OpenSSH versions is highly recommended.

- Deliverables updates:

*) A new hunting query that can be used to identify spikes in "timeout before authentication" sshd log entries. This query can be found on Team Axon's GitHub page: https://github.com/axon-git/rapid-response/blob/main/CVE-2024-6387_RegreSSHion/SSHD_Logs_spike_in_timeout_before_authentication_log_entries.sql

*) The initial hunting query published by the team was replaced with 4 different hunting queries, one for each EDR vendor's logs.
These queries should provide more detailed, accurate and comprehensive information when hunting for potential exploitation attempts.

1. CrowdStrike - External Facing OpenSSH devices that received a significant amount of SSH connections from a specific source IP over the last 30 days.
Link: https://github.com/axon-git/rapid-response/blob/main/CVE-2024-6387_RegreSSHion/CrowdStrike_External_facing_ssh_devices_many_connections_from_same_remote_ip.sql

2. MDATP - External Facing OpenSSH devices that received a significant amount of SSH connections from a specific source IP over the last 30 days.
Link: https://github.com/axon-git/rapid-response/blob/main/CVE-2024-6387_RegreSSHion/MDATP_External_facing_ssh_devices_many_connections_from_same_remote_ip.sql

3. SentinelOne - External Facing OpenSSH devices that received a significant amount of SSH connections from a specific source IP over the last 30 days.
Link: https://github.com/axon-git/rapid-response/blob/main/CVE-2024-6387_RegreSSHion/SentinelOne_External_facing_ssh_devices_many_connections_from_same_remote_ip.sql

4. Carbon Black - External Facing OpenSSH devices that received a significant amount of SSH connections from a specific source IP over the last 30 days.
Link: https://github.com/axon-git/rapid-response/blob/main/CVE-2024-6387_RegreSSHion/CarbonBlack_External_facing_ssh_devices_many_connections_from_same_remote_ip.sql

*) Visibility query - as mentioned in our previous update, a visibility query for external-facing OpenSSH devices, based on identifying hosts that received SSH connections from external IP addresses during the last 7 days, is available.
This dashboard can be found in the Hunters platform, by navigating to: "Data" --> "Visibility" --> "RegreSSHion - CVE-2024-6387 - Identification of Publicly facing devices that received SSH connections towards "sshd" from external remote IP"


The team is still tracking the “RegreSSHion” vulnerability and will publish an update if needed.
If you have any questions, please do not hesitate to reach out to us.

Sincerely,
Team Axon.
Posted Jul 03, 2024 - 20:45 UTC

Update

Dear customers,

Team Axon evaluated the risk of the recently published vulnerability in OpenSSH, CVE-2024-6387, also known as “RegreSSHion”.
This message includes some relevant insights, recommendations, and hunting queries.
Be aware that additional insights and findings related to this CVE might be identified in the future; please keep tracking the Rapid Response updates.

- After evaluating the technical exploitation details known at this point, we find this vulnerability unlikely to be used as part of widespread exploitation. A potential threat actor would need to address several different aspects to exploit this vulnerability and obtain remote code execution (RCE).

- To take advantage of this vulnerability maliciously, the attacker would very likely need to make a significant number of SSH connections toward the targeted host, which takes approximately a few hours if the attacker uses the continuous approach.

The following queries can be used by your security teams to gain relevant visibility and to conduct threat hunting:

1. Visibility Query - External Facing OpenSSH devices - based on an identification of hosts that received SSH connections from external IP addresses during the last 7 days. This dashboard can be found in the Hunters platform, by navigating to:
"Data" --> "Visibility" --> "RegreSSHion - CVE-2024-6387 - Identification of Publicly facing devices that received SSH connections towards "sshd" from external remote IP"

2. Hunting Query - External Facing OpenSSH devices that received more than X SSH connections from a specific source IP over the last 30 days. This query can be found in Team Axon's Github: https://github.com/axon-git/rapid-response/blob/main/CVE-2024-6387_RegreSSHion/External_facing_ssh_devices_many_connections_from_same_remote_ip.sql
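As an added illustration, not Team Axon's queries (which are SQL written for each EDR's telemetry), the following Python script applies the same two hunting ideas, a per-minute spike in "Timeout before authentication" sshd entries and many connections from one source IP, to constructed sshd syslog lines. The sample log, the per-minute bucketing and both thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of sshd syslog lines (not real data): one remote address
# produces a burst of "Timeout before authentication" entries within a minute,
# which is the pattern the spike hunting query looks for.
SAMPLE_LOG = """\
Jul 02 10:00:01 host1 sshd[1001]: Accepted publickey for ops from 10.0.0.5 port 50000 ssh2
Jul 02 10:01:00 host1 sshd[1002]: Timeout before authentication for 198.51.100.7 port 40001
Jul 02 10:01:02 host1 sshd[1003]: Timeout before authentication for 198.51.100.7 port 40002
Jul 02 10:01:05 host1 sshd[1004]: Timeout before authentication for 198.51.100.7 port 40003
Jul 02 10:01:09 host1 sshd[1005]: Timeout before authentication for 198.51.100.7 port 40004
Jul 02 10:01:12 host1 sshd[1006]: Timeout before authentication for 198.51.100.7 port 40005
Jul 02 10:01:15 host1 sshd[1007]: Connection closed by 203.0.113.9 port 41000 [preauth]
Jul 02 10:02:30 host1 sshd[1008]: Timeout before authentication for 203.0.113.9 port 41001
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:from|for|by) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def parse(log_text, year=2024):
    """Yield (timestamp, remote_ip, message) for each sshd line naming a peer address."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m["msg"])
        if not ip:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, ip["ip"], m["msg"]

def timeout_spikes(log_text, threshold=5):
    """Count 'Timeout before authentication' entries per (minute, remote IP) and
    return the buckets at or above threshold, i.e. the spike the query hunts for."""
    buckets = Counter()
    for ts, ip, msg in parse(log_text):
        if msg.startswith("Timeout before authentication"):
            buckets[(ts.replace(second=0), ip)] += 1
    return {key: n for key, n in buckets.items() if n >= threshold}

def many_connections(log_text, threshold=3):
    """Count all sshd events per remote IP and return those at or above threshold
    (the 'more than X connections from one source IP' hunt, over the log's span)."""
    per_ip = Counter(ip for _, ip, _ in parse(log_text))
    return {ip: n for ip, n in per_ip.items() if n >= threshold}
```

On real hosts, feed `journalctl -u ssh` or `/var/log/auth.log` text to these functions and tune the thresholds to the host's normal SSH volume so that legitimate scanners and monitoring do not trip them.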


Recommendations:

1. As mentioned in our previous message, the vulnerability affects OpenSSH versions 8.5p1 to 9.8p1. To mitigate the risk, it is crucial to upgrade to the latest OpenSSH versions. Detailed patch information can be found in the advisory by Qualys:
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server#technical-details

2. If a patch/update of sshd is not an option, consider setting LoginGraceTime to 0 in the config file. This exposes sshd to a denial of service by using up all MaxStartups connections, but it prevents the remote code execution risk.

3. Make sure you don’t have any publicly-facing organizational assets that allow incoming SSH access (“sshd”).

3.1. If this kind of access is mandatory for specific organizational hosts, please make sure to carefully monitor them for any suspicious activity, and of course make sure they don’t have a vulnerable OpenSSH version installed.


The team continues to track this vulnerability and will notify you of any actionable new details.
If you have any questions or concerns, please do not hesitate to reach out to us.

Sincerely,
Team Axon.
Posted Jul 02, 2024 - 13:59 UTC

Investigating

Team Axon is aware of a new critical RCE flaw (CVE-2024-6387) affecting OpenSSH servers. This vulnerability, known as "RegreSSHion," allows remote unauthenticated code execution due to a race condition. Attackers can send crafted SSH packets to exploit this flaw, which can potentially lead to arbitrary code execution with root privileges.

The vulnerability affects OpenSSH versions 8.5p1 to 9.8p1. In order to mitigate the risk, it is crucial to upgrade to the latest OpenSSH versions. Detailed patch information is provided in the advisory by Qualys: https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server#technical-details

Our team is actively researching the details and will provide updates after deeply analyzing and assessing the vulnerability, including potential deliverables such as threat hunting queries and visibility insights. Impacted customers will be notified directly.

For further assistance, please don't hesitate to contact us.

Sincerely,
Team Axon
Posted Jul 01, 2024 - 17:30 UTC
This incident affected: Rapid Response.