The Secure Shell protocol (SSH) has been a cornerstone of secure remote access since it was first developed in 1995. Organizations rely on SSH for administrative access and for the secure transport built into many popular software products. The recent Terrapin Attack highlights the importance of maintaining full visibility of your attack surface and the urgency of identifying every external-facing SSH instance that an attacker could target.
In this blog post, we provide context on the SSH vulnerability and show how Qualys CSAM with External Attack Surface Management can quickly identify all impacted assets, including on-prem, cloud, IoT, OT, and external internet-facing, along with the cyber risk context needed to prioritize remediation. Vulnerable SSH services exposed to the internet pose a significant threat to organizations, their subsidiaries, and acquired entities: they are visible to threat actors, who can use CVE-2023-48795 as part of an attack.
The discovery of CVE-2023-48795 via the Terrapin Attacks highlights how even SSH is vulnerable, underscoring the importance and continued relevance of advanced vulnerability management patching strategies and vulnerability prioritization, especially for hybrid enterprise environments.
Beyond its reputation for strong security, SSH is easy to install and therefore runs on a wide array of operating systems, including the devices administrators use and the servers they connect to when reaching enterprise networks remotely. In simple terms, the Terrapin Attack shows that SSH, and much of the remote access infrastructure that privileged administrators rely on to protect sessions from eavesdropping and tampering, can have its handshake manipulated by an attacker positioned on the network path. The attack does not recover session keys or decrypt traffic, but it does let that attacker weaken the protections the two sides agreed on.
The SSH transport protocol in OpenSSH before 9.6 and in other SSH software and libraries allows remote attackers to bypass integrity checks so that some packets are omitted (the extension negotiation message, SSH_MSG_EXT_INFO, in particular), causing security features to be downgraded or disabled within a client and server connection (a Terrapin Attack). The attack works when the connection negotiates chacha20-poly1305@openssh.com, or a CBC-mode cipher together with an Encrypt-then-MAC (*-etm@openssh.com) MAC; other cipher and MAC combinations are not affected. In OpenSSH the demonstrated outcomes are disabling the keystroke timing obfuscation added in 9.5 and downgrading the public-key signature algorithms advertised in SSH_MSG_EXT_INFO; against some other implementations the researchers showed more serious results, so the practical impact depends on which software is on each end of the connection.
In simple terms, the Terrapin attack manipulates the SSH handshake between a client and a server, with the attacker acting as an adversary-in-the-middle (AitM, often still called MITM) on the path between remote administrators and their core or on-prem network. The CVE is rated moderate because the attack requires an active on-path position to intercept and modify the connection's TCP traffic, but from that position it allows the attacker to delete a chosen number of messages at the start of the encrypted channel without either side detecting it. The fix is the "strict kex" key exchange extension, which resets the packet sequence counters after key exchange and rejects unexpected messages during it; it only takes effect when both the client and the server support it, so patching one side alone does not close the gap.
OpenSSH versions before 9.6 and other software and libraries, including libssh, PuTTY, AsyncSSH, Dropbear SSH, Transmit, paramiko and the Go golang.org/x/crypto package (golang-go.crypto in the software query below), are vulnerable.
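To make the mechanism concrete, here is a small Python model, added as an example rather than code from the original post or from the Terrapin researchers. It keeps only the property the attack abuses: every SSH packet's integrity tag is computed over an implicit sequence counter that also counts the unauthenticated handshake packets and is never reset. The cipher is a toy keystream keyed by that counter, standing in for chacha20-poly1305@openssh.com, whose nonce is the sequence number. The message numbers are the real SSH ones, but the keys, packet layout and handshake are simplified (two handshake messages instead of a full key exchange), and the strict-kex behaviour modelled is the counter reset after NEWKEYS plus rejection of non-key-exchange messages during the handshake. All function and class names are mine.

```python
import hashlib
import hmac

# SSH message numbers (RFC 4253, RFC 8308); only those the model needs.
SSH_MSG_IGNORE = 2
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21

# Constructed demo keys; a real session derives them from the key exchange.
ENC_KEY = b"demo-encryption-key"
MAC_KEY = b"demo-integrity-key"
TAG_LEN = 32


def _keystream(seq: int, length: int) -> bytes:
    """Toy per-packet keystream keyed by the sequence number, as the ChaCha20-Poly1305 nonce is in SSH."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, seq.to_bytes(4, "big") + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(seq: int, payload: bytes) -> bytes:
    """Encrypt and authenticate one packet; the sequence number is bound into the tag but never sent."""
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(seq, len(payload))))
    return ct + hmac.new(MAC_KEY, seq.to_bytes(4, "big") + ct, hashlib.sha256).digest()


def unseal(seq: int, blob: bytes) -> bytes:
    """Verify the tag under the receiver's own counter, then decrypt."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, seq.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(seq, len(ct))))


class Peer:
    """One end of the connection. Only the server->client direction is modelled, so the
    server uses its counter to send and the client uses its counter to receive."""

    def __init__(self, strict_kex: bool):
        self.strict_kex = strict_kex
        self.seq = 0             # implicit packet counter; counts plaintext handshake packets too
        self.keys_active = False

    def _after_newkeys(self):
        self.keys_active = True
        if self.strict_kex:
            self.seq = 0         # strict kex: counters restart once NEWKEYS is sent/received

    def send(self, msg_type: int, body: bytes = b"") -> bytes:
        payload = bytes([msg_type]) + body
        wire = seal(self.seq, payload) if self.keys_active else payload
        self.seq += 1
        if msg_type == SSH_MSG_NEWKEYS:
            self._after_newkeys()
        return wire

    def recv(self, wire: bytes) -> int:
        if self.keys_active:
            payload = unseal(self.seq, wire)
        else:
            payload = wire
            # Strict kex also forbids anything but key-exchange messages during the handshake;
            # this model's handshake consists of KEXINIT and NEWKEYS only.
            if self.strict_kex and payload[0] not in (SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS):
                raise ConnectionError("strict kex: unexpected message during key exchange")
        self.seq += 1
        if payload[0] == SSH_MSG_NEWKEYS:
            self._after_newkeys()
        return payload[0]


def run(strict_kex: bool, inject_ignore: bool, drop_ext_info: bool) -> str:
    """Server->client flow: KEXINIT, NEWKEYS, then the encrypted EXT_INFO and SERVICE_ACCEPT.
    The attacker may forge one plaintext SSH_MSG_IGNORE during the handshake and may drop EXT_INFO."""
    server, client = Peer(strict_kex), Peer(strict_kex)
    seen = []
    try:
        client.recv(server.send(SSH_MSG_KEXINIT))
        if inject_ignore:
            client.recv(bytes([SSH_MSG_IGNORE]))   # unauthenticated phase: forgery is free
        client.recv(server.send(SSH_MSG_NEWKEYS))
        ext_info = server.send(SSH_MSG_EXT_INFO, b"server-sig-algs=rsa-sha2-512")
        if not drop_ext_info:
            seen.append(client.recv(ext_info))
        seen.append(client.recv(server.send(SSH_MSG_SERVICE_ACCEPT)))
    except (ValueError, ConnectionError) as exc:
        return f"rejected: {exc}"
    return "ext_info seen" if SSH_MSG_EXT_INFO in seen else "ext_info silently lost"


if __name__ == "__main__":
    print("no attack:               ", run(False, False, False))
    print("drop only:               ", run(False, False, True))
    print("Terrapin (inject + drop):", run(False, True, True))
    print("Terrapin vs strict kex:  ", run(True, True, True))
    print("drop only vs strict kex: ", run(True, False, True))
```

Compare the last four lines of output: dropping EXT_INFO on its own fails the integrity check, injecting an IGNORE first makes the same deletion pass unnoticed, and strict kex stops the injection (and, through the counter reset, catches the deletion even when no injection happened).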
Scope and Impact:
This vulnerability poses a significant risk, particularly for organizations relying heavily on SSH for secure communications, which includes many popular software platforms. Depending on the implementation on each end, exploitation can strip protections a session was supposed to have and, in the worst demonstrated cases, compromise the session itself; an attacker who already sits on the network path can do this at connection time, before any user notices.
Real-World Implications:
In a real-world scenario, an attacker positioned between an administrator and the systems they manage could use this vulnerability to weaken a privileged session and, with vulnerable implementations, interfere with it. This risk is particularly acute for organizations with large, interconnected networks where SSH provides access to privileged data. In other words, CVE-2023-48795 affects nearly every organization that runs SSH.
Qualys pulled anonymized data from our global customer base to analyze 420 million assets, including 51 million internet-facing assets. Here are the key data points:
All Assets

| Operating System Category | Assets with SSH service or open TCP port 22 | Assets with EOL/EOS (end-of-life or end-of-support) SSH service or open TCP port 22 |
|---|---|---|
| Linux | 24.6M | 12.2M |
| Windows | 36K | 23.3K |
Internet-facing Assets

| Operating System Category | Assets with SSH service or open TCP port 22 | Assets with EOL/EOS (end-of-life or end-of-support) SSH service or open TCP port 22 |
|---|---|---|
| Linux | 1.23M | 328K |
| Windows | 1.8K | 1.3K |
Interestingly, over 99% of the assets with an SSH service are Linux rather than Windows.
With this context in mind, it is highly likely that your attack surface is exposed to some level of risk from SSH services. Here’s what you can do.
Immediate Actions:
To mitigate this vulnerability, we recommend organizations inventory and scan all systems with vulnerable SSH versions and patch their SSH implementations as per the latest security updates. Because the strict kex fix only protects a connection when both ends support it, prioritize patching SSH clients (administrator workstations, jump hosts, automation runners) as well as servers. Where a patch is not yet available, the attack can be blocked in configuration by removing the affected algorithms: drop chacha20-poly1305@openssh.com from the Ciphers list, and drop all CBC ciphers (or, failing that, the *-etm@openssh.com MACs), leaving AES-GCM or AES-CTR with a standard HMAC; then verify that the remaining algorithms still allow your clients and automation to connect. Reviewing and updating SSH key management practices remains good hygiene, although key management is not what this vulnerability exploits.
Long-Term Solutions:
For long-term protection, we advocate for regular security audits and adopting a layered security approach. Implementing robust firewalls, intrusion detection systems, and rigorous access controls can significantly reduce the risk of such vulnerabilities.
Qualys offers a suite of tools and services designed to identify, prevent, and mitigate vulnerabilities like CVE-2023-48795. With the Enterprise TruRisk Platform, customers can monitor their networks, manage vulnerabilities, and maintain compliance with over 240 industry standards. For CVE-2023-48795 specifically, here is how Qualys can help:
Qualys CSAM provides multiple ways to identify and manage remediation and mitigation for assets containing SSH across your hybrid environment, including cloud, on-prem, IoT/OT, and internet-facing assets. Here are some key examples.
You can identify assets with a known vulnerable version of OpenSSH with this query:
Software Query: software:(name:OpenSSH and version < 9.6)
OpenSSH is not the only software affected by this CVE, so consider adding similar software name tokens to the query to find other potentially vulnerable software such as libssh, libssh2, putty, etc., especially as researchers update the list of vulnerable software. Note also that Linux distributions often backport the fix without changing the package's upstream version, so an OpenSSH reported as older than 9.6 is not necessarily still vulnerable; treat the version query as a first pass and confirm with the vendor advisory QIDs listed later in this post.
Software Query: software:(name:openssh or name:libssh or name:putty or name:paramiko or name:transmit or name:golang-go.crypto or name:dropbear)
If you have compute assets that do not have the necessary Qualys Agent or have not had an authenticated scan that discovers software, you can still query for any SSH servers using port and service tokens.
Asset Query: openPorts:((port:22 and protocol:TCP) or detectedService:SSH)
You can further focus that query on internet-facing assets exposing SSH by adding appropriate tags to the QQL.
Asset Query: openPorts:((port:22 and protocol:TCP) or detectedService:SSH) and (tags.name:EASM or tags.name:”Internet Facing Assets”)
In addition to identifying all assets with SSH installed, using dynamic tags and tagging the assets will allow for swifter remediation actions and clearer reporting as you mitigate the threat.
CSAM also recently introduced the ability to create port authorization rules in Rules > Open Ports. You use tags to select which assets are unauthorized to have the open port(s) and assign a QDS score to each open port to inform the TruRisk Score of the asset when the unauthorized open port is detected.
After using tags to select the asset scope, you can then define the unauthorized ports and the QDS score to use:
Port Rules will then assign an openPorts:(authorization:) attribute to any assets with an unauthorized port. You can then focus on assets with unauthorized exposure of the default ssh port using a query like:
Asset Query: openPorts:((port:22 and protocol:TCP) and authorization:`Unauthorized`)
You can see the TruRisk contribution from the unauthorized port in Asset Details > TruRisk Score.
With any of the queries above, you can also use the Group Assets By option in CSAM Inventory screens to get the list of assets with specific criteria/attributes, such as External Attack Surface domain, cloud providers, operating system category, etc. This is very useful if you have different teams focused on different types or deployment locations of assets.
Lastly, using CSAM's Report options, you can generate CSV reports from queries and/or tags to provide a list of assets and/or software to remediation teams.
Search the following QIDs within your VMDR subscription to find vulnerable instances of SSH in your environment:
| QID | Title |
|---|---|
| 755498 | SUSE Enterprise Linux Security Update for openssh (SUSE-SU-2023:4903-1) |
| 755497 | SUSE Enterprise Linux Security Update for openssh (SUSE-SU-2023:4904-1) |
| 755496 | SUSE Enterprise Linux Security Update for openssh (SUSE-SU-2023:4905-1) |
| 691379 | Free Berkeley Software Distribution (FreeBSD) Security Update for putty (91955195-9ebb-11ee-bc14-a703705db3a6) |
| 200018 | Ubuntu Security Notification for OpenSSH Vulnerabilities (USN-6560-1) |
| 200017 | Ubuntu Security Notification for libssh Vulnerability (USN-6561-1) |
| 996391 | Python (Pip) Security Update for golang.org/x/crypto (GHSA-45x7-px36-x8w8) |
| 356795 | Amazon Linux Security Advisory for openssh : ALAS-2023-1898 |
| 356794 | Amazon Linux Security Advisory for openssh : ALAS2023-2023-462 |
| 356793 | Amazon Linux Security Advisory for openssh : ALAS2-2023-2376 |
| 996375 | Rust (Rust) Security Update for golang.org/x/crypto (GHSA-45x7-px36-x8w8) |
| 996349 | GO (Go) Security Update for golang.org/x/crypto (GHSA-45x7-px36-x8w8) |
| 755499 | SUSE Enterprise Linux Security Update for openssh (SUSE-SU-2023:4902-1) |
Qualys customers have several ways to expedite remediation for vulnerable applications.
You can use Patch Management to patch vulnerable applications as patches are released. Patches have already been issued for many commonly used applications containing SSH. With Patch Management, Qualys customers can quickly apply them on both Windows and Linux.
In addition, Qualys CSAM can consolidate across teams through direct integration with Configuration Management Database (CMDB) and IT Service Management (ITSM) ticketing tools. IT tickets can even be automatically assigned by owner or group based on Qualys tagging, saving significant time in triaging ticket assignments. When it comes to exploitable vulnerabilities, every second counts—which is why it is critical to remove technology silos.
Please stay tuned for more updates. The Qualys Research team will update this blog regularly as more details become available. In the meantime, use the Vulnerability Detection Pipeline to track developments and the status of new vulnerabilities.