Automate Patching Vulnerable Software with Cortex Xpanse Active Response
A new vulnerability in Open Secure Shell (OpenSSH), identified as Common Vulnerabilities and Exposures (CVE) CVE-2023-25136, poses a significant threat to Amazon Web Services Elastic Cloud Compute (AWS EC2) instances. If left unpatched, this vulnerability could leave your instances vulnerable to attack, potentially resulting in the loss of sensitive data or damage to your company's reputation.
OpenSSH is a set of secure networking tools that use the Secure Shell (SSH) protocol to provide secure communication over unsecured networks. It is an essential tool for remote server management, secure file transfers, and robust encryption. However, certain versions of OpenSSH, specifically versions 9.8 and earlier, are affected by the Insecure OpenSSH vulnerability, which is a serious security risk.
According to a recent Unit 42 study, there are about 23 million OpenSSH server instances across all versions. About one-third of those instances run outdated versions of OpenSSH and are vulnerable. To patch them, your organization has to spend resources, invest time, and repeat the process with every new patchable version. This can be an onerous and daunting process if your environment has complex infrastructure with distributed systems.
As of the time of this writing, the Insecure OpenSSH vulnerability affects versions 9.8 and earlier and allows remote code execution on your instances. The CVEs that can be exploited against these versions are CVE-2023-25136, CVE-2021-28041, CVE-2021-41617, and CVE-2023-38408.
The Cortex Xpanse Active Response Module provides an automated vulnerability patching option that uses AWS Systems Manager to upgrade to patched versions, saving you time and resources. Xpanse discovers all of your Insecure OpenSSH exposures and, through various integrations, enriches them with the remediation information needed about your EC2 instances. It then quickly patches the Insecure OpenSSH vulnerability on your AWS EC2 instances using AWS Systems Manager. With Xpanse, you can rest assured that your infrastructure is secure and your business is protected even if an engineer stands up another insecure EC2 instance.
Setting Up integrations in Cortex Xpanse
As a prerequisite, the AWS Systems Manager agent (SSM Agent) must be installed on your EC2 instances; the agent can also run on edge devices, on-premises servers, and virtual machines, and it is what allows AWS Systems Manager to manage your AWS EC2 instances. Xpanse offers an integration through the AWS Systems Manager pack. With this integration, you can easily set up and manage your AWS Systems Manager connection and access all of its features. To get started, add your AWS region, access key, secret key, and any additional information that you need. Our team is here to support you every step of the way and help you get the most out of this powerful tool.
Collecting and Enriching Information About Your EC2 Instance
Once you have the integration set up and ready, Xpanse pulls information related to your EC2 instances, such as AWS Systems Manager agent status, platform type, platform name, and platform version. Xpanse enriches the exposure with this key information so you can quickly decide whether to patch the vulnerable version through automated remediation, saving you time and effort. In addition, Xpanse verifies that the vulnerability has actually been remediated. For automated patching to work, all of the following must hold:
- the AWS Systems Manager integration is enabled;
- the attack surface rule ID is InsecureOpenSSH;
- the AWS Systems Manager agent is active on the instance;
- the operating system is Linux Ubuntu.
Remediation
Once the enrichment step is completed, Xpanse has enough understanding of the instance to determine whether it can perform automated remediation for you. For Insecure OpenSSH instances detected by Xpanse with AWS Systems Manager, Active Response automatically remediates all Ubuntu instances.
Once the above criteria are matched, the following options are shown on the screen. Your analyst can choose one of these options to proceed. Choosing Automated remediation by patching vulnerable software proceeds to patch the OpenSSH version.
The automated remediation option uses the AWS Systems Manager integration to download the latest OpenSSH package from OpenBSD to your instance, then compiles and installs it for you. With Xpanse, this ensures that you have the most up-to-date and secure version of OpenSSH on the EC2 instance.
By upgrading to a newer version of OpenSSH, the security flaws present in the older version are patched, keeping your systems secure and protected from potential attacks.
Pre-remediation:
Post-remediation:
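The eligibility check and the post-remediation verification described above, as an added example that is not Xpanse's or AWS's own code. It assumes the SSM DescribeInstanceInformation field names (PingStatus, PlatformType, PlatformName) and a constructed SSH banner for the instance; the "patched" threshold of 9.9 is derived from the page's statement that 9.8 and earlier are vulnerable.

```python
import re

# Assumption taken from the page: versions 9.8 and under are vulnerable,
# so the first version considered patched is 9.9.
PATCHED_MIN = (9, 9)

# Matches the upstream version in an SSH identification string,
# e.g. "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6".
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p\d+)?")


def parse_openssh_version(banner):
    """Return (major, minor) from an OpenSSH banner, or None if it is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable(banner):
    """True when the banner advertises a version at or below the page's cut-off.
    Caveat: distro packages often backport fixes without changing the upstream
    version string, so a banner alone can over-report; the page sidesteps this by
    installing upstream OpenSSH via Systems Manager."""
    v = parse_openssh_version(banner)
    return v is not None and v < PATCHED_MIN


def eligible_for_auto_patch(rule_id, ssm_enabled, instance_info):
    """Mirror the four criteria the page lists for automated remediation.
    instance_info is shaped like one SSM DescribeInstanceInformation entry."""
    return (
        ssm_enabled
        and rule_id == "InsecureOpenSSH"
        and instance_info.get("PingStatus") == "Online"      # agent active
        and instance_info.get("PlatformType") == "Linux"
        and instance_info.get("PlatformName") == "Ubuntu"
    )


def verify_remediation(before_banner, after_banner):
    """Remediation is verified only if the instance was vulnerable and no longer is."""
    return is_vulnerable(before_banner) and not is_vulnerable(after_banner)


if __name__ == "__main__":
    # Constructed sample enrichment data and banners for an Ubuntu EC2 instance.
    info = {"InstanceId": "i-EXAMPLE", "PingStatus": "Online",
            "PlatformType": "Linux", "PlatformName": "Ubuntu", "PlatformVersion": "22.04"}
    before, after = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6", "SSH-2.0-OpenSSH_9.9p1"
    print("eligible:", eligible_for_auto_patch("InsecureOpenSSH", True, info))
    print("remediated:", verify_remediation(before, after))
```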
Conclusion
In the current threat landscape, automated remediation is crucial to countering the increasing sophistication of cyberattacks. Palo Alto Networks continually seeks to improve its security solutions and its existing automated remediation capabilities. Automation enables swift and efficient vulnerability detection and remediation, saving both time and resources.
References
- Cortex Xpanse AWS Systems Manager pack: https://xsoar.pan.dev/docs/reference/integrations/aws---system-manager
- Remediation Playbook used: https://xsoar.pan.dev/docs/reference/playbooks/aws---package-upgrade
- AWS Systems Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html
- OpenBSD: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/