Respond Quickly to Regression Vulnerability Affecting OpenSSH
An unauthenticated remote code execution (RCE) vulnerability in the OpenSSH server (sshd) could grant an attacker full root access, since sshd runs as root, which makes it a significant exploitation risk. RegreSSHion, tracked as CVE-2024-6387, was discovered by Qualys and is a regression of a previously patched vulnerability, CVE-2006-5051: a signal handler race condition that affects sshd on glibc-based Linux systems. It is classified as a high-severity CVE.
Palo Alto Networks Unit 42 has issued a threat brief on this CVE, which affects several OpenSSH server versions. Using Cortex Xpanse, the Cortex attack surface management solution, the team observed 23 million OpenSSH server instances across all versions, 7.3 million of which were running affected versions.
Proof-of-concept (PoC) exploit code has surfaced, but no exploitation in the wild had been observed as of July 2, 2024. For more details on how this vulnerability could be exploited, read the Threat Brief. Unit 42 recommends updating all OpenSSH instances to the latest version.
If your team is working to track and patch this vulnerability, we have just the automation playbook to help you speed and streamline the process.
The CVE-2024-6387 - OpenSSH RegreSSHion RCE automation content pack will help you automate the following tasks:
Collect, Extract and Enrich Indicators
- Collects known indicators from the Unit 42 blog
Threat Hunting
- Searches for vulnerable endpoints using Prisma Cloud and Cortex XDR XQL queries
Mitigation Guidance
- Sends email notifications to analysts with recommendations for patching and other actions, including:
  - the official OpenSSH patch for CVE-2024-6387
  - the Unit 42 recommended mitigations
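The Threat Hunting step above identifies affected hosts by OpenSSH version. As an added example that is not code from the content pack, Unit 42 or OpenSSH, the following Python classifies SSH server banners (as returned by a scanner or stored in Xpanse/XDR asset data) against the affected ranges Qualys published: versions before 4.4p1 unless the CVE-2006-5051 fix was backported, and 8.5p1 up to but not including 9.8p1. The hostnames and banners are constructed sample input and the function names are my own. One caveat a hunt team needs: Debian, Ubuntu and other distributions backport the fix without changing the upstream version string, so a "vulnerable" verdict from a banner is a lead to confirm against the package changelog, not proof.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example: classify OpenSSH server banners against the CVE-2024-6387
# affected ranges. Not code from the Cortex content pack, Unit 42 or OpenSSH.
#
# Affected ranges as published by Qualys:
#   v <  4.4p1           vulnerable unless patched for CVE-2006-5051 / CVE-2008-4109
#   4.4p1 <= v < 8.5p1   not affected (the 2006 fix is present)
#   8.5p1 <= v < 9.8p1   vulnerable (the fix regressed in 8.5p1)
#   v >= 9.8p1           fixed upstream
FIRST_FIXED_LEGACY = (4, 4, 1)
FIRST_REGRESSED = (8, 5, 1)
FIRST_FIXED = (9, 8, 1)

# Matches the version token in an SSH identification string, e.g.
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13". The "pN" portable suffix is optional
# (some vendor builds advertise "OpenSSH_8.7" with no suffix).
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Vendor suffixes that mark a distribution build. Distributions backport the fix
# without bumping the upstream version, so for these hosts the banner alone
# cannot prove vulnerability. Absence of a suffix does not prove an upstream
# build either; the list here is only the suffixes I am certain appear in banners.
VENDOR_RE = re.compile(r"\b(Ubuntu|Debian)\b", re.IGNORECASE)


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable) for an OpenSSH banner, else None."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, portable = m.groups()
    return int(major), int(minor), int(portable or 0)


def classify_banner(banner: str) -> str:
    """Map a banner to one of: not-openssh, vulnerable-legacy, not-affected,
    vulnerable, fixed. Tuple comparison orders versions correctly because
    8.5p1 becomes (8, 5, 1) and 9.10p1 becomes (9, 10, 1)."""
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh"
    if v < FIRST_FIXED_LEGACY:
        return "vulnerable-legacy"
    if v < FIRST_REGRESSED:
        return "not-affected"
    if v < FIRST_FIXED:
        return "vulnerable"
    return "fixed"


def triage(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by verdict. Vendor builds in an affected range go to
    'verify-backport' instead of 'vulnerable' so analysts check the package
    changelog before escalating."""
    out: Dict[str, List[str]] = {}
    for host, banner in records:
        verdict = classify_banner(banner)
        if verdict in ("vulnerable", "vulnerable-legacy") and VENDOR_RE.search(banner):
            verdict = "verify-backport"
        out.setdefault(verdict, []).append(host)
    return out


# Constructed sample scan output (hostnames and banners are made up).
SAMPLE_RECORDS = [
    ("bastion-1", "SSH-2.0-OpenSSH_9.7p1"),
    ("build-2", "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"),
    ("web-3", "SSH-2.0-OpenSSH_8.4p1"),
    ("legacy-4", "SSH-2.0-OpenSSH_4.3p2"),
    ("new-5", "SSH-2.0-OpenSSH_9.8p1"),
    ("iot-6", "SSH-2.0-dropbear_2022.83"),
]

if __name__ == "__main__":
    for verdict, hosts in sorted(triage(SAMPLE_RECORDS).items()):
        print(f"{verdict:16} {', '.join(hosts)}")
```

Feed it the banners your scanner already collects; hosts landing in "vulnerable" and "verify-backport" are the ones to reconcile with the patch status the playbook's notifications ask for.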
This playbook can be triggered manually or configured as a scheduled job within Cortex XSOAR.
You can download this pack in our Cortex Marketplace. Cortex XSOAR or XSIAM is required for this automation.
To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided XSOAR Product Tour.