DESCRIPTION LAST UPDATED: 2024-09-06
DEFAULT SEVERITY LEVEL: INFO
Introduction
This report identifies hosts that have the Secure Shell (SSH) service running and accessible on the Internet.
This does not necessarily indicate that anything is wrong with the system, but if SSH (or the version that is running) seems out of place on a host, you may wish to investigate. By default, therefore, we classify reported events as INFO (informational only).
However there are exceptions when we will classify individual events reported with a higher severity level, as explained below.
Detected issues
CVE-2024-6387 (“regreSSHion”)
On 2024-07-01 we added version-based detection of CVE-2024-6387. Read more in regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (the Qualys advisory). Severity is set to CRITICAL. To determine whether an instance is vulnerable we use the following condition:
The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1: the guard that kept an async-signal-unsafe logging call out of sshd's SIGALRM handler (the handler that fires when a client has not authenticated within LoginGraceTime) was accidentally removed, reintroducing the signal-handler race that was originally fixed as CVE-2006-5051. (Releases before 4.4p1 carry the original bug but are not covered by this version check.)
Please note that there is no reliable method to account for backporting by Linux distributions: a distribution may ship a patched build that still displays a potentially vulnerable upstream version string, because the fix does not change the banner. False positives are thus possible; check the distribution package version and changelog rather than relying on the banner alone.
We currently exclude:
SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4,
SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5,
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10,
SSH-2.0-OpenSSH_9.3p1 Ubuntu-3ubuntu3.6,
SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3,
SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3.6,
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3,
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
In addition, we exclude all OpenBSD instances where we can identify them. OpenBSD is not affected: its sshd signal handler calls syslog_r(), an async-signal-safe variant of syslog(), whereas the exploit relies on glibc's syslog() being reached from the handler.
Make sure you update your OpenSSH server to 9.8p1 or later, or to a distribution build that backports the fix: https://www.openssh.com/txt/release-9.8
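The version condition and exclusion list above, as an added example in Python (not part of this report's own tooling, which is written in Perl). It parses an SSH version banner, applies the 8.5p1 <= version < 9.8p1 window, skips the listed backported builds by exact banner match, and treats a banner without the portable "pN" suffix as OpenBSD's native sshd; that last rule is an assumption about how OpenBSD hosts can be told apart, since the page does not say how it identifies them. The sample banners are constructed, not scan data.

```python
import re

# Version window this page tests for CVE-2024-6387: 8.5p1 <= version < 9.8p1.
VULNERABLE_FROM = (8, 5, 1)
FIXED_IN = (9, 8, 1)

# Distribution builds this page lists as already patched (exact banner match).
BACKPORTED_BANNERS = {
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
    "SSH-2.0-OpenSSH_9.3p1 Ubuntu-3ubuntu3.6",
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3.6",
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
}

# SSH-2.0-OpenSSH_<major>.<minor>[p<portable>][ <comment>]
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(.*))?$")


def parse_banner(banner):
    """Return (version_tuple, is_portable, comment), or None for a non-OpenSSH banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, portable, comment = m.groups()
    version = (int(major), int(minor), int(portable) if portable else 0)
    return version, portable is not None, (comment or "")


def classify_regresshion(banner):
    """Apply the page's version condition and exclusions to one SSH banner.

    Returns one of: 'vulnerable', 'excluded-backport', 'excluded-openbsd',
    'not-affected', 'unknown'.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"          # not OpenSSH (e.g. dropbear); the version logic does not apply
    version, is_portable, _comment = parsed
    if not is_portable:
        # Assumption: no "pN" suffix means OpenBSD's native sshd, which the page excludes.
        return "excluded-openbsd"
    if banner.strip() in BACKPORTED_BANNERS:
        return "excluded-backport"
    if VULNERABLE_FROM <= version < FIXED_IN:
        return "vulnerable"
    return "not-affected"


def classify_many(banners):
    """Map each banner to its classification, the shape one daily report row would carry."""
    return {b: classify_regresshion(b) for b in banners}


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for banner, result in classify_many([
        "SSH-2.0-OpenSSH_9.7p1 Debian-7",
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_9.8",
        "SSH-2.0-dropbear_2022.83",
    ]).items():
        print(f"{result:18} {banner}")
```

Note that "excluded-backport" is decided by exact string match, so a distribution build one revision newer than the listed one (for example 13.6 where 13.5 is listed) falls through to the version window and is reported as vulnerable until the list is extended; that is the false-positive case the paragraph above describes.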
Password based authentication enabled
If we detect that an SSH instance returns a userauth_methods list that includes password (the methods the server lists in its SSH_MSG_USERAUTH_FAILURE reply as able to continue), we set the severity level for that instance to MEDIUM. Password authentication is not recommended because exposed SSH endpoints are subjected to continuous brute-force attacks; prefer public-key authentication and set PasswordAuthentication no in sshd_config.
CVE-2023-48795 (“Terrapin Attack”)
In addition, we also report instances vulnerable to CVE-2023-48795 (“Terrapin attack”). These are tagged cve-2023-48795 and severity is set to LOW, because exploitation requires an active man-in-the-middle position on the connection. The logic for tagging instances as vulnerable is based on the paper Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation and is implemented as follows (Perl code example):
# Name-lists the server advertised in its KEXINIT: kex, s2c cipher, s2c MAC.
if (
    ( ( $server_key_exchange_s2c_mac =~ m/-etm\@openssh\.com/ && $server_key_exchange_s2c_cipher =~ m/-cbc/ )   # CBC cipher + Encrypt-then-MAC
      || $server_key_exchange_s2c_cipher =~ m/chacha20-poly1305\@openssh\.com/ )                                    # or ChaCha20-Poly1305
    && $server_key_exchange_kex !~ m/kex-strict-s-v00\@openssh\.com/                                             # and no "strict kex" offered
) {
    $tag .= ";cve-2023-48795";
}
If you receive a report from us, you can verify the status of your SSH server with the Terrapin Scanner from Ruhr-Universität Bochum (authors of the paper).
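The same tagging condition as an added example in Python (not the report's own Perl, and not the Terrapin Scanner), extended one step beyond what the page checks: server_exposed() reproduces the page's rule over the server's advertised name-lists, while connection_vulnerable() additionally runs the RFC 4253 algorithm negotiation against a given client and checks that both sides offer the strict-kex extension, since a patched server still yields a vulnerable connection to a client that does not send kex-strict-c-v00@openssh.com. All name-lists below are constructed samples, not captured from real hosts.

```python
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
CHACHA = "chacha20-poly1305@openssh.com"


def namelist(s):
    """Split an SSH name-list (comma-separated, RFC 4251) into algorithm names."""
    return [a for a in s.split(",") if a]


def server_exposed(kex, s2c_cipher, s2c_mac):
    """The page's tagging condition, applied to the name-lists the server advertised."""
    ciphers, macs = namelist(s2c_cipher), namelist(s2c_mac)
    cbc_etm = any("-cbc" in c for c in ciphers) and any("-etm@openssh.com" in m for m in macs)
    return (cbc_etm or CHACHA in ciphers) and STRICT_KEX_SERVER not in namelist(kex)


def tag_for(server):
    """Tag suffix the report would append for this server, or '' when not exposed."""
    exposed = server_exposed(server["kex"], server["cipher"], server["mac"])
    return ";cve-2023-48795" if exposed else ""


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: first algorithm on the client's list that the server also lists."""
    for alg in namelist(client_list):
        if alg in namelist(server_list):
            return alg
    return None


def connection_vulnerable(client, server):
    """Would a connection between this client and server be open to prefix truncation?"""
    strict = (STRICT_KEX_CLIENT in namelist(client["kex"])
              and STRICT_KEX_SERVER in namelist(server["kex"]))
    if strict:
        return False                      # both sides enforce strict kex
    cipher = negotiate(client["cipher"], server["cipher"])
    mac = negotiate(client["mac"], server["mac"])
    if cipher is None:
        return False                      # no common cipher, so no session at all
    if cipher == CHACHA:
        return True                       # AEAD mode; the MAC list is irrelevant
    return "-cbc" in cipher and mac is not None and "-etm@openssh.com" in mac


# Constructed sample name-lists (server-to-client direction).
SERVER_UNPATCHED = {
    "kex": "curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256",
    "cipher": "chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com",
    "mac": "umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256",
}
SERVER_PATCHED = dict(SERVER_UNPATCHED, kex=SERVER_UNPATCHED["kex"] + "," + STRICT_KEX_SERVER)
SERVER_CTR_ONLY = dict(SERVER_UNPATCHED, cipher="aes128-ctr,aes256-gcm@openssh.com")
SERVER_CBC_ETM = dict(SERVER_UNPATCHED, cipher="aes128-cbc,aes128-ctr")

CLIENT_STRICT = {
    "kex": "curve25519-sha256,ecdh-sha2-nistp256," + STRICT_KEX_CLIENT,
    "cipher": "chacha20-poly1305@openssh.com,aes128-ctr",
    "mac": "umac-64-etm@openssh.com,hmac-sha2-256",
}
CLIENT_LEGACY = dict(CLIENT_STRICT, kex="curve25519-sha256,ecdh-sha2-nistp256")
CLIENT_CTR_FIRST = dict(CLIENT_STRICT, cipher="aes128-ctr,chacha20-poly1305@openssh.com")

if __name__ == "__main__":
    for name, srv in [("unpatched", SERVER_UNPATCHED), ("patched", SERVER_PATCHED),
                      ("ctr-only", SERVER_CTR_ONLY), ("cbc+etm", SERVER_CBC_ETM)]:
        print(f"{name:10} tag={tag_for(srv)!r:20} "
              f"legacy-client={connection_vulnerable(CLIENT_LEGACY, srv)} "
              f"strict-client={connection_vulnerable(CLIENT_STRICT, srv)}")
```

The server-side rule is what a report can assess from one scan, and it is deliberately conservative: an exposed server that only ever talks to strict-kex clients preferring CTR or GCM ciphers is flagged even though none of its real connections would be attackable. The fix is the same in either case: update the server so it offers kex-strict-s-v00@openssh.com, or remove the CBC-with-ETM and ChaCha20-Poly1305 combinations from its configuration.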
Detected non-SSH issues
In some cases we will also add tags that are not related to the SSH service itself as such but are related to the IP in question. For example, for Fortra GoAnywhere MFT CVE-2024-0204 we are able to identify IPs that have not applied the patch based on the SSH version banner displayed. This does not mean the vulnerability is exploitable via the SSH service, only that it may be exploitable via the HTTP admin interface if it is exposed.
Dashboard and daily scan results
You can track accessible SSH hosts on our Dashboard.
Terrapin attack exposure can be tracked on the Dashboard here (select source ssh and/or ssh6, then tag cve-2023-48795).
Additional Information
For more information on SSH, see https://en.wikipedia.org/wiki/Secure_Shell.
Severity levels are described here.
For more information on our scanning efforts, check out our Internet scanning summary page.
This report comes in 2 versions, IPv4 and IPv6.
Filenames: scan_ssh, scan6_ssh