Middle East RegreSSHion

CVE-2024-6387

On July 1, 2024, Qualys published a blog post about the RCE their research unit discovered in OpenSSH’s server implementation. It is quite rare for an RCE to be discovered in an OpenBSD project, and in fact the conditions required for successful exploitation are somewhat restrictive, which goes to show the quality of the software the OpenBSD project puts out. Nonetheless, the aim of this post is to explore the potential risk this vulnerability raises in the region.

The vulnerability is a signal handler race condition in OpenSSH’s server (sshd) that, according to Qualys, allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems. The issue had been fixed many versions ago but was recently reintroduced into the code, hence the regression nickname.

For quick reference, the following OpenSSH versions are affected:

From       To
8.5p1      9.8p1 (9.8p1 itself contains the fix)
Earlier than 4.4p1, without patches

OpenSSH is widely used across the internet and is installed by default on many Linux server distributions. We’ll take a closer look at the Middle East region to assess the extent of the risk this introduces and any other interesting observations.

For this post, the region consists of the following countries: {"Bahrain", "Egypt", "Iran", "Iraq", "Jordan", "Kuwait", "Lebanon", "Oman", "Qatar", "Saudi Arabia", "Syria", "United Arab Emirates", "Yemen"}

Let’s jump right in.

Global

We see that across the internet, the top 10 OpenSSH versions include 4 vulnerable ones, according to Censys. Censys is an internet intelligence platform similar to Shodan: it scans the web continuously and lets us filter through its data to gain new insights.

[Figure: Global SSH]

Middle East

When we focus on the Middle East, 5 vulnerable versions make it into the top 10, unfortunately.

[Figure: Middle East SSH]

Digging deeper into the region, we see around 30k hosts running vulnerable OpenSSH versions, as of 5-7-2024, four days after the initial public announcement (the query is at the end of the post).

[Figure: Middle East SSH hosts]

Interestingly, the majority are based in Iran, by a large margin. This may be due to a multitude of reasons, including but not limited to the focus of Censys scans on certain IP spaces, political sanctions forcing infrastructure to be localised and therefore more hardware on the ground, and the scale of the countries.

[Figure: locations]

Let’s take a closer look at these vulnerable OpenSSH servers.

Iran

As mentioned earlier, Iran is one of the countries with the most vulnerable hosts running OpenSSH, about 16k. There are lots of interesting ports, web portals and other things to look at in future posts.

[Figure: Iran]

UAE

There are more than 5k vulnerable OpenSSH hosts in the UAE. The UAE has been known to host and fund many technological endeavours to bring the latest and greatest to the region, including multiple datacenters for different international cloud providers.

[Figure: UAE]

Saudi Arabia

In recent years, the tech industry has boomed in Saudi Arabia due to shifts in strategy and legislation, including opening new datacenters and funding startups at scale. Despite the efforts put forth to ensure that security standards are upheld, we still see that the majority of hosts are susceptible to this particular vulnerability.

[Figure: Saudi]

Qatar and Bahrain

Both countries are relatively small, share a single border with Saudi Arabia and are similarly competing to host big tech and be a hub of innovation in the region. Apart from their geographical similarity, new datacenters are being built and brought up, so understandably there are many hosts under cloud ASNs.

[Figure: Qatar]

AWS has a Bahrain location, as can be seen in the Autonomous System filter section. Many machines seem similar or appear to follow a template that runs a vulnerable OpenSSH version.

[Figure: Bahrain]

Egypt and Jordan

Egypt is a rather large country; in fact it is the largest Arabic-speaking country. Surprisingly, fewer than 500 hosts show up as running OpenSSH. Unsurprisingly, most are vulnerable versions, which is a common theme across the region.

[Figure: Egypt]

Jordan has about 600 hosts, most of which appear to be under the ASN called Stark Industries, which I’ve seen used for ill intent before. Interestingly, many of the hosts appear to match in terms of open ports and OS, indicating a datacenter template situation as well.


Iraq, Lebanon and Oman

I expected Iraq to have a large-scale presence, but in terms of OpenSSH hosts only 164 are detected. Of course the country is trying to build itself back up and is dealing with many internal affairs and foreign interference. I see a lot of investment and expansion in the telecom sector, but I guess that doesn’t reflect in this case.

[Figure: Iraq]

Lebanon has around 150 hosts spread around the country.

[Figure: Lebanon]

Oman also has about 150 hosts, with some interesting ports.

[Figure: Oman]

Kuwait, Syria and Yemen

On the lower host count side, we have Kuwait, surprisingly, and of course most are vulnerable OpenSSH versions.

[Figure: Kuwait]

Syria is another of the lower host count countries, with many restrictions and safety and stability challenges facing it.

[Figure: Syria]

And lastly, Yemen, with about 60 vulnerable hosts.

[Figure: Yemen]

Shodan Vs. Censys

It seems Censys has a better view of the region and its data appears to be relatively accurate, which is why I chose to stick with it. I did compare many queries and dig into them on both platforms, but for simplicity decided to go with Censys for this post. The difference did not change the conclusions I reached. Below you’ll find the customised Censys query used for this post as well as the base Shodan query with the countries, if you’re interested in playing around. Do keep in mind that results change with time.

[Figure: Worldwide OpenSSH versions from Shodan (worldwide-ssh-shodan.png)]

[Figure: Middle East OpenSSH versions from Shodan (middleeast-ssh-shodan.png)]

Censys Query:

(services: (software.product: openssh and software.version: [8.5 to 9.8} and not ssh.endpoint_id.comment: {"Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6", "Ubuntu-3ubuntu13.3", "Debian-5+deb11u3", "Debian-2+deb12u3", "FreeBSD-20240701"})) and location.country:{"Bahrain", "Egypt", "Iran", "Iraq", "Jordan", "Kuwait", "Lebanon", "Oman", "Qatar", "Saudi Arabia", "Syria", "United Arab Emirates", "Yemen"}
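As an added example (not part of the original post), the following Python triage helper applies the same logic as the Censys query above to raw SSH banner strings, so a defender can classify their own inventory without a scanning platform. The version range and the list of backport comments are taken from the query on this page; the sample banners are constructed.

```python
import re

# Distro banner comments the post's Censys query treats as patched backports.
PATCHED_COMMENTS = {
    "Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6", "Ubuntu-3ubuntu13.3",
    "Debian-5+deb11u3", "Debian-2+deb12u3", "FreeBSD-20240701",
}

# Matches: SSH-<proto>-OpenSSH_<major>.<minor>[p<n>] [<distro comment>]
BANNER_RE = re.compile(
    r"^SSH-[\d.]+-OpenSSH_(?P<ver>\d+\.\d+)(?:p\d+)?(?:\s+(?P<comment>\S.*))?$")

def parse_banner(banner):
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor = (int(x) for x in m.group("ver").split("."))
    return (major, minor), (m.group("comment") or "").strip()

def classify(banner):
    """One of: vulnerable, patched, not-affected, legacy-review, unknown."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"           # not OpenSSH, or an unparsable banner
    ver, comment = parsed
    if (8, 5) <= ver < (9, 8):     # affected range from the post; 9.8p1 has the fix
        # Backports keep the upstream version string; only the comment tells them apart.
        return "patched" if comment in PATCHED_COMMENTS else "vulnerable"
    if ver < (4, 4):               # pre-4.4p1 is affected unless the old fixes were applied
        return "legacy-review"
    return "not-affected"

# Constructed sample banners (not real scan results).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",  # Ubuntu backport: patched
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",   # older Ubuntu build: vulnerable
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",    # Debian backport: patched
    "SSH-2.0-OpenSSH_9.8p1",                     # fixed upstream release
    "SSH-2.0-OpenSSH_7.4",                       # before 8.5p1: not affected
    "SSH-2.0-OpenSSH_4.3p2",                     # pre-4.4p1: needs manual review
    "SSH-2.0-dropbear_2020.81",                  # not OpenSSH at all
]

def summarize(banners):
    """Count banners per classification, e.g. for a quick fleet triage report."""
    counts = {}
    for b in banners:
        label = classify(b)
        counts[label] = counts.get(label, 0) + 1
    return counts
```

Banner matching is only a heuristic: a distribution that backports the fix without changing its banner comment will still be flagged, so confirm with the installed package version on the host.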

Shodan Query:

product:OpenSSH country:bh,eg,ir,iq,jo,kw,lb,om,qa,sa,sy,ae,ye

Sources

https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/
https://securitylabs.datadoghq.com/articles/regresshion-vulnerability-cve-2024-6387-overview-detection-and-remediation/
https://www.linkedin.com/feed/update/urn:li:activity:7213599274339586049/
https://phoenix.security/cve-2024-6387-regresshion/