Rapid Response for OpenSSH Vulnerability CVE-2024-6387


 

This blog was written by Jane Goh and published on July 12, 2024.

 

 

Respond Quickly to Regression Vulnerability Affecting OpenSSH

 

An unauthenticated remote code execution (RCE) vulnerability in OpenSSH’s server could potentially grant an attacker full root access, which poses a significant exploit risk. RegreSSHion, also known as CVE-2024-6387, was discovered by Qualys to be a regression bug of a previously patched vulnerability, CVE-2006-5051, and is classified as a high severity CVE.

 

Palo Alto Networks Unit 42 has issued a threat brief on this CVE, which affects several OpenSSH server versions. Using Xpanse, Cortex's Attack Surface Management solution, they observed 23 million instances across all versions of OpenSSH servers, of which 7.3 million were associated with the impacted versions.

 

Proof-of-concept (PoC) exploit code was discovered, but no known exploits were observed as of July 2, 2024. For more details on the potential exploit of this vulnerability, read the Threat Brief. The Unit 42 team recommends updating all OpenSSH instances to the latest version of OpenSSH.

 

If your team is working to track and patch this vulnerability, we have just the automation playbook to help you speed and streamline the process.

 

The CVE-2024-6387 - OpenSSH RegreSSHion RCE automation content pack will help you automate the following tasks:

 

Collect, Extract and Enrich Indicators

  1. Collects known indicators from the Unit 42 blog

 

Threat Hunting

  1. Searches for vulnerable endpoints using Prisma Cloud and Cortex XDR - XQL queries

 

Mitigation Guidance

Sends email notifications to analysts with recommendations for patching and other actions:

  1. OpenSSH official CVE-2024-6387 patch
  2. Unit 42 recommended mitigations

 

This playbook should be triggered manually or can be configured as a job within Cortex XSOAR*.

 

You can download this pack in our Cortex Marketplace. Cortex XSOAR or XSIAM is required for this automation.

 

To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided XSOAR Product Tour.

 
