Automate Insecure OpenSSH vulnerability patching in Ubuntu AWS EC2 with Cortex Xpanse

Jul 25, 2024

Automate Patching Vulnerable Software with Cortex Xpanse Active Response

A new vulnerability in Open Secure Shell (OpenSSH), tracked in the Common Vulnerabilities and Exposures (CVE) system as CVE-2023-25136, poses a significant threat to Amazon Web Services Elastic Compute Cloud (AWS EC2) instances. If left unpatched, this vulnerability could leave your instances open to attack, potentially resulting in the loss of sensitive data or damage to your company's reputation.

OpenSSH is a set of secure networking tools that use the Secure Shell (SSH) protocol to provide secure communication over unsecured networks. It is an essential tool for remote server management, secure file transfers, and robust encryption. However, certain versions of OpenSSH, specifically versions 9.8 and under, are affected by the Insecure OpenSSH vulnerability, which is a serious security risk.

According to a recent Unit 42 study, there are about 23 million instances of OpenSSH servers, including all versions. About one-third of those instances have outdated versions of OpenSSH and are vulnerable. To patch this, your organization has to spend resources, invest time, and do this over and over again with every new patchable version. This can be an onerous and daunting process if your environment has complex infrastructure with distributed systems.

As of the time of this writing, the Insecure OpenSSH vulnerability affects versions 9.8 and under and allows remote code execution on your instances. These versions can be exploited through CVE-2023-25136, CVE-2021-28041, CVE-2021-41617, and CVE-2023-38408.

The Cortex Xpanse Active Response module provides an automated vulnerability patching option that uses AWS Systems Manager to upgrade to patched versions, saving you time and resources. Xpanse discovers all your Insecure OpenSSH exposures and, through various integrations, enriches them with the remediation information it needs about your EC2 instances. It then quickly patches the Insecure OpenSSH vulnerabilities on your AWS EC2 instances using AWS Systems Manager. With Xpanse, you can rest assured that your infrastructure is secure and your business is protected even if some engineer stands up another insecure EC2 instance.

Setting Up Integrations in Cortex Xpanse

As a prerequisite, you need the AWS Systems Manager agent (SSM agent), which can be installed on EC2 instances, edge devices, on-premises servers, and virtual machines and which allows AWS Systems Manager to manage your AWS EC2 instances. Xpanse offers an integration through the AWS Systems Manager pack. With this integration, you can easily set up and manage your AWS Systems Manager and access all of its powerful features. To get started, add your AWS region, access key, secret key, and any additional information that you need. Our team is here to support you every step of the way and help you get the most out of this powerful tool.

Fig 1: AWS - Systems Manager integration configuration

Collecting and Enriching Information About Your EC2 Instance

Once you have the integration set up and ready, Xpanse will pull information related to your EC2 instances, such as AWS Systems Manager agent status, platform type, platform name, and platform version. Xpanse enriches this key information so you can quickly determine whether you want to patch the vulnerable version through automated remediation, saving you time and effort. In addition, Xpanse verifies that the vulnerability has actually been remediated for you. For the automated patching to work, the AWS Systems Manager integration must be enabled, the attack surface rule ID must be InsecureOpenSSH, the AWS Systems Manager agent must be active on your instance, and the operating system must be Ubuntu Linux.

Fig 2: Systems identifiers captured via integrations

 

Remediation

Once the enrichment step is completed, Xpanse will have enough understanding of the instance to determine whether it can perform automated remediation for you. For insecure OpenSSH instances detected by Xpanse with AWS Systems Manager, Active Response will automatically remediate all Ubuntu instances.

Once the above criteria are met, the following options are shown on the screen. Your analyst can choose one of these options to proceed. Choosing "Automated remediation by patching vulnerable software" will proceed to patch the OpenSSH version.

Fig 3: Remediation action options shown in Cortex Xpanse UI

 

The automated remediation option uses the AWS Systems Manager integration to download the latest OpenSSH package from OpenBSD to your instance, compile the package and install it for you, ensuring that your systems are protected from potential attacks. With Xpanse, this ensures that you have the most up-to-date and secure version of OpenSSH on the EC2 instance.

By upgrading to a newer version of OpenSSH, any security flaws or vulnerabilities that exist in the older version are patched, ensuring that your systems are secure and protected from potential attacks.

Pre-remediation:

Fig 4: Insecure OpenSSH version before remediation

 

Post-remediation:

Fig 5: Patched OpenSSH version after remediation
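
The eligibility criteria listed under "Collecting and Enriching Information About Your EC2 Instance" and the pre/post-remediation version check can be expressed as a small gate, shown here as an added example that is not Xpanse's own code. It assumes inventory records shaped like AWS Systems Manager `DescribeInstanceInformation` entries, treats `PingStatus == "Online"` as "agent active", and uses constructed instance IDs and version strings.

```python
import re

FLAGGED_MAX = (9, 8)          # page: "versions 9.8 and under" are flagged
RULE_ID = "InsecureOpenSSH"   # attack surface rule ID named on the page

def parse_openssh_version(text):
    """Return (major, minor) from an SSH banner or `ssh -V` line, else None."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_flagged(text, flagged_max=FLAGGED_MAX):
    """An unparseable version string counts as flagged (unverified), never as patched."""
    version = parse_openssh_version(text)
    return version is None or version <= flagged_max

def unmet_preconditions(record, rule_id, integration_enabled):
    """List the page's four criteria that a host fails; empty list means eligible."""
    unmet = []
    if not integration_enabled:
        unmet.append("integration-disabled")
    if rule_id != RULE_ID:
        unmet.append("rule-id-mismatch")
    if record.get("PingStatus") != "Online":      # assumption: Online == agent active
        unmet.append("ssm-agent-inactive")
    is_ubuntu = "ubuntu" in record.get("PlatformName", "").lower()
    if record.get("PlatformType") != "Linux" or not is_ubuntu:
        unmet.append("not-ubuntu-linux")
    return unmet

def remediation_verified(before, after):
    """True only if the host was flagged before and parses as unflagged after."""
    return is_flagged(before) and not is_flagged(after)

# Constructed sample records, shaped like SSM DescribeInstanceInformation entries.
SAMPLE = [
    {"InstanceId": "i-0example0000000a", "PingStatus": "Online",
     "PlatformType": "Linux", "PlatformName": "Ubuntu", "PlatformVersion": "22.04"},
    {"InstanceId": "i-0example0000000b", "PingStatus": "ConnectionLost",
     "PlatformType": "Linux", "PlatformName": "Amazon Linux", "PlatformVersion": "2"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["InstanceId"], unmet_preconditions(rec, RULE_ID, True) or "eligible")
    # Constructed before/after version strings.
    print(remediation_verified("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1",
                               "OpenSSH_9.9p1, OpenSSL 3.0.2 15 Mar 2022"))
```

A banner carries only the upstream version number, so a distribution package with backported fixes still matches the threshold until the reported version itself changes.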

 

Conclusion

In the current threat landscape, automated remediation is crucial to countering the increasing sophistication of cyberattacks. Palo Alto Networks continually seeks to improve its security solutions and existing automated remediation capabilities. Automation enables swift and efficient vulnerability detection and remediation, saving both time and resources.
