Query Details

CVE 2024 6387 Regresshion Identify Affected Endpoints

Query

# CVE-2024-6387 regreSSHion identify affected endpoints

### Description

This query helps identify endpoints running an OpenSSH version that is affected by the regreSSHion vulnerability.

### References
- https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

### Microsoft XDR & Microsoft Sentinel
```kql
DeviceTvmSoftwareInventory
| where SoftwareName has "openssh"
// Pull the major.minor part of the version, dropping the portable "pN" suffix (e.g. 9.6p1 -> 9.6)
| extend OpenSSHVersion = toreal(extract(@"(\d+\.\d+)(?:p\d+)?", 1, SoftwareVersion))
// Affected: 8.5 up to but not including 9.8 (the fixed release), and anything before 4.4
| where (OpenSSHVersion >= 8.5 and OpenSSHVersion < 9.8) or OpenSSHVersion < 4.4
| distinct DeviceId, DeviceName, OpenSSHVersion
```

### MITRE ATT&CK Mapping
- Tactic: Lateral Movement
- Technique ID: T1210
- [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210/)

### Source

### Versioning
| Version       | Date          | Comments                          |
| ------------- |---------------| ----------------------------------|
| 1.0           | 04/07/2024    | Initial publish                   |

Explanation

This query helps find endpoints running a version of OpenSSH that is vulnerable to regreSSHion. It looks for OpenSSH versions between 8.5 and 9.8, or versions below 4.4, so that the affected devices can be identified for further action.

Details


Michalis Michalos

Released: July 4, 2024

Tables

DeviceTvmSoftwareInventory

Keywords

DeviceTvmSoftwareInventory,SoftwareName,openssh,SoftwareVersion,OpenSSHVersion,DeviceId,DeviceName

Operators

DeviceTvmSoftwareInventory, where, extend, extract, toreal, between, or, distinct
