Regre SS Hion Remote Unauthenticated Code Execution Vulnerability In Open SSH Server
Query
// regreSSHion - Remote Unauthenticated Code Execution Vulnerability in OpenSSH server
// https://www.linkedin.com/posts/activity-7213658125323681793-p0wl/
// Azure Resource Graph KQL Query to check Azure Linux server running OpenSSH:
resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| extend osType = properties.storageProfile.osDisk.osType
| where osType =~ 'Linux'
| mvexpand sshKey = properties.osProfile.linuxConfiguration.ssh.publicKeys
| where sshKey.keyData contains 'ssh-rsa' or sshKey.keyData contains 'ssh-dss'
| project name, location, osType, sshKey.keyData
// Microsoft Defender for Endpoint device discovery capabilities KQL to detect Linux machines (probably with SSH enabled) connected to on-prem & cloud environments (Not onboarded to MDE) to further identify any other possible attack surface.
DeviceInfo
| where OnboardingStatus != "Onboarded"
| where OSPlatform == "Linux"
| where DeviceName != ""
| where DeviceCategory == "Endpoint"
// MITRE ATT&CK Mapping
// T1078.003: Valid Accounts: SSH 1
// T1136.001: Create Account: Local Account 1
// T1082: System Information Discovery 1
// T1018: Remote System Discovery 1Explanation
This query is designed to identify potential security vulnerabilities related to OpenSSH on Azure Linux servers and other Linux machines that are not onboarded to Microsoft Defender for Endpoint (MDE). Here's a simplified breakdown of what each part of the query does:
-
Azure Resource Graph Query:
- It searches for Azure virtual machines (VMs) that are running Linux.
- It checks if these Linux VMs have SSH keys configured using either 'ssh-rsa' or 'ssh-dss' algorithms, which might be vulnerable.
- It retrieves and displays the VM's name, location, operating system type, and SSH key data.
-
Microsoft Defender for Endpoint Query:
- It identifies Linux devices that are not onboarded to MDE.
- It filters for devices that are classified as endpoints and have a non-empty device name.
- This helps in discovering Linux machines that might have SSH enabled and are connected to both on-premises and cloud environments, potentially exposing them to attacks.
-
MITRE ATT&CK Mapping:
- The query references specific MITRE ATT&CK techniques that relate to the use of SSH and account creation, as well as system and remote system discovery:
- T1078.003: Use of valid SSH accounts.
- T1136.001: Creation of local accounts.
- T1082: Discovery of system information.
- T1018: Discovery of remote systems.
- The query references specific MITRE ATT&CK techniques that relate to the use of SSH and account creation, as well as system and remote system discovery:
Overall, this query helps in identifying Linux systems that might be susceptible to remote unauthenticated code execution vulnerabilities via SSH, and it aligns with known attack techniques to better understand potential threats.
Details

Steven Lim
Released: August 25, 2024
Tables
resources
DeviceInfo
Keywords
ResourcesMicrosoftComputeVirtualMachinesOsTypePropertiesStorageProfileOsDiskLinuxSshKeyOsProfileLinuxConfigurationPublicKeysNameLocationDefenderEndpointDeviceInfoOnboardingStatusOsPlatformDeviceNameDeviceCategoryMitreAttackAccountsSystemInformationDiscovery
Operators
resources|where=~extendmvexpandcontainsorprojectDeviceInfo!===