Last year, software vendors and news outlets widely publicized a new OpenSSH vulnerability - CVE-2023-38408. The vulnerability exposes Linux-based systems to remote command injection, and highlights the cybersecurity threats aimed at an ever more complex and growing IT infrastructure.

Security operations specialists face many daily challenges when it comes to identifying the cloud security vulnerabilities in their systems.

In most cases, it is hard to precisely determine which assets should be scanned for potential cloud natice security vulnerabilities — whether a virtual machine hosted locally, in a public cloud provider, or a container image running in a Kubernetes pod. If the scanning procedures are not scheduled to run automatically, the engineers must run them manually. Or, if the scanners are agent-based, then the daemons, processes, and libraries must be periodically maintained on every machine.

In the first part of this post, I will introduce you to the architecture of VMClarity for detecting cloud security vulnerabilities of a wide range of types. Later, I will demonstrate how to use VMClarity to detect vulnerabilities, focusing on OpenSSH CVE-2023-38408.

Introducing VMClarity: A tool for detecting cloud security vulnerabilities

VMClarity is an open source tool for agentless detection and management of Virtual Machine Software Bill Of Materials (SBOM) and cloud security threats such as vulnerabilities, exploits, malware, rootkits, misconfigurations, and leaked secrets.

VMClarity has VM scanning capabilities for major cloud providers, including AWS, Azure, and GCP. Additionally, VMClarity can also be used to scan Docker assets.

Because VMClarity takes snapshots of your VMs and launches separate VMs based on these snapshots, there is no required software installation on the asset VMs you want to scan. Security scanners are deployed on the newly created VMs, which report findings to the OpenClarity API.

If you want to start a scan, you can do that via Web UI or VMClarity CLI. A scan can be configured to only run once, or recurringly like a cron job.

Demo

After a short introduction to the system, let us begin to identify some security issues on our VMs. In this example, we will be specifically looking for OpenSSH CVE-2023-38408.

Setting up the control plane

We will use AWS for this demo, so you need an AWS account to replicate.

VMClarity has a detailed guide on installing a CloudFormation stack on your AWS account. The result of the installation should be an external IPv4 address(EIP) that you can check on the Outputs tab of the CloudFormation page. Here is ours:

With this public IP address, you can access the web UI or submit HTTP requests to the API server from your terminal. Let’s open a terminal of your choice and open an SSH connection to the control plane with the following command.

ssh -N -L 8080:localhost:80 -i  "<Path to the SSH key specified during install>" ubuntu@<VmClarity SSH Address copied during install>

Now, we have the control plane running, and we can talk to it with the forwarded SSH connection.

Preparing a VM to be scanned

To find the OpenSSH security issue with VMClarity, there are two requirements:

• A vulnerable version of OpenSSH has to be installed on the VM
• You have to tag the VM for scanning

According to The Hacker News article, the issue was fixed in version 9.3p2, so any OpenSSH version before that is fine.

After checking that the version with the vulnerability of OpenSSH was installed on the VM, I added a tag with the Key scanconfig and the Value test to it.

Start the security vulnerability scan

You have two options to create and start a scan: from the web UI or the CLI. For our purposes in this post, we will use the web UI.

Our VMClarity web dashboard is available at http://localhost:8888. Navigate to Scans - Configurations tab.

You can start a new scan in this tab by clicking the New Scan Configuration button.

Let’s give the scan a proper name and select the earlier created VM for scan with an OData filter.

On the next page, let’s select the SBOM and Vulnerabilities scans to run. The latter scanner finds the CVEs on your VM, and the former generates output from which the vulnerabilities can be found.

On the Time configuration step, you can set when the scan should run; we set it to only run once for now.

On the last tab, we can set how many scans can run at a given time. The default is two, and that is fine for this example. Now let’s click on the Save button to start the scan.

Check the vulnerability scan results

Once the scan has finished running, we can check the results on the Findings tab on the left menu.

The screenshot above shows that we have found three vulnerable OpenSSH packages with an out-of-date version. If you click on a row in the table, you can check the details of the vulnerability with more helpful information and links.

Detecting cloud security vulnerabilities

VMClarity simplifies running multiple scanners on different workloads and allows security operations specialists to save valuable time identifying vulnerable assets.

If you have any questions regarding VMClarity and its usage, please do not hesitate to contact us on our Slack channel.