Last month, software vendors and news outlets widely publicized a new OpenSSH vulnerability – CVE-2023-38408. The vulnerability exposes Linux-based systems to remote command injection, and highlights the cybersecurity threats aimed at an ever more complex and growing IT infrastructure.
Security operations specialists face many daily challenges when it comes to identifying the vulnerabilities in their systems.
In most cases, it is hard to precisely determine which assets should be scanned for potential security vulnerabilities – whether a virtual machine hosted locally, in a public cloud provider, or a container image running in a Kubernetes pod. If the scanning procedures are not scheduled to run automatically, the engineers must run them manually. Or, if the scanners are agent-based, then the daemons, processes, and libraries must be periodically maintained on every machine.
VMClarity is an open source tool for agentless detection and management of Virtual Machine Software Bill Of Materials (SBOM) and security threats such as vulnerabilities, exploits, malware, rootkits, misconfigurations, and leaked secrets.
Because VMClarity takes snapshots of your VMs and launches separate VMs based on these snapshots, no software needs to be installed on the asset VMs you want to scan. A set of security scanners is deployed on the newly created VMs, and these scanners report their findings to the OpenClarity API.
If you want to start a scan, you can do that via Web UI or VMClarity CLI. A scan can be configured to only run once, or recurringly like a cron job.
After a short introduction to the system, let us begin to identify some security issues on our VMs. In this example, we will be specifically looking for OpenSSH CVE-2023-38408.
We will use AWS for this demo, so you will need an AWS account to replicate.
VMClarity has a detailed guide on installing a CloudFormation stack in your AWS account. The result of the installation should be an external IPv4 address (EIP) that you can check on the Outputs tab of the CloudFormation page. Here is ours:
With this public IP address, you can access the web UI or submit HTTP requests to the API server from your terminal. Open a terminal of your choice and set up an SSH connection to the control plane with the following command, which forwards local port 8080 to port 80 on the control plane:
ssh -N -L 8080:localhost:80 -i "<Path to the SSH key specified during install>" ubuntu@<VmClarity SSH Address copied during install>
Now, we have the control plane running, and we can talk to it with the forwarded SSH connection.
In order to find the OpenSSH security issue with VMClarity, there are two requirements:
After checking that the vulnerable version of OpenSSH was installed on the VM, I added a tag with the Key scanconfig and the Value test to it.
You have two options to create and start a scan: from the web UI or the CLI. For our purposes in this post, we will use the web UI.
Our VMClarity web dashboard is available at http://localhost:8888. Navigate to Scans – Configurations tab.
You can start a new scan in this tab by clicking the New scan configuration button.
Let’s give the scan a proper name and select the VM we created earlier for scanning with an OData filter.
On the next page, let’s select the SBOM and Vulnerabilities scans to run. The latter scanner finds the CVEs on your VM, and the former generates the SBOM from which those vulnerabilities are identified.
On the Time configuration step, you can set when the scan should run; we set it to only run once for now.
On the last tab, we can set how many scans can run at a given time. The default is two, and that is fine for this example. Now let’s click on the Save button to start the scan.
Once the scan has finished running, we can check the results on the Findings tab on the left menu.
The screenshot above shows that we have found three vulnerable OpenSSH packages with an out-of-date version. If you click on a row in the table, you can check the details of the vulnerability with more helpful information and links.
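The post drives the scan through the web UI, but L17 notes the same thing can be done from the CLI or API. The following Python script is an added example, not VMClarity's own client code: it builds the tag-based OData asset filter, assembles a one-off scan configuration enabling the SBOM and Vulnerabilities scanners with the default of two parallel scans, and reduces a page of findings to the rows that match the CVE we are hunting. The API paths (/api/scanConfigs, /api/findings), the OData property path (assetInfo/tags) and the JSON field names are assumptions about the VMClarity API, not taken from the post; the findings list at the bottom is a constructed sample so the filtering step runs offline without a control plane.

```python
"""Drive a VMClarity scan for one CVE through the forwarded API port.

Added example. Assumes the SSH port forward from the post is up
(local 8080 -> control plane port 80). API paths and field names are
assumptions about the VMClarity API schema.
"""
import json
import urllib.parse
import urllib.request
from typing import Iterable, List, Optional, Tuple

API_BASE = "http://localhost:8080/api"   # assumption: tunnel set up as in the post
TARGET_CVE = "CVE-2023-38408"            # the OpenSSH issue the post looks for


def tag_filter(key: str, value: str) -> str:
    """OData $filter selecting assets that carry a tag key=value.

    The property path assetInfo/tags is an assumption about the schema.
    Single quotes are doubled, which is how OData escapes them in literals,
    so a tag value containing a quote cannot break out of the expression.
    """
    def esc(s: str) -> str:
        return s.replace("'", "''")
    return (f"assetInfo/tags/any(t: t/key eq '{esc(key)}' "
            f"and t/value eq '{esc(value)}')")


def scan_config(name: str, asset_filter: str, max_parallel: int = 2,
                run_at: Optional[str] = None) -> dict:
    """Body for a scan enabling the SBOM and vulnerability scanners,
    mirroring the web UI choices in the post. Field names are assumptions.
    run_at is an ISO-8601 timestamp; None means start now and run once."""
    return {
        "name": name,
        "scope": asset_filter,
        "maxParallelScanners": max_parallel,
        "scanFamiliesConfig": {
            "sbom": {"enabled": True},
            "vulnerabilities": {"enabled": True},
        },
        "scheduled": {"operationTime": run_at},
    }


def matching_findings(findings: Iterable[dict],
                      cve: str = TARGET_CVE) -> List[Tuple[str, str, str]]:
    """Return (asset id, package name, package version) for findings of one CVE.

    Finding shape is an assumption: findingInfo.objectType, .vulnerabilityName
    and .package.{name,version}. Non-vulnerability findings (packages, secrets,
    ...) are skipped rather than raising on missing keys.
    """
    hits = []
    for f in findings:
        info = f.get("findingInfo", {})
        if info.get("objectType") != "Vulnerability":
            continue
        if info.get("vulnerabilityName") != cve:
            continue
        pkg = info.get("package", {})
        hits.append((f.get("asset", {}).get("id", ""),
                     pkg.get("name", ""), pkg.get("version", "")))
    return hits


def post_json(path: str, body: dict) -> dict:
    """POST a JSON body to the API through the tunnel and decode the reply."""
    req = urllib.request.Request(
        API_BASE + path, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_json(path: str) -> dict:
    with urllib.request.urlopen(API_BASE + path, timeout=30) as resp:
        return json.load(resp)


# Constructed sample of a findings page (not real scanner output); versions
# and the second CVE id are placeholders.
SAMPLE_FINDINGS = [
    {"asset": {"id": "asset-1"},
     "findingInfo": {"objectType": "Vulnerability", "vulnerabilityName": TARGET_CVE,
                     "package": {"name": "openssh-server", "version": "8.9p1-example"}}},
    {"asset": {"id": "asset-1"},
     "findingInfo": {"objectType": "Vulnerability", "vulnerabilityName": TARGET_CVE,
                     "package": {"name": "openssh-client", "version": "8.9p1-example"}}},
    {"asset": {"id": "asset-1"},
     "findingInfo": {"objectType": "Vulnerability", "vulnerabilityName": "CVE-0000-0000",
                     "package": {"name": "placeholder-lib", "version": "1.0"}}},
    {"asset": {"id": "asset-1"},
     "findingInfo": {"objectType": "Package", "name": "openssh-server"}},
]

if __name__ == "__main__":
    cfg = scan_config("openssh-" + TARGET_CVE.lower(), tag_filter("scanconfig", "test"))
    created = post_json("/scanConfigs", cfg)
    print("created scan config", created.get("id"))
    # Once the scan has run, pull vulnerability findings for this CVE only.
    q = urllib.parse.quote(f"findingInfo/vulnerabilityName eq '{TARGET_CVE}'")
    for asset, pkg, ver in matching_findings(get_json(f"/findings?$filter={q}").get("items", [])):
        print(asset, pkg, ver)
```

Running the script end to end needs the tunnel from the post; `tag_filter`, `scan_config` and `matching_findings` are pure and can be exercised against the constructed sample without any network access, which is also where you would plug in a real findings page to double-check what the dashboard shows.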
VMClarity simplifies running multiple scanners on different workloads and allows security operations specialists to save valuable time identifying vulnerable assets.