🐾 - 🔔 Massive Key Exchange Init responses from SSH server - Possible OpenSSH server regreSSHion - CVE-2024-6387 attempted exploitation 🥷 - T1210
Source: pawpatrules
Created: August 2, 2024
Updated: August 3, 2024
Classification: targeted-activity
alert ssh any any -> any any (msg:"🐾 - 🔔 Massive Key Exchange Init responses from SSH server - Possible OpenSSH server regreSSHion - CVE-2024-6387 attempted exploitation 🥷 - T1210"; flow:to_client, stateless; threshold:type threshold, track by_src, count 50, seconds 10; content:"|00 00|"; startswith; content:"|14|"; distance:3; content:"|00 00 00 00 00 00 00|"; fast_pattern; endswith; reference:url,https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt; reference:url,https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server; reference:url,https://www.openssh.com/txt/release-9.8; target:src_ip; metadata:created_at 2024_08_03, updated_at 2024_08_03, signature_severity Major, attack_target Server_Endpoint, affected_product Linux, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_of_Remote_Services; sid:3321318; rev:1; classtype:targeted-activity;)
References
Metadata
created at: 2024_08_03
updated at: 2024_08_03
signature severity: Major
attack target: Server_Endpoint
affected product: Linux
mitre tactic id: TA0008
mitre tactic name: Lateral_Movement
mitre technique id: T1210
mitre technique name: Exploitation_of_Remote_Services