Detect SSH authentication timeouts (CVE-2024-6387) (#1067)

crowdsecurity · Jul 1, 2024 · 75dc04c · 75dc04c
1 parent 58e94eb
commit 75dc04c
Show file tree

Hide file tree

Showing 13 changed files with 174 additions and 9 deletions.
diff --git a/.index.json b/.index.json
diff --git a/.tests/ssh-timeout/config.yaml b/.tests/ssh-timeout/config.yaml
@@ -0,0 +1,9 @@
+parsers:
+    - ./parsers/s01-parse/crowdsecurity/sshd-logs.yaml
+    - crowdsecurity/syslog-logs
+    - crowdsecurity/dateparse-enrich
+scenarios:
+    - ./scenarios/crowdsecurity/ssh-cve-2024-6387.yaml
+log_file: ssh-timeout.log
+log_type: syslog
+ignore_parsers: true
diff --git a/.tests/ssh-timeout/parser.assert b/.tests/ssh-timeout/parser.assert
diff --git a/.tests/ssh-timeout/scenario.assert b/.tests/ssh-timeout/scenario.assert
@@ -0,0 +1,37 @@
+len(results) == 1
+"192.168.9.212" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.168.9.212"].IP == "192.168.9.212"
+results[0].Overflow.Sources["192.168.9.212"].Range == ""
+results[0].Overflow.Sources["192.168.9.212"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.9.212"].GetValue() == "192.168.9.212"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "ssh-timeout.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_auth_timeout"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "usbkey"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-07-01T09:30:56Z"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "ssh-timeout.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_auth_timeout"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "usbkey"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-07-01T09:31:26Z"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "ssh-timeout.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_auth_timeout"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "usbkey"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-07-01T09:31:56Z"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "ssh-timeout.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_auth_timeout"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "usbkey"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-07-01T09:32:26Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/ssh-cve-2024-6387"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 4
diff --git a/.tests/ssh-timeout/ssh-timeout.log b/.tests/ssh-timeout/ssh-timeout.log
@@ -0,0 +1,4 @@
+Jul  1 09:30:56 usbkey sshd[8807]: fatal: Timeout before authentication for 192.168.9.212 port 47056
+Jul  1 09:31:26 usbkey sshd[8807]: fatal: Timeout before authentication for 192.168.9.212 port 47056
+Jul  1 09:31:56 usbkey sshd[8807]: fatal: Timeout before authentication for 192.168.9.212 port 47056
+Jul  1 09:32:26 usbkey sshd[8807]: fatal: Timeout before authentication for 192.168.9.212 port 47056
diff --git a/.tests/sshd-logs/parser.assert b/.tests/sshd-logs/parser.assert
@@ -1,5 +1,5 @@
 len(results) == 3
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 18
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 19
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "Invalid user pascal from 35.188.49.176 port 53502"
@@ -180,7 +180,17 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["datasource_path"]
 results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["machine"] == "eve"
 results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Whitelisted == false
-len(results["s01-parse"]["crowdsecurity/sshd-logs"]) == 18
+results["s00-raw"]["crowdsecurity/syslog-logs"][18].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["message"] == "fatal: Timeout before authentication for 192.168.9.212 port 47056"
+results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["pid"] == "8807"
+results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["program"] == "sshd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["timestamp"] == "Jul  1 09:30:56"
+results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["datasource_path"] == "sshd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["machine"] == "usbkey"
+results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/sshd-logs"]) == 19
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Success == true
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["message"] == "Invalid user pascal from 35.188.49.176 port 53502"
@@ -450,4 +460,18 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["source_ip"] == "192.168.1.2"
 results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["target_user"] == "root"
 results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Whitelisted == false
-len(results["success"][""]) == 0
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Success == true
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Parsed["message"] == "fatal: Timeout before authentication for 192.168.9.212 port 47056"
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Parsed["pid"] == "8807"
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Parsed["program"] == "sshd"
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Parsed["sshd_client_ip"] == "192.168.9.212"
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Parsed["timestamp"] == "Jul  1 09:30:56"
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Meta["datasource_path"] == "sshd-logs.log"
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Meta["log_type"] == "ssh_auth_timeout"
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Meta["machine"] == "usbkey"
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Meta["service"] == "ssh"
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Meta["source_ip"] == "192.168.9.212"
+results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/sshd-logs/sshd-logs.log b/.tests/sshd-logs/sshd-logs.log
@@ -16,3 +16,4 @@ Jul  7 06:11:48 node1 sshd[1625360]: Unable to negotiate with 123.123.123.123 po
 Feb 8 17:15:01 hostname sshd[1478159]: Connection reset by authenticating user root 80.94.92.63 port 49115 [preauth]
 2023-11-14T00:20:42.738197+01:00 myserver sshd[1112652]: User root from 192.168.1.1 not allowed because not listed in AllowUsers
 Apr  6 18:51:41 eve sshd[2784424]: Failed password for invalid user root from 192.168.1.2 port 51182 ssh2
+Jul  1 09:30:56 usbkey sshd[8807]: fatal: Timeout before authentication for 192.168.9.212 port 47056
diff --git a/collections/crowdsecurity/sshd.yaml b/collections/crowdsecurity/sshd.yaml
@@ -3,6 +3,7 @@ parsers:
 scenarios:
   - crowdsecurity/ssh-bf
   - crowdsecurity/ssh-slow-bf
+  - crowdsecurity/ssh-cve-2024-6387
 description: "sshd support : parser and brute-force detection"
 contexts:
   - crowdsecurity/bf_base

diff --git a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
@@ -16,8 +16,9 @@ pattern_syntax:
   #following: https://github.com/crowdsecurity/crowdsec/issues/1201 - some scanners behave differently and trigger this one
   SSHD_PREAUTH_AUTHENTICATING_USER_ALT: 'Disconnected from (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
   SSHD_BAD_KEY_NEGOTIATION: 'Unable to negotiate with %{IP_WORKAROUND:sshd_client_ip} port \d+: no matching (host key type|key exchange method|MAC) found.'
-# in case there are blocked by /etc/ssh/sshd_config AllowUsers xx yy
+# in case they are blocked by /etc/ssh/sshd_config AllowUsers xx yy
   SSHD_NOT_ALLOWED_USER: 'User %{USERNAME:sshd_invalid_user}? from %{IP_WORKAROUND:sshd_client_ip}( port \d+)? not allowed because not listed in AllowUsers'
+  SSHD_AUTH_TIMEOUT: 'Timeout before authentication for %{IP_WORKAROUND:sshd_client_ip}( port \d+)?'
 nodes:
   - grok:
       name: "SSHD_FAIL"
@@ -103,6 +104,12 @@ nodes:
       statics:
         - meta: log_type
           value: ssh_bad_keyexchange
+  - grok:
+      name: "SSHD_AUTH_TIMEOUT"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_auth_timeout
 statics:
     - meta: service
       value: ssh

diff --git a/scenarios/crowdsecurity/ssh-cve-2024-6387.md b/scenarios/crowdsecurity/ssh-cve-2024-6387.md
@@ -0,0 +1,2 @@
+Detect exploitation attempts of CVE-2024-6387
+
diff --git a/scenarios/crowdsecurity/ssh-cve-2024-6387.yaml b/scenarios/crowdsecurity/ssh-cve-2024-6387.yaml
@@ -0,0 +1,20 @@
+# ssh bruteforce
+type: leaky
+name: crowdsecurity/ssh-cve-2024-6387
+description: "Detect exploitation attempt of CVE-2024-6387"
+filter: "evt.Meta.log_type == 'ssh_auth_timeout'"
+leakspeed: "180s"
+capacity: 3
+groupby: evt.Meta.source_ip
+blackhole: 1m
+reprocess: true
+labels:
+  service: ssh
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1190
+    - cve.CVE-2024-6387
+  label: "SSH CVE-2024-6387"
+  behavior: "ssh:exploit"
+  remediation: true
diff --git a/taxonomy/behaviors.json b/taxonomy/behaviors.json
@@ -94,6 +94,11 @@
         "label": "SSH Bruteforce",
         "name": "ssh:bruteforce"
     },
+    "ssh:exploit": {
+        "description": "IP has been reported for attempting to exploit a vulnerability in SSH.",
+        "label": "SSH Exploit",
+        "name": "ssh:exploit" 
+    },
     "tcp:scan": {
         "description": "IP has been reported for performing TCP port scanning.",
         "label": "TCP Scan",

diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json
@@ -3970,6 +3970,22 @@
     "cti": true,
     "service": "ssh"
   },
+  "crowdsecurity/ssh-cve-2024-6387": {
+    "name": "crowdsecurity/ssh-cve-2024-6387",
+    "description": "Detect exploitation attempt of CVE-2024-6387",
+    "label": "SSH CVE-2024-6387",
+    "behaviors": [],
+    "mitre_attacks": [
+      "TA0001:T1190"
+    ],
+    "confidence": 3,
+    "spoofable": 0,
+    "cti": true,
+    "service": "ssh",
+    "cves": [
+      "CVE-2024-6387"
+    ]
+  },
   "crowdsecurity/ssh-slow-bf": {
     "name": "crowdsecurity/ssh-slow-bf",
     "description": "Detect slow ssh bruteforce",
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Detect exploitation attempts of CVE-2024-6387