Published on 09/19/2023
Last updated on 03/21/2024

Detecting vulnerabilities with VMClarity

In July 2023, software vendors and news outlets widely publicized a new OpenSSH vulnerability, CVE-2023-38408. It allows remote code execution against a user who forwards their ssh-agent to a host an attacker controls: the agent's PKCS#11 support could be made to load shared libraries from the client's own system, and side effects of loading and unloading the right libraries gave the attacker code execution on the client. It is a reminder of the threats aimed at an ever more complex and growing IT infrastructure.

Security operations specialists face many daily challenges when it comes to identifying the vulnerabilities in their systems.

In most cases it is hard to determine precisely which assets should be scanned for potential vulnerabilities, whether a virtual machine hosted on-premises or in a public cloud, or a container image running in a Kubernetes pod. If scans are not scheduled to run automatically, engineers must start them by hand. And if the scanners are agent-based, the daemons, processes, and libraries must be maintained on every machine.

In the first part of this post, I will introduce the architecture of VMClarity. Then I will demonstrate how to use it to detect vulnerabilities, using OpenSSH CVE-2023-38408 as the example.

Introducing VMClarity

VMClarity is an open source tool for agentless detection and management of Virtual Machine Software Bill Of Materials (SBOM) and security threats such as vulnerabilities, exploits, malware, rootkits, misconfigurations, and leaked secrets.

[Figure: VMClarity architecture]

VMClarity can scan VMs on the major cloud providers (AWS, Azure, and GCP) and can also scan Docker assets.

Because VMClarity takes a snapshot of each target VM and launches a separate scanner VM from that snapshot, nothing has to be installed on the VMs you want to scan. A set of security scanners runs on the newly created scanner VM and reports its findings to the OpenClarity API. Two consequences of this design are worth keeping in mind: a scan reflects the state of the disk at snapshot time rather than the running system (no memory contents, no transient processes), and the control plane needs permissions to create snapshots and launch instances in the target account, so scope those permissions as tightly as the provider allows.

A scan can be started from the web UI or the VMClarity CLI, and configured to run once or on a recurring schedule, like a cron job.

Demo

After that short introduction to the system, let us find some security issues on our VMs. In this example we look specifically for OpenSSH CVE-2023-38408.

Setting up the control plane

We will use AWS for this demo, so you will need an AWS account to replicate.

VMClarity has a detailed guide on installing its CloudFormation stack in your AWS account. When the installation finishes, the Outputs tab of the CloudFormation stack shows the control plane's Elastic IP (EIP), an external IPv4 address. Here is ours:

[Figure: VMClarity CloudFormation stack outputs]

With this address you can reach the control plane over SSH and, through an SSH port forward, its web UI and API server, without exposing either on the public internet. Open a terminal of your choice and establish the tunnel with the following command, using the key and address from the installation:

ssh -N -L 8080:localhost:80 -i "<Path to the SSH key specified during install>" ubuntu@<VmClarity SSH Address copied during install>

The control plane is now running and reachable on localhost:8080 through the SSH tunnel, for both the web UI and HTTP requests to the API.

Preparing a VM to be scanned

For VMClarity to find the OpenSSH issue, two things are required:

  • A vulnerable version of OpenSSH must be installed on the VM
  • The VM must be tagged for scanning

According to The Hacker News article, the issue was fixed in version 9.3p2, so any OpenSSH release earlier than 9.3p2 will do. One caveat: many distributions backport security fixes without changing the upstream version number, so a package can report an old OpenSSH version and still be patched. Scanners that consult the distribution's own advisory data account for this; a plain comparison of upstream version numbers does not.
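Before tagging a VM, it is worth confirming on the box itself that the installed OpenSSH is older than 9.3p2. The following shell script is an added example written for this post, not code from VMClarity or the OpenSSH project; it parses the banner that `ssh -V` prints and compares it with the upstream fix version. The sample banners are constructed for illustration, and the check assumes the portable OpenSSH banner format `OpenSSH_<major>.<minor>p<patch> ...`.

```sh
#!/bin/sh
# Added example (not VMClarity code): decide whether the OpenSSH reported by
# `ssh -V` is older than 9.3p2, the upstream release that fixed CVE-2023-38408.
# Assumes the portable OpenSSH banner "OpenSSH_<major>.<minor>p<patch> ...".
# Sample banners used in the comments below are constructed for illustration.

# openssh_version_key: convert a banner such as
# "OpenSSH_9.2p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022" into the integer
# major*10000 + minor*100 + patch (9.2p1 -> 90201) so releases compare
# numerically. Returns 1 if the banner does not match the expected format.
openssh_version_key() {
    fields=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*$/\1 \2 \3/p')
    [ -n "$fields" ] || return 1
    set -- $fields
    echo $(( $1 * 10000 + $2 * 100 + $3 ))
}

# upstream_fixed_cve_2023_38408: exit 0 when the banner is 9.3p2 or newer,
# 1 when it is older (vulnerable by upstream version), 2 when unparseable.
# This is an upstream comparison only. Distributions that backport the fix
# without bumping the version string will look vulnerable here even though the
# package is patched; the scanner's distribution advisory data is the better
# source of truth in that case.
upstream_fixed_cve_2023_38408() {
    key=$(openssh_version_key "$1") || return 2
    [ "$key" -ge 90302 ]
}

# check_local_openssh: run the check on this machine. `ssh -V` prints its
# banner on stderr, hence the redirection.
check_local_openssh() {
    banner=$(ssh -V 2>&1)
    rc=0
    upstream_fixed_cve_2023_38408 "$banner" || rc=$?
    case $rc in
        0) echo "OK: $banner (9.3p2 or newer)" ;;
        1) echo "VULNERABLE by upstream version: $banner" ;;
        *) echo "Could not parse banner: $banner" ;;
    esac
    return $rc
}
```

Run `check_local_openssh` on the VM before tagging it. A result of "VULNERABLE by upstream version" is what we want for the demo; on a production system it is only a hint, and the scanner's finding, which also considers the distribution's advisories, is the one to act on.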

[Figure: The OpenSSH vulnerability]

After confirming that a vulnerable version of OpenSSH was installed on the VM, I added a tag with the key scanconfig and the value test to it. The scan configuration will select the VM by this tag.

[Figure: VMClarity - add tag]

Start the scan

You have two options to create and start a scan: from the web UI or the CLI. For our purposes in this post, we will use the web UI.

Our VMClarity web dashboard is available at http://localhost:8080, the local port forwarded by the SSH command above. Navigate to Scans and open the Configurations tab.

[Figure: VMClarity - start a scan]

You can create a new scan in this tab by clicking the New scan configuration button.

Give the scan a descriptive name and select the VM tagged earlier with an OData filter on its tags.

On the next page, select the SBOM and Vulnerabilities scans. The SBOM scanner inventories the packages installed on the VM, and the Vulnerabilities scanner matches that inventory against vulnerability data to find the CVEs, so the two belong together.

On the Time configuration step, set when the scan should run; we set it to run once for now.

On the last tab, set how many scans may run at the same time. The default of two is fine for this example. Click Save to create the configuration and start the scan.

Check the results

Once the scan has finished, check the results under Findings in the left menu.

[Figure: VMClarity - scan results]

The screenshot above shows three findings for out-of-date OpenSSH packages. One OpenSSH source package typically installs several binary packages (client, server, and SFTP server), so a single CVE is reported once per installed package; they share one fix. Click a row in the table to see the details of the vulnerability, with more information and reference links.

[Figure: VMClarity - details of the scan]

Summary

VMClarity simplifies running multiple scanners on different workloads and allows security operations specialists to save valuable time identifying vulnerable assets.

If you have any questions regarding VMClarity and its usage, please do not hesitate to contact us on our Slack channel.
