The following enhancements and improvements are now available to Censys ASM and Search customers.
Censys ASM
- Added risks for the following:
- regreSSHion RCE vulnerability in OpenSSH Server (CVE-2024-6387)
- Exposed Polyfill endpoints.
- Details on finding at-risk assets for these issues are given below.
Rapid Response
The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:
- regreSSHion RCE vulnerability in OpenSSH Server (CVE-2024-6387)
- The following queries can be leveraged to identify all Censys-visible public-facing OpenSSH instances in the affected version range, excluding builds whose banner comment shows a distribution backport of the fix. Any match reporting version 9.8 should be checked against its full version string, since OpenSSH 9.8p1 carries the upstream fix.
- Censys Search query: services: (software.product: openssh and software.version: [8.5 to 9.8] and not ssh.endpoint_id.comment: {"Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6", "Ubuntu-3ubuntu13.3", "Debian-5+deb11u3", "Debian-2+deb12u3", "FreeBSD-20240701"})
- Censys ASM query: host.services.software: (product: "openssh" and version: [8.5 to 9.8])
- Censys ASM Risk query: risks.name="Vulnerable OpenSSH [CVE-2024-6387]"
- Polyfill.io supply chain attack
- Detection with Censys
- Censys Search query for exposed hosts referencing the malicious polyfill[.]io domain: services.http.response.body: {`https://cdn.polyfill.io`, `https://cdn.polyfill.com`}
- Censys Search query for exposed hosts referencing one of the additional potentially associated domains: services.http.response.body: {`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`}
- Censys ASM query for exposed hosts referencing the malicious polyfill[.]io domain: host.services.http.response.body: {`https://cdn.polyfill.io`, `https://cdn.polyfill.com`} or web_entity.instances.http.response.body: {`https://cdn.polyfill.io`, `https://cdn.polyfill.com`}
- Censys ASM query for exposed hosts referencing one of the additional potentially associated domains: host.services.http.response.body: {`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`} or web_entity.instances.http.response.body: {`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`}
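As an added example (not Censys code and not part of this release note), the Python below reproduces the two Rapid Response filters locally so they can be run over SSH banners and HTTP bodies you collect yourself. The OpenSSH check applies the same version range and backport-comment exclusion as the Search query above; the Polyfill check flags script and link URLs whose host is one of the listed domains, which is narrower than the response-body substring match the Censys queries use. The banners and HTML are constructed sample inputs; the distribution comment strings are the ones from the query.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# --- regreSSHion (CVE-2024-6387) banner check ---------------------------
# Affected upstream releases are 8.5p1 through 9.7p1; 9.8p1 carries the fix.
VULN_MIN = (8, 5)
FIXED_IN = (9, 8)

# Banner comments of distribution builds that backported the fix
# (the exclusion set from the Censys Search query).
PATCHED_COMMENTS = {
    "Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6", "Ubuntu-3ubuntu13.3",
    "Debian-5+deb11u3", "Debian-2+deb12u3", "FreeBSD-20240701",
}

# SSH-2.0-OpenSSH_<major>.<minor>[p<n>][ <comment>]
BANNER_RE = re.compile(r"^SSH-(?:2\.0|1\.99)-OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:\s+(.*))?$")


def parse_openssh_banner(banner):
    """Return ((major, minor), comment) for an OpenSSH banner, else None."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2))), (m.group(3) or "").strip()


def classify_openssh(banner):
    """'vulnerable', 'patched', 'not_affected' or 'unknown' (not OpenSSH)."""
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return "unknown"
    version, comment = parsed
    if not (VULN_MIN <= version < FIXED_IN):
        return "not_affected"
    # In the affected range: only a known backport comment clears the host.
    return "patched" if comment in PATCHED_COMMENTS else "vulnerable"


def triage_banners(banners):
    """Count banners per classification, mirroring the query's filter logic."""
    counts = {"vulnerable": 0, "patched": 0, "not_affected": 0, "unknown": 0}
    for b in banners:
        counts[classify_openssh(b)] += 1
    return counts


# --- Polyfill supply-chain reference check ------------------------------
COMPROMISED_HOSTS = {"cdn.polyfill.io", "cdn.polyfill.com"}
ASSOCIATED_HOSTS = {"cdn.bootcdn.net", "cdn.bootcss.com",
                    "cdn.staticfile.net", "cdn.staticfile.org"}


class _AssetURLParser(HTMLParser):
    """Collect src/href values from <script> and <link> tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases names
        if tag in ("script", "link"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.urls.append(value)


def find_polyfill_references(body):
    """Map each script/link URL on a suspect host to 'compromised' or 'associated'."""
    parser = _AssetURLParser()
    parser.feed(body)
    hits = {}
    for url in parser.urls:
        # Protocol-relative URLs (//host/path) need a scheme for urlparse.
        absolute = "https:" + url if url.startswith("//") else url
        host = (urlparse(absolute).hostname or "").lower()
        if host in COMPROMISED_HOSTS:
            hits[url] = "compromised"
        elif host in ASSOCIATED_HOSTS:
            hits[url] = "associated"
    return hits


# Constructed sample inputs (not real scan data).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",    # Debian 12 backport -> patched
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",    # older Debian 12 build -> vulnerable
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",  # Ubuntu 22.04 backport -> patched
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",  # Ubuntu 24.04 backport -> patched
    "SSH-2.0-OpenSSH_9.6",                       # upstream 9.6 -> vulnerable
    "SSH-2.0-OpenSSH_9.8",                       # upstream fix -> not_affected
    "SSH-2.0-OpenSSH_7.4",                       # predates the regression -> not_affected
    "SSH-2.0-dropbear_2022.83",                  # not OpenSSH -> unknown
]
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//cdn.bootcdn.net/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<link rel="stylesheet" href="https://static.example.org/site.css">
<script src="/js/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(triage_banners(SAMPLE_BANNERS))
    for url, kind in find_polyfill_references(SAMPLE_HTML).items():
        print(f"{kind}: {url}")
```

The comment match is exact, as in the `ssh.endpoint_id.comment` exclusion: a distribution build one revision behind the listed one (the `deb12u2` sample) stays flagged, which is the behaviour you want when deciding what to patch.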
New Fingerprints
Added the following fingerprints:
Type | Name | Category | Description | Censys Search Query |
---|---|---|---|---|
software | NetSupportManager RAT | C2 | A NetSupportManager remote access trojan (RAT) server. | services.software:(vendor='NetSupportManager RAT' and product='NetSupportManager RAT') |
software | Poseidon C2 | C2 | A Poseidon C2 Server. | services.software:(vendor='Poseidon' and product='Poseidon') |
software | Rod Stealer C2 | C2 | A ROD Stealer C2 Server. | services.software:(vendor='ROD Stealer' and product='ROD Stealer') |
software | Saphira Botnet C2 | C2 | A Saphira Botnet Server. | services.software:(vendor='Saphira BotNet' and product='Saphira BotNet') |
software | XWiki | Open Source Software | XWiki is an open-source wiki software platform. | services.software:(vendor='XWiki' and product='XWiki') |
Added the following risk fingerprints to ASM:
Type | Name | Category and Severity | Description | Censys ASM Query |
---|---|---|---|---|
risk | Exposed Polyfill Supply Chain Attack Endpoint | Rapid Response (CVE) - Medium | This service is embedding code that references the compromised cdn.polyfill[.]io endpoint or related suspicious domains, potentially exposing users to malicious redirects and malware. Note that as of June 27, 2024, the malicious domain is no longer active. | risks.name="Exposed Polyfill Supply Chain Attack Endpoint" |
risk | Vulnerable OpenSSH CVE-2024-6387 | Rapid Response (CVE) - Critical | This service is running a vulnerable version of OpenSSH susceptible to CVE-2024-6387, a regression of the previously fixed CVE-2006-5051. | risks.name="Vulnerable OpenSSH [CVE-2024-6387]" |