# Automate Insecure OpenSSH vulnerability patching in Ubuntu AWS EC2 with Cortex Xpanse

By [Chaithanya Allu](https://www.paloaltonetworks.com/blog/author/chaithanya-allu/?ts=markdown "Posts by Chaithanya Allu") Jul 25, 2024 5 minutes [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown) [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)
[Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown) [Active Response](https://www.paloaltonetworks.com/blog/tag/active-response/?ts=markdown) [Attack Surface Management](https://www.paloaltonetworks.com/blog/tag/attack-surface-management/?ts=markdown) [Automation](https://www.paloaltonetworks.com/blog/tag/automation/?ts=markdown) [Cortex Xpanse](https://www.paloaltonetworks.com/blog/tag/cortex-xpanse/?ts=markdown)

### **Automate Patching Vulnerable Software with Cortex Xpanse Active Response**

Vulnerabilities in Open Secure Shell (OpenSSH), such as the one tracked as CVE-2023-25136, pose a significant threat to Amazon Web Services Elastic Compute Cloud (AWS EC2) instances. Left unpatched, an exposed OpenSSH server gives an attacker a direct path onto the instance, with the loss of sensitive data and the reputational damage that follow.

OpenSSH is a set of networking tools that use the Secure Shell (SSH) protocol to provide encrypted, authenticated communication over untrusted networks. It is the standard tool for remote server management and secure file transfer. However, OpenSSH versions earlier than 9.8 are flagged by Cortex Xpanse as Insecure OpenSSH, a serious security risk; 9.8p1 is the upstream release that fixed CVE-2024-6387, the bug covered by the Unit 42 threat brief cited below. According to that recent [Unit 42 study](https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/), there are about 23 million internet-facing OpenSSH server instances across all versions, and about one-third of them run outdated, vulnerable versions. Patching them costs your organization people and time, and the work repeats with every new fixed release. In an environment with complex, distributed infrastructure it becomes an onerous process.
As of this writing, the Insecure OpenSSH finding covers OpenSSH versions earlier than 9.8. The associated vulnerabilities are [CVE-2023-25136](https://nvd.nist.gov/vuln/detail/cve-2023-25136), [CVE-2021-28041](https://nvd.nist.gov/vuln/detail/CVE-2021-28041), [CVE-2021-41617](https://nvd.nist.gov/vuln/detail/CVE-2021-41617), and [CVE-2023-38408](https://nvd.nist.gov/vuln/detail/CVE-2023-38408); they range from memory-safety bugs in sshd and ssh-agent to privilege escalation, and the most severe of them can lead to remote code execution on your instances. The Cortex Xpanse Active Response module provides an automated patching option that uses AWS Systems Manager to upgrade to a fixed version, saving you time and resources. Xpanse discovers all of your Insecure OpenSSH exposures, enriches each one with the remediation details it needs about the underlying EC2 instance through its integrations, and then patches the instance through AWS Systems Manager. Because discovery runs continuously, an insecure EC2 instance that an engineer stands up later is found and can be remediated the same way.

### **Setting Up integrations in Cortex Xpanse**

As a prerequisite, the AWS Systems Manager agent (SSM Agent) must be installed and running on the instances you want to manage; it can be installed on EC2 instances, edge devices, on-premises servers, and virtual machines. The instance also needs an IAM instance profile that lets it register with Systems Manager (the AWS managed policy AmazonSSMManagedInstanceCore grants exactly that). Xpanse offers an [integration](https://xsoar.pan.dev/docs/reference/integrations/aws---system-manager) through the AWS Systems Manager pack that lets you set up and manage Systems Manager from Xpanse. To get started, add your AWS region, access key, secret key, and any additional settings you need. Use credentials for a dedicated IAM principal scoped to the Systems Manager actions the remediation playbook needs rather than a broadly privileged account, since these credentials will be able to run commands on your instances. Our team is here to support you and help you get the most out of the integration.
![Fig 1: AWS - Systems Manager integration configuration](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-325534-1.png) Fig 1: AWS - Systems Manager integration configuration

### **Collecting and Enriching Information About Your EC2 Instance**

Once the integration is set up, Xpanse pulls information about your EC2 instances from Systems Manager: SSM Agent status, platform type, platform name, and platform version. Xpanse attaches this information to the finding so you can quickly decide whether to patch the vulnerable version through automated remediation. After the patch, Xpanse verifies that the vulnerability has actually been remediated. For automated patching to be offered, all of the following must hold:

* the AWS Systems Manager integration is enabled;
* the attack surface rule ID of the finding is InsecureOpenSSH;
* the SSM Agent on the instance is active (online); and
* the instance operating system is Linux, Ubuntu.

![Fig 2: Systems identifiers captured via integrations](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-325534-2.png) Fig 2: Systems identifiers captured via integrations

### **Remediation**

Once enrichment is complete, Xpanse knows enough about the instance to determine whether it can perform automated remediation. For Insecure OpenSSH findings on instances managed by AWS Systems Manager, Active Response can automatically remediate Ubuntu instances. When the criteria above are met, the following options are shown on screen, and your analyst chooses one of them to proceed. Choosing "Automated remediation by patching vulnerable software" starts the OpenSSH upgrade.
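The gating logic and the Systems Manager call described in the two sections above, as an added example that is not Cortex Xpanse, XSOAR or AWS code. It assumes instance records shaped like the entries AWS SSM `DescribeInstanceInformation` returns (the `PingStatus`, `PlatformType` and `PlatformName` fields), SSH banners as a scanner would collect them, and the stock `AWS-RunShellScript` document. The instance records and banners in the block are constructed sample data. One deliberate difference from the playbook on this page: instead of building OpenSSH from upstream source, the command it assembles upgrades the Ubuntu package through apt, which keeps the instance on the distribution's security backports.

```python
"""Eligibility, version check and SSM command construction for an OpenSSH
remediation flow modelled on the one described above.

Added example; not Cortex Xpanse, XSOAR or AWS code. Instance records follow
the shape of AWS SSM DescribeInstanceInformation entries; sample data below
is constructed. No AWS call is made here: build_ssm_command() only returns
the keyword arguments a caller would pass to boto3's ssm.send_command().
"""
import re

# 9.8p1 is the upstream release that fixed CVE-2024-6387; anything older
# falls inside the Insecure OpenSSH version range discussed above.
FIXED_VERSION = (9, 8)

# Matches "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6" as well as plain "OpenSSH_9.8p1".
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:[ \t]+(\S+))?")


def parse_openssh_banner(banner):
    """Return (major, minor, distro_suffix), or None for a non-OpenSSH banner."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3) or ""


def is_vulnerable_by_version(banner):
    """True when the advertised upstream version is older than FIXED_VERSION.

    Caveat: Ubuntu backports security fixes without bumping the upstream
    version, so "OpenSSH_8.9p1 Ubuntu-3ubuntu0.10" may already carry the fix.
    A hit with a distro suffix means "check the package version", not
    "proven exposed".
    """
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return False  # not OpenSSH or no banner: outside this rule's scope
    major, minor, _suffix = parsed
    return (major, minor) < FIXED_VERSION


def has_distro_suffix(banner):
    parsed = parse_openssh_banner(banner)
    return bool(parsed and parsed[2])


def eligible_for_auto_remediation(info):
    """The conditions above that SSM instance information can answer: agent
    online, Linux, Ubuntu. The InsecureOpenSSH rule match comes from the
    Xpanse finding itself and is decided by the caller."""
    return (
        info.get("PingStatus") == "Online"
        and info.get("PlatformType") == "Linux"
        and info.get("PlatformName") == "Ubuntu"
    )


def select_targets(instances, banners):
    """Instance IDs that are eligible and still advertise an old version."""
    return [
        i["InstanceId"]
        for i in instances
        if eligible_for_auto_remediation(i)
        and is_vulnerable_by_version(banners.get(i["InstanceId"], ""))
    ]


# Shell lines run by AWS-RunShellScript. SSM Agent runs them as root by
# default, so no sudo. The "before"/"after" lines make the command output
# usable as the post-remediation check.
UPGRADE_SCRIPT = [
    "set -eu",
    "dpkg-query -W -f='before: ${Package} ${Version}\\n' openssh-server",
    "export DEBIAN_FRONTEND=noninteractive",
    "apt-get update -qq",
    "apt-get install -y -qq --only-upgrade openssh-server openssh-client",
    "systemctl restart ssh",
    "dpkg-query -W -f='after: ${Package} ${Version}\\n' openssh-server",
    "ssh -V",
]


def build_ssm_command(instance_ids, script=UPGRADE_SCRIPT):
    """Keyword arguments for boto3 ssm.send_command(**params)."""
    return {
        "InstanceIds": list(instance_ids),
        "DocumentName": "AWS-RunShellScript",
        "Comment": "OpenSSH upgrade (automated remediation)",
        "Parameters": {"commands": list(script)},
        "TimeoutSeconds": 600,
    }


def verify_remediated(banner):
    """Post-remediation check on a freshly collected banner."""
    return parse_openssh_banner(banner) is not None and not is_vulnerable_by_version(banner)


# Constructed sample data: one eligible and vulnerable, one with the agent
# offline, one non-Ubuntu platform.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa111", "PingStatus": "Online", "PlatformType": "Linux",
     "PlatformName": "Ubuntu", "PlatformVersion": "22.04"},
    {"InstanceId": "i-0bbb222", "PingStatus": "ConnectionLost", "PlatformType": "Linux",
     "PlatformName": "Ubuntu", "PlatformVersion": "20.04"},
    {"InstanceId": "i-0ccc333", "PingStatus": "Online", "PlatformType": "Linux",
     "PlatformName": "Amazon Linux", "PlatformVersion": "2023"},
]
SAMPLE_BANNERS = {
    "i-0aaa111": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "i-0bbb222": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11",
    "i-0ccc333": "SSH-2.0-OpenSSH_9.3p1",
}

if __name__ == "__main__":
    targets = select_targets(SAMPLE_INSTANCES, SAMPLE_BANNERS)
    print("targets:", targets)
    print(build_ssm_command(targets))
```

In a live run the instance list would come from `ssm.describe_instance_information()`, the returned dictionary would be passed to `ssm.send_command(**params)`, and `ssm.get_command_invocation()` would fetch the "before"/"after" lines for the verification step. The `has_distro_suffix` check is there because banner-based version matching over-reports on Ubuntu; the package version printed by `dpkg-query` is the authoritative answer.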
![Fig 3: Remediation action options shown in Cortex Xpanse UI](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-325534-3.png) Fig 3: Remediation action options shown in Cortex Xpanse UI

The automated remediation option uses the AWS Systems Manager integration to download the latest portable OpenSSH source release from [OpenBSD](https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/) to your instance, compile it, and install it, so that the EC2 instance ends up on the current upstream version and the flaws present in the older version are closed. Two points worth knowing before you rely on this path. First, a build from upstream source is installed outside Ubuntu's package management, so apt will not track or upgrade it afterwards; keep such instances in view for the next OpenSSH release, and confirm the downloaded tarball against the signature published alongside it on the OpenBSD mirror. Second, Ubuntu backports security fixes into its own openssh packages without changing the upstream version in the banner (an Ubuntu 22.04 server reports OpenSSH_8.9p1 even when fully patched), so an instance flagged on version string alone may already carry the fix through its distribution package; the enrichment data and the post-remediation verification are what settle it.

### **Pre-remediation:**

![Fig 4: Insecure OpenSSH version before remediation](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-325534-4.png) Fig 4: Insecure OpenSSH version before remediation

### **Post-remediation:**

![Fig 5: Patched OpenSSH version after remediation](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-325534-5.png) Fig 5: Patched OpenSSH version after remediation

### **Conclusion**

In the current threat landscape, automated remediation is crucial to keeping pace with the speed at which newly disclosed bugs are exploited. Palo Alto Networks continues to extend the automated remediation capabilities in its security products. Automation makes vulnerability detection and remediation faster and more consistent, saving both time and resources.
Reference

* Cortex Xpanse AWS Systems Manager pack: [https://xsoar.pan.dev/docs/reference/integrations/aws---system-manager](https://xsoar.pan.dev/docs/reference/integrations/aws---system-manager)
* Remediation Playbook used: [https://xsoar.pan.dev/docs/reference/playbooks/aws---package-upgrade](https://xsoar.pan.dev/docs/reference/playbooks/aws---package-upgrade)
* AWS Systems Manager: [https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html)
* OpenBSD: [https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/](https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/)