Longitudinal Study of Internet-Facing OpenSSH Update Patterns

  • Conference paper
Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13210)

Abstract

Keeping server software patched and up-to-date is a never-ending struggle for system administrators that is crucial for security. Nevertheless, we know little about how well or how consistently software updates are applied over time across the Internet. We shed light on software update behavior on publicly addressable networks by utilizing Internet-wide scans of OpenSSH banners. We primarily focus on OpenSSH banners which contain patch-level information in order to map accurate release dates. We augment this view by tracking which software security backports fix vulnerabilities in older OpenSSH versions. We find that the availability of backports, not CVE announcements or upstream software updates, triggers rapid updates. Unfortunately, we also determine that the lag in publishing backports (if they are published at all) combined with the steady cadence of new vulnerability reports ensures that most of the time, the vast majority of machines are vulnerable to at least one CVE. Additionally, we observe that major cloud hosting providers are consistently faster to apply patches.
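As an added illustration (not code from the paper), the sketch below shows how a banner carrying distribution patch-level information can be split into its upstream version and package revision, and then mapped to a publication date. The function names, the sample banners and the publication date are constructed for this example and are not taken from the paper's data set.

```python
import re
from datetime import date

# SSH identification string: SSH-<proto>-<software>[ <comment>] (RFC 4253, section 4.2).
# Distribution builds put the package revision in the comment, e.g. "Ubuntu-4ubuntu0.3".
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<upstream>\d+\.\d+(?:\.\d+)?(?:p\d+)?)"
    r"(?:[ \t]+(?P<distro>[A-Za-z]+)-(?P<rev>\S+))?"
)

def parse_banner(banner):
    """Return upstream version and distro patch level, or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    info = m.groupdict()
    info["has_patch_level"] = info["rev"] is not None
    # Only banners with a revision identify one specific package build.
    info["package"] = f'{info["upstream"]}-{info["rev"]}' if info["rev"] else None
    return info

def build_age_days(banner, scan_day, publish_dates):
    """Days between publication of the advertised build and the scan.

    Returns None when the banner lacks patch-level information or the
    build is missing from the lookup table.
    """
    info = parse_banner(banner)
    if not info or not info["has_patch_level"]:
        return None
    published = publish_dates.get((info["distro"], info["package"]))
    return None if published is None else (scan_day - published).days

# Constructed sample input: banner strings and the publication date are
# illustrative values, not real scan results or package history.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",   # patch level present
    "SSH-2.0-OpenSSH_7.4",                       # upstream version only
    "SSH-2.0-dropbear_2019.78",                  # not OpenSSH
]
SAMPLE_PUBLISH_DATES = {("Ubuntu", "7.6p1-4ubuntu0.3"): date(2019, 1, 1)}
SAMPLE_SCAN_DAY = date(2019, 3, 2)

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        age = build_age_days(b, SAMPLE_SCAN_DAY, SAMPLE_PUBLISH_DATES)
        print(f"{b!r}: parsed={parse_banner(b) is not None}, age_days={age}")
```

A banner without a distribution comment still reveals the upstream release, but it cannot distinguish a backported build from an unpatched one, which is why the lookup returns no age for it.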

Acknowledgments

This research was supported by the Air Force Research Laboratory (AFRL) under agreement number FA8750-19-1-0152. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of AFRL or the U.S. Government.

Author information

Correspondence to Jonathan Codi West.

Appendix A Plots of Ubuntu IPs Affected by CVEs

Below are the plots (similar to Fig. 4) of vulnerable Ubuntu IPs per CVE within the October 2015 through December 2019 measurement period, ordered sequentially by vulnerability publication date. Plots with a darker background do not have a backport on Ubuntu.

figure b

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

West, J.C., Moore, T. (2022). Longitudinal Study of Internet-Facing OpenSSH Update Patterns. In: Hohlfeld, O., Moura, G., Pelsser, C. (eds) Passive and Active Measurement. PAM 2022. Lecture Notes in Computer Science, vol 13210. Springer, Cham. https://doi.org/10.1007/978-3-030-98785-5_30

  • DOI: https://doi.org/10.1007/978-3-030-98785-5_30

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-98784-8

  • Online ISBN: 978-3-030-98785-5

  • eBook Packages: Computer Science, Computer Science (R0)
