Rocky Linux 9系统 OpenSSH CVE-2024-6387 漏洞修复
- 1、漏洞修复
- 2、修复思路
- 3、修复方案
- 3.1、方案一
- 3.2、方案二
- 4、总结
- 5、参考
1、漏洞修复
CVE-2024-6387:regreSSHion:OpenSSH 服务器中的远程代码执行(RCE),至少在基于 glibc 的 Linux 系统上可被利用。
根据 oss-security - CVE-2024-6387: RCE in OpenSSH’s server, on glibc-based Linux systems 的发现并由 oss-security - Announce: OpenSSH 9.8 released 上游总结,在 Portable OpenSSH 版本 8.5p1 至 9.7p1(含)中,sshd(8) 存在一个严重漏洞,可能允许以 root 权限执行任意代码。
在 32 位的 Linux/glibc 系统上,成功利用该漏洞已被证明,且需要启用地址空间布局随机化(ASLR)。在实验室条件下,攻击平均需要 6-8 小时的持续连接,直到服务器达到最大连接数为止。目前尚未证明在 64 位系统上可以利用该漏洞,但认为这可能是可行的。这些攻击很有可能会得到进一步改进。
公开披露日期: 2024年7月1日
影响范围: Rocky Linux 9
**修复版本:**8.7p1-38.el9_4.security.0.5 2024 年 7 月 1 日可用。
不受影响: Rocky Linux 8
2、修复思路
安装 8.7p1-38.el9_4.security.0.5 即可。
3、修复方案
方案一采用在线方式修复,方案二采用离线方式修复。根据自身的网络环境采用对应的方式进行修复
3.1、方案一
# 查看当前版本
[root@localhost ~]# rpm -qa | grep openssh
openssh-8.7p1-38.el9.x86_64
openssh-clients-8.7p1-38.el9.x86_64
openssh-server-8.7p1-38.el9.x86_64# 安装更新源
[root@localhost ~]# dnf install -y rocky-release-security
Last metadata expiration check: 1:16:01 ago on Wed 03 Jul 2024 09:08:38 AM CST.
Dependencies resolved.
================================================================================================================================================================================================================================================================Package Architecture Version Repository Size
================================================================================================================================================================================================================================================================
Installing:rocky-release-security noarch 9-4.el9 extras 9.5 kTransaction Summary
================================================================================================================================================================================================================================================================
Install 1 PackageTotal download size: 9.5 k
Installed size: 3.2 k
Downloading Packages:
rocky-release-security-9-4.el9.noarch.rpm 38 kB/s | 9.5 kB 00:00
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 38 kB/s | 9.5 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transactionPreparing : 1/1 Installing : rocky-release-security-9-4.el9.noarch 1/1 Running scriptlet: rocky-release-security-9-4.el9.noarch 1/1 Verifying : rocky-release-security-9-4.el9.noarch 1/1 Installed:rocky-release-security-9-4.el9.noarch Complete!# 禁用 SIG/Security security-common repo
[root@localhost ~]# dnf config-manager --disable security-common# 升级 openssh
[root@localhost ~]# dnf --enablerepo=security-common -y update openssh\*
Rocky Linux 9 - SIG Security Common 35 kB/s | 117 kB 00:03
Last metadata expiration check: 0:00:01 ago on Wed 03 Jul 2024 10:25:04 AM CST.
Dependencies resolved.
================================================================================================================================================================================================================================================================Package Architecture Version Repository Size
================================================================================================================================================================================================================================================================
Upgrading:openssh x86_64 8.7p1-38.el9_4.security.0.5 security-common 453 kopenssh-clients x86_64 8.7p1-38.el9_4.security.0.5 security-common 693 kopenssh-server x86_64 8.7p1-38.el9_4.security.0.5 security-common 435 kTransaction Summary
================================================================================================================================================================================================================================================================
Upgrade 3 PackagesTotal download size: 1.5 M
Downloading Packages:
(1/3): openssh-server-8.7p1-38.el9_4.security.0.5.x86_64.rpm 122 kB/s | 435 kB 00:03
(2/3): openssh-8.7p1-38.el9_4.security.0.5.x86_64.rpm 125 kB/s | 453 kB 00:03
(3/3): openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64.rpm 171 kB/s | 693 kB 00:04
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 331 kB/s | 1.5 MB 00:04
Rocky Linux 9 - SIG Security Common 1.6 MB/s | 1.7 kB 00:00
Importing GPG key 0x0FE8D526:Userid : "Rocky Linux 9 SIGs - Security <releng@rockylinux.org>"Fingerprint: 23DC 35EB E743 BAB0 CED2 1D20 8D79 B737 0FE8 D526From : /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-SIG-Security
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transactionPreparing : 1/1 Running scriptlet: openssh-8.7p1-38.el9_4.security.0.5.x86_64 1/6 Upgrading : openssh-8.7p1-38.el9_4.security.0.5.x86_64 1/6 Running scriptlet: openssh-server-8.7p1-38.el9_4.security.0.5.x86_64 2/6 Upgrading : openssh-server-8.7p1-38.el9_4.security.0.5.x86_64 2/6 Running scriptlet: openssh-server-8.7p1-38.el9_4.security.0.5.x86_64 2/6 Upgrading : openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64 3/6 Running scriptlet: openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64 3/6 Running scriptlet: openssh-clients-8.7p1-38.el9.x86_64 4/6 Cleanup : openssh-clients-8.7p1-38.el9.x86_64 4/6 Running scriptlet: openssh-server-8.7p1-38.el9.x86_64 5/6 Cleanup : openssh-server-8.7p1-38.el9.x86_64 5/6 Running scriptlet: openssh-server-8.7p1-38.el9.x86_64 5/6 Cleanup : openssh-8.7p1-38.el9.x86_64 6/6 Running scriptlet: openssh-8.7p1-38.el9.x86_64 6/6 Verifying : openssh-server-8.7p1-38.el9_4.security.0.5.x86_64 1/6 Verifying : openssh-server-8.7p1-38.el9.x86_64 2/6 Verifying : openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64 3/6 Verifying : openssh-clients-8.7p1-38.el9.x86_64 4/6 Verifying : openssh-8.7p1-38.el9_4.security.0.5.x86_64 5/6 Verifying : openssh-8.7p1-38.el9.x86_64 6/6 Upgraded:openssh-8.7p1-38.el9_4.security.0.5.x86_64 openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64 openssh-server-8.7p1-38.el9_4.security.0.5.x86_64 Complete!# 确保 openssh-8.7p1-38.el9_4.security.0.5 已安装
[root@localhost ~]# rpm -q openssh
openssh-8.7p1-38.el9_4.security.0.5.x86_64[root@localhost ~]# rpm -qa | grep openssh
openssh-8.7p1-38.el9_4.security.0.5.x86_64
openssh-server-8.7p1-38.el9_4.security.0.5.x86_64
openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64# 因为安装过程中会自动重启 sshd 服务,所以安装完后无需再手动重启服务
[root@localhost ~]# systemctl status sshd
● sshd.service - OpenSSH server daemonLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)Active: active (running) since Wed 2024-07-03 10:18:42 CST; 34s ago # 重启时间Docs: man:sshd(8)man:sshd_config(5)Main PID: 64456 (sshd)Tasks: 1 (limit: 48933)Memory: 1.1MCPU: 14msCGroup: /system.slice/sshd.service└─64456 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"Jul 03 10:18:42 localhost systemd[1]: Starting OpenSSH server daemon...
Jul 03 10:18:42 localhost sshd[64456]: Server listening on 0.0.0.0 port 22.
Jul 03 10:18:42 localhost systemd[1]: Started OpenSSH server daemon.
3.2、方案二
下载需要升级的安装包
编制安装脚本。
#!/bin/bash
set -e
echo -e "=======================================温馨提醒========================================="
echo -e "=== 1.本次安装升级OpenSSh9.8将同时升级OpenSSL版本至3.2.0,务必确保应用及产品兼容性。 ==="
echo -e "=== 2.建议提供其他能够链接至服务器的工具如Telnet防止升级失败导致服务器无法登录。 ==="
echo -e "=== 3.默认配置文件为/etc/ssh/sshd_config,若为自定义路径请修改脚本中SSH_CONFIG路径 ==="
echo -e "========================================================================================"function OpenSSH_update() {yum localinstall -y openssh-*#cp -a /etc/ssh/ssh_host_* /tmp#rm -rf /etc/ssh/ssh_host_*#默认配置文件SSH_CONFIG=/etc/ssh/sshd_configCOUNTERS=0while [ ! -f ${SSH_CONFIG} ] && [ ${COUNTERS} -lt 3 ]; doecho -e "默认配置文件${SSH_CONFIG}不存在,请确认sshd_config配置文件位置。"read -p "请输入sshd_config文件路径,(例:/etc/ssh/sshd_config) :" SSH_CONFIGCOUNTERS=$((COUNTERS+1))doneif [ ${COUNTERS} -eq 3 ]; thenecho "已经达到最大重试次数,升级脚本自动退出,请确认配置文件路径后在次运行脚本。"exit 1fiecho -e "默认配置文件为${SSH_CONFIG}"#备份配置文件到/tmpcp -a ${SSH_CONFIG} /tmp#表示指定将接受用于基于主机的身份验证的密钥类型。if ! grep -q '^PubkeyAcceptedAlgorithms' "${SSH_CONFIG}"; thensed -i '$a\PubkeyAcceptedAlgorithms +ssh-rsa' "${SSH_CONFIG}"fi# 表示指定公钥认证允许的密钥类型。if ! grep -q '^PubkeyAcceptedKeyTypes' "${SSH_CONFIG}"; thensed -i '$a\PubkeyAcceptedKeyTypes +ssh-rsa' "${SSH_CONFIG}"fi# 表示指定服务器提供的主机密钥算法。if ! grep -q '^HostKeyAlgorithms' "${SSH_CONFIG}"; thensed -i '$a\HostKeyAlgorithms +ssh-rsa' "${SSH_CONFIG}"fi#PubkeyAcceptedKeyTypes +ssh-rsa
#HostKeyAlgorithms +ssh-rsaecho -e "重启sshd服务......"systemctl restart sshdif [ -n "$(systemctl status sshd | grep "active (running)")" ]; then echo "OpenSSH 升级成功"exit 0else echo "重启sshd服务异常,请手动检查错误信息(systemctl status sshd -l)"exit 1fi}function main() {while truedoread -p "请确认是否继续升级操作(Y/N)" yncase ${yn} in[Yy] ) echo "开始升级......"; OpenSSH_update;;[Nn] ) echo "退出"; exit 0; break;; * ) echo "请输入Yy/Nn";;esacdone
}main将安装包和脚本上传至服务器,运行脚本。
4、总结
互联网接入环境中推荐方案一,离线情况下使用方案二操作。
5、参考
Rocky Linux 9 & RedHat 系 OpenSSH CVE-2024-6387 漏洞快速修复
