Vulnerability description
OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol. It provides encryption that protects privacy and secures file transfers, making it the tool of choice for remote server administration and secure data communication.
Recently, Antiy CERT observed that OpenSSH has fixed a remote code execution vulnerability (CVE-2024-6387). The vulnerability stems from a signal handler race condition in the OpenSSH server (sshd); an unauthenticated attacker can exploit it to execute arbitrary code as root on Linux systems. Technical details of the vulnerability (including a PoC) have already been published on the Internet, and nearly ten million OpenSSH instances are exposed to the Internet. Affected users are advised to upgrade to the latest version promptly, or to adopt protective measures that strengthen their defences against network attacks.
Affected versions
OpenSSH < 4.4p1
8.5p1 <= OpenSSH < 9.8p1
Remediation advice
(1) Official fix
The vendor has released a secure version that fixes this vulnerability; affected users are advised to upgrade to the following secure version.
● OpenSSH > 9.8p1
Official site: https://www.openssh.com/releasenotes.html
(2) Mitigations
Where patching is not possible, the following measures can be used as mitigation.
Check and enable hardening: make sure address space layout randomization (ASLR) is turned on.
Set a user access policy that grants SSH login rights only to trusted users.
Enable two-factor authentication (2FA) on the system or host.
How to fix on Rocky Linux 9
Rocky Linux 9 has already published the corresponding patched packages; simply run dnf update to update the openssh package.
1. Check the current OpenSSH version
[root@testserver ~]# rpm -qa | grep sshd*
openssh-8.7p1-38.el9.x86_64
openssh-clients-8.7p1-38.el9.x86_64
openssh-server-8.7p1-38.el9.x86_64
2. Run the update
[root@testserver ~]# dnf upgrade sshd
Last metadata expiration check: 0:00:45 ago on Tue 16 Jul 2024 03:47:34 PM CST.
No match for argument: sshd
Error: No packages marked for upgrade.
[root@192-170-1-33-jenkins ~]# dnf upgrade openssh
Last metadata expiration check: 0:01:27 ago on Tue 16 Jul 2024 03:47:34 PM CST.
Dependencies resolved.
=============================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================
Upgrading:
openssh x86_64 8.7p1-38.el9_4.4 baseos 457 k
openssh-clients x86_64 8.7p1-38.el9_4.4 baseos 713 k
openssh-server x86_64 8.7p1-38.el9_4.4 baseos 458 k
Transaction Summary
=============================================================================================================================================================================
Upgrade 3 Packages
Total download size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
[MIRROR] openssh-8.7p1-38.el9_4.4.x86_64.rpm: Curl error (6): Couldn't resolve host name for https://mirrors.tuna.tsinghua..edu.cn/rocky/9.4/BaseOS/x86_64/os/Packages/o/openssh-8.7p1-38.el9_4.4.x86_64.rpm [Could not resolve host: mirrors.tuna.tsinghua..edu.cn]
[MIRROR] openssh-server-8.7p1-38.el9_4.4.x86_64.rpm: Curl error (6): Couldn't resolve host name for https://mirrors.tuna.tsinghua..edu.cn/rocky/9.4/BaseOS/x86_64/os/Packages/o/openssh-server-8.7p1-38.el9_4.4.x86_64.rpm [Could not resolve host: mirrors.tuna.tsinghua..edu.cn]
[MIRROR] openssh-clients-8.7p1-38.el9_4.4.x86_64.rpm: Curl error (6): Couldn't resolve host name for https://mirrors.tuna.tsinghua..edu.cn/rocky/9.4/BaseOS/x86_64/os/Packages/o/openssh-clients-8.7p1-38.el9_4.4.x86_64.rpm [Could not resolve host: mirrors.tuna.tsinghua..edu.cn]
(1/3): openssh-8.7p1-38.el9_4.4.x86_64.rpm 615 kB/s | 457 kB 00:00
(2/3): openssh-clients-8.7p1-38.el9_4.4.x86_64.rpm 637 kB/s | 713 kB 00:01
(3/3): openssh-server-8.7p1-38.el9_4.4.x86_64.rpm 313 kB/s | 458 kB 00:01
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 621 kB/s | 1.6 MB 00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: openssh-8.7p1-38.el9_4.4.x86_64 1/6
Upgrading : openssh-8.7p1-38.el9_4.4.x86_64 1/6
Running scriptlet: openssh-server-8.7p1-38.el9_4.4.x86_64 2/6
Upgrading : openssh-server-8.7p1-38.el9_4.4.x86_64 2/6
Running scriptlet: openssh-server-8.7p1-38.el9_4.4.x86_64 2/6
Upgrading : openssh-clients-8.7p1-38.el9_4.4.x86_64 3/6
Running scriptlet: openssh-clients-8.7p1-38.el9_4.4.x86_64 3/6
Running scriptlet: openssh-clients-8.7p1-38.el9.x86_64 4/6
Cleanup : openssh-clients-8.7p1-38.el9.x86_64 4/6
Running scriptlet: openssh-server-8.7p1-38.el9.x86_64 5/6
Cleanup : openssh-server-8.7p1-38.el9.x86_64 5/6
Running scriptlet: openssh-server-8.7p1-38.el9.x86_64 5/6
Cleanup : openssh-8.7p1-38.el9.x86_64 6/6
Running scriptlet: openssh-8.7p1-38.el9.x86_64 6/6
Verifying : openssh-server-8.7p1-38.el9_4.4.x86_64 1/6
Verifying : openssh-server-8.7p1-38.el9.x86_64 2/6
Verifying : openssh-clients-8.7p1-38.el9_4.4.x86_64 3/6
Verifying : openssh-clients-8.7p1-38.el9.x86_64 4/6
Verifying : openssh-8.7p1-38.el9_4.4.x86_64 5/6
Verifying : openssh-8.7p1-38.el9.x86_64 6/6
Upgraded:
openssh-8.7p1-38.el9_4.4.x86_64 openssh-clients-8.7p1-38.el9_4.4.x86_64 openssh-server-8.7p1-38.el9_4.4.x86_64
Complete!
3. Check the openssh version after the update
[root@testserver ~]# rpm -qa | grep openssh
openssh-8.7p1-38.el9_4.4.x86_64
openssh-server-8.7p1-38.el9_4.4.x86_64
openssh-clients-8.7p1-38.el9_4.4.x86_64
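Because Rocky Linux backports fixes without changing the upstream version string, the output above still reads 8.7p1 before and after the fix; only the RPM release (38.el9 versus 38.el9_4.4) tells the two apart. The following added helper script (not part of this post or of the Rocky project) classifies an installed openssh-server package by first checking the upstream version against the affected ranges listed above and then, for versions inside those ranges, comparing the RPM release with the fixed release shown in the dnf transaction. It assumes that later Rocky 9 releases sort after 38.el9_4.4 under sort -V and keep the fix.

```shell
#!/bin/sh
# Fixed Rocky Linux 9 release taken from the dnf output above.
FIXED_REL="38.el9_4.4"

# ver_key 8.7p1 -> 8007001 : numeric key for an upstream OpenSSH version.
ver_key() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%p*}; patch=${rest#*p}
    [ "$patch" = "$rest" ] && patch=0      # version without a "pN" suffix
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# True (0) when the upstream version lies in an affected range:
# < 4.4p1, or 8.5p1 <= version < 9.8p1.
is_affected_version() {
    k=$(ver_key "$1")
    [ "$k" -lt "$(ver_key 4.4p1)" ] && return 0
    [ "$k" -ge "$(ver_key 8.5p1)" ] && [ "$k" -lt "$(ver_key 9.8p1)" ] && return 0
    return 1
}

# True (0) when release $1 sorts at or after release $2 (GNU sort -V,
# an assumption about how Rocky release strings order).
rel_at_least() {
    [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# classify_openssh_rpm NVRA -> fixed-upstream | backport-fixed | vulnerable
# NVRA is the form printed by "rpm -q", e.g. openssh-server-8.7p1-38.el9.x86_64
classify_openssh_rpm() {
    nvr=${1%.*}                       # drop architecture
    rel=${nvr##*-}; nv=${nvr%-*}      # release, then name-version
    ver=${nv##*-}                     # upstream version
    if ! is_affected_version "$ver"; then
        echo fixed-upstream
    elif rel_at_least "$rel" "$FIXED_REL"; then
        echo backport-fixed
    else
        echo vulnerable
    fi
}

# Stand-alone run: classify the live package when rpm is present,
# otherwise the two constructed sample strings taken from this post.
if command -v rpm >/dev/null 2>&1; then
    pkgs=$(rpm -q openssh-server 2>/dev/null)
else
    pkgs="openssh-server-8.7p1-38.el9.x86_64 openssh-server-8.7p1-38.el9_4.4.x86_64"
fi
for p in $pkgs; do echo "$p: $(classify_openssh_rpm "$p")"; done
```

On a host that upgrades only when the final line reports backport-fixed or fixed-upstream does the package carry the fix; the upstream version alone is not a reliable signal on backporting distributions.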