Rocky Linux 9 & RedHat 系 OpenSSH CVE-2024-6387 漏洞快速修复

漏洞说明

CVE-2024-6387:regreSSHion:OpenSSH 服务器中的远程代码执行(RCE),至少在基于 glibc 的 Linux 系统上可被利用。

根据 oss-security - CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems 的发现并由 oss-security - Announce: OpenSSH 9.8 released 上游总结,在 Portable OpenSSH 版本 8.5p19.7p1(含)中,sshd(8) 存在一个严重漏洞,可能允许以 root 权限执行任意代码。

在 32 位的 Linux/glibc 系统上,成功利用该漏洞已被证明,且需要启用地址空间布局随机化(ASLR)。在实验室条件下,攻击平均需要 6-8 小时的持续连接,直到服务器达到最大连接数为止。目前尚未证明在 64 位系统上可以利用该漏洞,但认为这可能是可行的。这些攻击很有可能会得到进一步改进。

公开披露日期: 2024年7月1日
影响范围: Rocky Linux 9
修复版本:8.7p1-38.el9_4.security.0.5 2024 年 7 月 1 日可用。
不受影响: Rocky Linux 8

最新修复方案

RedHat 上游已经修复 CVE-2024-6387 漏洞,详见参阅:RHSA-2024:4312 - Security Advisory - Red Hat Customer Portal,Rocky Linux 9 已经第一时间更新,执行 dnf update 更新 OpenSSH 包即可。

[root@localhost ~]# dnf upgrade openssh
上次元数据过期检查:1:42:00 前,执行于 2024年07月04日 星期四 14时54分55秒。
依赖关系解决。
================================================================================================================================================================================================================================================================
 软件包                                                            架构                                                     版本                                                                 仓库                                                      大小
================================================================================================================================================================================================================================================================
升级:
 openssh                                                           x86_64                                                   8.7p1-38.el9_4.1                                                     baseos                                                   458 k
 openssh-clients                                                   x86_64                                                   8.7p1-38.el9_4.1                                                     baseos                                                   713 k
 openssh-server                                                    x86_64                                                   8.7p1-38.el9_4.1                                                     baseos                                                   459 k

事务概要
================================================================================================================================================================================================================================================================
升级  3 软件包

总下载:1.6 M
确定吗?[y/N]: y
下载软件包:
(1/3): openssh-server-8.7p1-38.el9_4.1.x86_64.rpm                                                                                                                                                                               1.8 MB/s | 459 kB     00:00    
(2/3): openssh-clients-8.7p1-38.el9_4.1.x86_64.rpm                                                                                                                                                                              2.7 MB/s | 713 kB     00:00    
(3/3): openssh-8.7p1-38.el9_4.1.x86_64.rpm                                                                                                                                                                                      1.7 MB/s | 458 kB     00:00    
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
总计                                                                                                                                                                                                                            1.9 MB/s | 1.6 MB     00:00     
运行事务检查
事务检查成功。
运行事务测试
事务测试成功。
运行事务
  准备中  :                                                                                                                                                                                                                                                 1/1 
  运行脚本: openssh-8.7p1-38.el9_4.1.x86_64                                                                                                                                                                                                                 1/6 
  升级    : openssh-8.7p1-38.el9_4.1.x86_64                                                                                                                                                                                                                 1/6 
  运行脚本: openssh-server-8.7p1-38.el9_4.1.x86_64                                                                                                                                                                                                          2/6 
  升级    : openssh-server-8.7p1-38.el9_4.1.x86_64                                                                                                                                                                                                          2/6 
  运行脚本: openssh-server-8.7p1-38.el9_4.1.x86_64                                                                                                                                                                                                          2/6 
  升级    : openssh-clients-8.7p1-38.el9_4.1.x86_64                                                                                                                                                                                                         3/6 
  运行脚本: openssh-clients-8.7p1-38.el9_4.1.x86_64                                                                                                                                                                                                         3/6 
  运行脚本: openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                              4/6 
  清理    : openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                              4/6 
  运行脚本: openssh-server-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                               5/6 
  清理    : openssh-server-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                               5/6 
  运行脚本: openssh-server-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                               5/6 
  清理    : openssh-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                                      6/6 
  运行脚本: openssh-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                                      6/6 
  验证    : openssh-server-8.7p1-38.el9_4.1.x86_64                                                                                                                                                                                                          1/6 
  验证    : openssh-server-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                               2/6 
  验证    : openssh-clients-8.7p1-38.el9_4.1.x86_64                                                                                                                                                                                                         3/6 
  验证    : openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                              4/6 
  验证    : openssh-8.7p1-38.el9_4.1.x86_64                                                                                                                                                                                                                 5/6 
  验证    : openssh-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                                      6/6 

已升级:
  openssh-8.7p1-38.el9_4.1.x86_64                                                 openssh-clients-8.7p1-38.el9_4.1.x86_64                                                 openssh-server-8.7p1-38.el9_4.1.x86_64                                                

完毕!

# 确保安装最新版本,安装过程会自动重启 sshd 服务。
[root@localhost ~]# rpm -qa | grep openssh
openssh-8.7p1-38.el9_4.1.x86_64
openssh-clients-8.7p1-38.el9_4.1.x86_64
openssh-server-8.7p1-38.el9_4.1.x86_64

修复方案 【作废】

安装 8.7p1-38.el9_4.security.0.5 即可。

# 查看当前版本
[root@localhost ~]# rpm -qa | grep openssh
openssh-8.7p1-38.el9.x86_64
openssh-clients-8.7p1-38.el9.x86_64
openssh-server-8.7p1-38.el9.x86_64

# 安装更新源
[root@localhost ~]# dnf install -y rocky-release-security
Last metadata expiration check: 1:16:01 ago on Wed 03 Jul 2024 09:08:38 AM CST.
Dependencies resolved.
================================================================================================================================================================================================================================================================
 Package                                                                   Architecture                                              Version                                                    Repository                                                 Size
================================================================================================================================================================================================================================================================
Installing:
 rocky-release-security                                                    noarch                                                    9-4.el9                                                    extras                                                    9.5 k

Transaction Summary
================================================================================================================================================================================================================================================================
Install  1 Package

Total download size: 9.5 k
Installed size: 3.2 k
Downloading Packages:
rocky-release-security-9-4.el9.noarch.rpm                                                                                                                                                                                        38 kB/s | 9.5 kB     00:00    
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                            38 kB/s | 9.5 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                                        1/1 
  Installing       : rocky-release-security-9-4.el9.noarch                                                                                                                                                                                                  1/1 
  Running scriptlet: rocky-release-security-9-4.el9.noarch                                                                                                                                                                                                  1/1 
  Verifying        : rocky-release-security-9-4.el9.noarch                                                                                                                                                                                                  1/1 

Installed:
  rocky-release-security-9-4.el9.noarch                                                                                                                                                                                                                         

Complete!

# 禁用 SIG/Security security-common repo
[root@localhost ~]# dnf config-manager --disable security-common

# 升级 openssh
[root@localhost ~]# dnf --enablerepo=security-common -y update openssh\*
Rocky Linux 9 - SIG Security Common                                                                                                                                                                                              35 kB/s | 117 kB     00:03    
Last metadata expiration check: 0:00:01 ago on Wed 03 Jul 2024 10:25:04 AM CST.
Dependencies resolved.
================================================================================================================================================================================================================================================================
 Package                                                      Architecture                                        Version                                                                    Repository                                                    Size
================================================================================================================================================================================================================================================================
Upgrading:
 openssh                                                      x86_64                                              8.7p1-38.el9_4.security.0.5                                                security-common                                              453 k
 openssh-clients                                              x86_64                                              8.7p1-38.el9_4.security.0.5                                                security-common                                              693 k
 openssh-server                                               x86_64                                              8.7p1-38.el9_4.security.0.5                                                security-common                                              435 k

Transaction Summary
================================================================================================================================================================================================================================================================
Upgrade  3 Packages

Total download size: 1.5 M
Downloading Packages:
(1/3): openssh-server-8.7p1-38.el9_4.security.0.5.x86_64.rpm                                                                                                                                                                    122 kB/s | 435 kB     00:03    
(2/3): openssh-8.7p1-38.el9_4.security.0.5.x86_64.rpm                                                                                                                                                                           125 kB/s | 453 kB     00:03    
(3/3): openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64.rpm                                                                                                                                                                   171 kB/s | 693 kB     00:04    
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                           331 kB/s | 1.5 MB     00:04     
Rocky Linux 9 - SIG Security Common                                                                                                                                                                                             1.6 MB/s | 1.7 kB     00:00    
Importing GPG key 0x0FE8D526:
 Userid     : "Rocky Linux 9 SIGs - Security <[email protected]>"
 Fingerprint: 23DC 35EB E743 BAB0 CED2 1D20 8D79 B737 0FE8 D526
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-SIG-Security
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                                        1/1 
  Running scriptlet: openssh-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                             1/6 
  Upgrading        : openssh-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                             1/6 
  Running scriptlet: openssh-server-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                      2/6 
  Upgrading        : openssh-server-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                      2/6 
  Running scriptlet: openssh-server-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                      2/6 
  Upgrading        : openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                     3/6 
  Running scriptlet: openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                     3/6 
  Running scriptlet: openssh-clients-8.7p1-38.el9.x86_64                                                                                                                                                                                                    4/6 
  Cleanup          : openssh-clients-8.7p1-38.el9.x86_64                                                                                                                                                                                                    4/6 
  Running scriptlet: openssh-server-8.7p1-38.el9.x86_64                                                                                                                                                                                                     5/6 
  Cleanup          : openssh-server-8.7p1-38.el9.x86_64                                                                                                                                                                                                     5/6 
  Running scriptlet: openssh-server-8.7p1-38.el9.x86_64                                                                                                                                                                                                     5/6 
  Cleanup          : openssh-8.7p1-38.el9.x86_64                                                                                                                                                                                                            6/6 
  Running scriptlet: openssh-8.7p1-38.el9.x86_64                                                                                                                                                                                                            6/6 
  Verifying        : openssh-server-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                      1/6 
  Verifying        : openssh-server-8.7p1-38.el9.x86_64                                                                                                                                                                                                     2/6 
  Verifying        : openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                     3/6 
  Verifying        : openssh-clients-8.7p1-38.el9.x86_64                                                                                                                                                                                                    4/6 
  Verifying        : openssh-8.7p1-38.el9_4.security.0.5.x86_64                                                                                                                                                                                             5/6 
  Verifying        : openssh-8.7p1-38.el9.x86_64                                                                                                                                                                                                            6/6 

Upgraded:
  openssh-8.7p1-38.el9_4.security.0.5.x86_64                                      openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64                                      openssh-server-8.7p1-38.el9_4.security.0.5.x86_64                                     

Complete!

# 确保 openssh-8.7p1-38.el9_4.security.0.5 已安装
[root@localhost ~]# rpm -q openssh
openssh-8.7p1-38.el9_4.security.0.5.x86_64

[root@localhost ~]# rpm -qa | grep openssh
openssh-8.7p1-38.el9_4.security.0.5.x86_64
openssh-server-8.7p1-38.el9_4.security.0.5.x86_64
openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64

# 因为安装过程中会自动重启 sshd 服务,所以安装完后无需再手动重启服务
[root@localhost ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
     Active: active (running) since Wed 2024-07-03 10:18:42 CST; 34s ago # 重启时间
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 64456 (sshd)
      Tasks: 1 (limit: 48933)
     Memory: 1.1M
        CPU: 14ms
     CGroup: /system.slice/sshd.service
             └─64456 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Jul 03 10:18:42 localhost systemd[1]: Starting OpenSSH server daemon...
Jul 03 10:18:42 localhost sshd[64456]: Server listening on 0.0.0.0 port 22.
Jul 03 10:18:42 localhost systemd[1]: Started OpenSSH server daemon.

特别补充

手动安装 rocky-release-security,支持所有其它 RedHat 系发行版对应 OpenSSH 漏洞修复。

# 手动安装
[root@localhost ~]# rpm -ivh https://download.rockylinux.org/pub/rocky/9/extras/x86_64/os/Packages/r/rocky-release-security-9-4.el9.noarch.rpm

# 禁用 SIG/Security security-common repo
[root@localhost ~]# dnf config-manager --disable security-common

# 升级 openssh
[root@localhost ~]# dnf --enablerepo=security-common -y update openssh\*

# 确保 openssh-8.7p1-38.el9_4.security.0.5 已安装
[root@localhost ~]# rpm -q openssh
openssh-8.7p1-38.el9_4.security.0.5.x86_64

[root@localhost ~]# rpm -qa | grep openssh
openssh-8.7p1-38.el9_4.security.0.5.x86_64
openssh-server-8.7p1-38.el9_4.security.0.5.x86_64
openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64

如果您正在使用到 AWS 云 Amazon Linux 操作系统,官方影响面说明参考链接:CVE-2024-6387

影响范围: Amazon Linux 2023
不受影响: Amazon Linux 1、Amazon Linux 2 - Core
修复方案: ALAS-2024-649

dnf update openssh --releasever 2023.5.20240701

参考文献

[1] CVE-2024-6387: openssh - SIG/Security Wiki

Avatar photo

关于 木子

Founder of the Rocky Linux Chinese community, MVP、VMware vExpert、TVP, advocate for cloud native technologies, with over ten years of experience in site reliability engineering (SRE) and the DevOps field. Passionate about Cloud Computing、Microservices、CI&CD、DevOps、Kubernetes, currently dedicated to promoting and implementing Rocky Linux in Chinese-speaking regions.
用一杯咖啡支持我们,每一篇 [文档] 都经过我们实操,并非从网上一味的copy,期间花费了大量的心思,希望能够帮忙到您。
暂无评论

发送评论 编辑评论


|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇