Vulnerability ID
CVE-2016-10009
Vulnerability name
OpenSSH Remote Code Execution Vulnerability
Vulnerability Description
An sshd service that receives a forwarded agent socket can use that socket to trick the forwarding machine's ssh-agent into loading a malicious PKCS#11 module, allowing remote code execution.
Official Rating
Medium
Vulnerability hazard
An attacker who exploits this vulnerability can execute commands remotely, which in severe cases may cause data loss.
Exploit conditions
It may be remotely exploitable.
Exploitation relies on ssh-agent. This process is not started by default and is only used for password-free login across multiple hosts, so the exploit conditions are relatively demanding.
Affected versions
OpenSSH 7.3
OpenSSH 7.2p2
OpenSSH 7.2
OpenSSH 7.1p2
OpenSSH 7.1p1
OpenSSH 7.1
OpenSSH 7.0
OpenSSH 6.9p1
OpenSSH 6.9
OpenSSH 6.6
OpenSSH 6.5
OpenSSH 6.4
OpenSSH 6.3
OpenSSH 6.2
OpenSSH 6.1
OpenSSH 6.0
OpenSSH 5.8
OpenSSH 5.7
OpenSSH 5.6
OpenSSH 5.5
OpenSSH 5.4
OpenSSH 5.3
OpenSSH 5.2
OpenSSH 5.1
OpenSSH 5.0
Vulnerability detection
Use the following command to view the current version.
ssh -V
Alternatively, use Alibaba Cloud Server Guard (Anqixian) to scan for the vulnerability.
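As an added example (not part of the advisory), the following POSIX shell script parses an "ssh -V" banner and reports whether the version falls inside the affected range listed above (OpenSSH 5.0 through 7.3; 7.4 and later carry the fix). The function names are assumptions; "ssh -V" prints its banner on stderr, which is why the local check redirects it.

```shell
#!/bin/sh
# Added example, not from the advisory: classify an `ssh -V` banner against
# the advisory's affected range (OpenSSH 5.0 .. 7.3, fixed in 7.4).

# Extract "major.minor" from a banner such as
# "OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016".
# Prints nothing if the banner does not look like an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Returns 0 (true) when the banner is in the affected range, 1 when it is
# not, and 2 when the banner cannot be parsed (treat as "unknown").
openssh_affected() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -lt 5 ]; then
        return 1          # older than the advisory's listed range
    elif [ "$major" -lt 7 ]; then
        return 0          # 5.x and 6.x are all listed as affected
    elif [ "$major" -eq 7 ] && [ "$minor" -le 3 ]; then
        return 0          # 7.0 .. 7.3 are affected
    fi
    return 1              # 7.4 and later contain the fix
}

# Convenience wrapper for the locally installed client/server binary.
check_local_ssh() {
    banner=$(ssh -V 2>&1)
    rc=0
    openssh_affected "$banner" || rc=$?
    case "$rc" in
        0) echo "AFFECTED: $banner (upgrade to OpenSSH 7.4 or later)" ;;
        1) echo "not affected: $banner" ;;
        *) echo "unknown: could not parse '$banner'" ;;
    esac
    return "$rc"
}
```

Run check_local_ssh on each host you manage; a return code of 0 means the installed version is in the affected range and should be upgraded as described below.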
Fix recommendation (or mitigation)
The OpenSSH supplied by default with Alibaba Cloud ECS operating systems is not affected by this vulnerability. If you have changed your OpenSSH version and confirm that the current version falls within the affected range, Alibaba Cloud recommends upgrading the SSH server to OpenSSH 7.4 or later. The upgrade method is given below.
At the same time, we recommend that you do not expose the high-risk SSH service port directly to the Internet. Use a safer access method such as a ××× or a bastion host to prevent brute-force attacks and exploitation.
Upgrade OpenSSH
We recommend upgrading with yum update. If the update source does not have the latest package, use the upgrade method below. CentOS 6.8 64-bit is used as the example.
Note:
Before upgrading, we strongly recommend taking a snapshot and backing up files, so that a failed upgrade does not lock you out of remote management or cause other accidents.
While performing the following operations, be sure to keep an SSH connection window open to the server being upgraded, so that you can still connect to the server if the upgrade fails. Alternatively, install the Telnet service as a fallback before upgrading, and stop Telnet once the upgrade succeeds.
Run the following commands to upgrade zlib.
wget http://zlib.net/zlib-1.2.11.tar.gz
tar zxvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure
make
make install
Use the following command to check the upgraded libz version.
ll /usr/local/lib
The result should look like the following.
(Screenshot: listing of /usr/local/lib showing the upgraded zlib libraries.)
Upgrade openssl-fips. Check whether the latest version is already installed. If it is, go to step 4; if not, run the following commands to download and install the latest version.
wget https://www.openssl.org/source/openssl-fips-2.0.14.tar.gz
tar zxvf openssl-fips-2.0.14.tar.gz
cd openssl-fips-2.0.14
./config
make
make install
Run the following commands to upgrade OpenSSL.
wget https://www.openssl.org/source/openssl-1.1.0e.tar.gz
tar zxvf openssl-1.1.0e.tar.gz
cd openssl-1.1.0e
./config
make
make install
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
Check the upgraded OpenSSL version; the result should look like the following:
(Screenshot: output showing the upgraded OpenSSL version.)
Run the following command to install PAM.
yum install pam* -y
Upgrade and install OpenSSH.
wget https://mirrors.evowise.com/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz
tar zxvf openssh-7.4p1.tar.gz
cd openssh-7.4p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-privsep-path=/var/lib/sshd --with-ssl-dir=/usr/local/lib64 --without-hardening
make
make install
# Back up the existing sshd init script by renaming it to sshd_20170209_old
mv /etc/init.d/sshd /etc/init.d/sshd_20170209_old
# Copy the init script and configuration files, grant execute permission, and add sshd to the boot entries
cd /root/openssh-7.4p1/contrib/redhat
cp sshd.init /etc/init.d/sshd
cp ssh_config /etc/ssh/ssh_config
# At the overwrite prompt, enter y (if the original file was renamed, there is no prompt)
cp -p sshd_config /etc/ssh/sshd_config
# At the overwrite prompt, enter y (if the original file was renamed, there is no prompt)
chmod u+x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
# Restart the sshd service
service sshd restart
Check the upgraded version; the latest version is displayed.
ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2i 22 Sep 2016