CentOS: upgrade to OpenSSH 7.4 (OpenSSH Remote Code Execution Vulnerability)

Disclaimer: This is an original article by the blogger and may not be reproduced without the blogger's permission. https://blog.csdn.net/kwame211/article/details/90403693

Vulnerability ID

CVE-2016-10009

 

Vulnerability name

OpenSSH Remote Code Execution Vulnerability

 

Vulnerability Description

A malicious or compromised sshd can use a forwarded agent socket to trick the ssh-agent on the connecting client machine into loading a malicious PKCS#11 module, which allows remote code execution.

 

Official Rating

Medium

 

Vulnerability impact

An attacker who exploits this for remote command execution can, in severe cases, cause data loss.

 

Exploit conditions

It can be exploited remotely.

The exploit relies on ssh-agent. That process is not started by default and is only used for password-free login across multiple hosts, so the conditions for exploitation are relatively strict.
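Because the vulnerability is only reachable through a forwarded agent socket, a useful first check on the client side is to know which hosts you forward your agent to at all. The script below is an added example and is not part of the original article: the awk parser, the function names and the sample configuration are constructed for this illustration, and it reads the standard ssh_config syntax (case-insensitive keys, "Key value" or "Key=value").

```shell
#!/bin/sh
# Added example, not from the original article: report the Host blocks of an
# ssh_config that turn on agent forwarding.  Each "ForwardAgent yes" names a
# remote host whose sshd is allowed to talk to the local ssh-agent, which is
# the precondition for CVE-2016-10009.

# Read one or more ssh_config files (or stdin) and print the Host pattern of
# every block that sets ForwardAgent to yes.  Directives before any Host line
# are reported as "(global)".
forward_agent_hosts() {
    awk '
    BEGIN { host = "(global)" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (match(line, /[ \t=]+/) == 0) next  # no separator: not a directive
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH)
        sub(/[ \t]+$/, "", val)
        if (key == "host") { host = val; next }
        if (key == "forwardagent" && tolower(val) == "yes") print host
    }' "$@"
}

# Constructed sample client configuration for the demonstration below.
SAMPLE_CONFIG='# constructed sample ~/.ssh/config
Host bastion
    HostName 203.0.113.10
    ForwardAgent yes

Host internal-*
    ProxyJump bastion
    forwardagent=no

Host *
    ForwardAgent no'

# Run the audit over the constructed sample; prints "bastion".
demo_forward_agent_audit() {
    printf '%s\n' "$SAMPLE_CONFIG" | forward_agent_hosts
}

# Real use: forward_agent_hosts ~/.ssh/config /etc/ssh/ssh_config
```

ssh applies the first value it obtains for each option, so a "ForwardAgent yes" reported under "Host *" covers every host that does not set the option in an earlier block; the audit reports each block on its own and leaves that reasoning to you. Hosts that only need to be reached through a jump host are better served by ProxyJump than by forwarding the agent to the jump host.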

Affected versions


OpenSSH 7.3

OpenSSH 7.2p2

OpenSSH 7.2

OpenSSH 7.1p2

OpenSSH 7.1p1

OpenSSH 7.1

OpenSSH 7.0

OpenSSH 6.9p1

OpenSSH 6.9

OpenSSH 6.6

OpenSSH 6.5

OpenSSH 6.4

OpenSSH 6.3

OpenSSH 6.2

OpenSSH 6.1

OpenSSH 6.0

OpenSSH 5.8

OpenSSH 5.7

OpenSSH 5.6

OpenSSH 5.5

OpenSSH 5.4

OpenSSH 5.3

OpenSSH 5.2

OpenSSH 5.1

OpenSSH 5.0

Vulnerability detection

Run the following command to view the currently installed version.

ssh -V

Alternatively, check with Alibaba Cloud Server Guard (安骑士).
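When more than a handful of hosts have to be inventoried, reading "ssh -V" by eye does not scale. The script below is an added example, not from the original article: the function names are mine, and it classifies a build purely from the version string, treating anything older than 7.4 as inside the affected range listed above.

```shell
#!/bin/sh
# Added example, not from the original article: classify an OpenSSH build as
# affected by CVE-2016-10009 from its "ssh -V" banner.  Anything older than
# 7.4 is treated as affected (the fix shipped in 7.4).

# Print "MAJOR MINOR" from a banner such as
# "OpenSSH_7.2p2, OpenSSL 1.0.1e-fips 11 Feb 2013"; print nothing if the
# string does not look like an OpenSSH banner.
openssh_major_minor() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Exit 0 if the banner is older than 7.4, 1 if it is 7.4 or newer,
# 2 if the banner could not be parsed.
openssh_affected() {
    set -- $(openssh_major_minor "$1")
    [ $# -eq 2 ] || return 2
    if [ "$1" -lt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -lt 4 ]; }; then
        return 0
    fi
    return 1
}

# Live check of the installed client.  ssh -V writes its banner to stderr,
# hence the 2>&1.  Prints one line and returns the openssh_affected code.
check_installed_openssh() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not found" >&2; return 2; }
    banner=$(ssh -V 2>&1)
    openssh_affected "$banner" && rc=0 || rc=$?
    case $rc in
        0) echo "AFFECTED (older than 7.4): $banner" ;;
        1) echo "not affected by version: $banner" ;;
        *) echo "could not parse banner: $banner" ;;
    esac
    return $rc
}

# Only run the live check when invoked with --live, so that sourcing this
# file to reuse the functions has no side effects.
if [ "${1:-}" = "--live" ]; then
    check_installed_openssh
fi
```

A version-only verdict is an upper bound: distribution packages often backport security fixes while keeping the old version string, which is why the article can say the default Alibaba Cloud ECS build is unaffected. For a stock RPM, "rpm -q --changelog openssh" shows whether the fix was backported before you decide to rebuild from source.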

 

Recommended fix (or mitigation)

The OpenSSH shipped by default in Alibaba Cloud ECS operating system images is not affected by this vulnerability. If you have changed your OpenSSH version and have confirmed that the current version is in the affected range, Alibaba Cloud recommends upgrading the SSH server to OpenSSH 7.4 or later. The upgrade method is given below.

At the same time, we recommend not exposing the high-risk SSH service port directly to the Internet. Use a safer access path such as a VPN or a bastion host to prevent brute-force attacks and exploitation.


Upgrade OpenSSH

We recommend upgrading with yum update. If the update source does not yet carry the latest package, you can upgrade using the method below, which takes CentOS 6.8 64-bit as an example.


Note:

Before upgrading, we strongly recommend taking a snapshot and backing up your files, to guard against accidents such as losing remote management access if the upgrade fails.

While performing the operations below, keep an open SSH session to the server being upgraded, so that you can still reach the server if the upgrade fails. Alternatively, install the Telnet service as a fallback before upgrading and stop it once the upgrade has succeeded.

Run the following commands to upgrade zlib.

wget http://zlib.net/zlib-1.2.11.tar.gz
tar zxvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure
make
make install

Use the following command to check the upgraded libz version.

ll /usr/local/lib

The result (shown in the original post as a screenshot captioned "zlib") lists the newly installed libz.

Upgrade openssl-fips. Check whether the latest version is already installed before proceeding. If it is, go to Step 4; if not, run the following commands to download and install the latest version.


wget https://www.openssl.org/source/openssl-fips-2.0.14.tar.gz
tar zxvf openssl-fips-2.0.14.tar.gz
cd openssl-fips-2.0.14
./config
make
make install

Run the following commands to upgrade OpenSSL.


wget https://www.openssl.org/source/openssl-1.1.0e.tar.gz
tar zxvf openssl-1.1.0e.tar.gz
cd openssl-1.1.0e
./config
make
make install
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

Check the upgraded OpenSSL version; the result (shown in the original post as a screenshot captioned "openssl") displays the new version.

Run the following command to install PAM.

yum install pam* -y

Upgrade and install OpenSSH.


wget https://mirrors.evowise.com/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz
tar zxvf openssh-7.4p1.tar.gz
cd openssh-7.4p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-privsep-path=/var/lib/sshd --with-ssl-dir=/usr/local/lib64 --without-hardening
make
make install

# Back up the existing sshd init script by renaming it to sshd_20170209_old

mv /etc/init.d/sshd /etc/init.d/sshd_20170209_old

# Copy the init script and configuration files, make the script executable, and add it to the boot entries

cd /root/openssh-7.4p1/contrib/redhat
cp sshd.init /etc/init.d/sshd

# The ssh_config and sshd_config templates live at the top of the extracted source tree, not in contrib/redhat.
# When prompted to overwrite, enter y (no prompt appears if the original file was renamed).
cp ../../ssh_config /etc/ssh/ssh_config

# When prompted to overwrite, enter y (no prompt appears if the original file was renamed).
# Note that this replaces your existing server settings with the upstream defaults.
cp -p ../../sshd_config /etc/ssh/sshd_config

chmod u+x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on

# Restart sshd service

service sshd restart

Check the version after the upgrade; the new version is displayed.

ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2i  22 Sep 2016
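Before the "service sshd restart" step it is worth confirming that the new daemon will actually start, so that the fallback session the note above asks you to keep open is never needed. The script below is an added example, not from the original article: it assumes the paths produced by the ./configure line above (sshd in /usr/sbin, configuration in /etc/ssh, privilege-separation directory /var/lib/sshd), and the function names are mine. It also reports which libcrypto the new binary resolves at run time, which is worth knowing here because OpenSSH 7.4p1 does not build against OpenSSL 1.1.0 (that support arrived in OpenSSH 7.7), so the build links whichever 1.0.x library configure found, consistent with the "OpenSSL 1.0.2i" in the output above rather than the 1.1.0e compiled earlier.

```shell
#!/bin/sh
# Added example, not from the original article: checks to run before (and
# after) "service sshd restart" so a broken build or config does not lock you
# out.  Paths follow the ./configure line above; override via environment.
SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
PRIVSEP_DIR="${PRIVSEP_DIR:-/var/lib/sshd}"
EXPECTED_VERSION="${EXPECTED_VERSION:-OpenSSH_7.4p1}"

# From "ldd <binary>" output on stdin, print the libcrypto path the dynamic
# linker resolves; print nothing if no shared libcrypto is listed.
linked_libcrypto() {
    sed -n 's/^[[:space:]]*libcrypto\.so[^ ]* => \([^ ]*\).*/\1/p' | head -n 1
}

# 0 if the directory exists and is neither group- nor world-writable.
# sshd additionally requires it to be owned by root, which preflight checks.
privsep_dir_ok() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)       # e.g. drwxr-xr-x
    case "$mode" in
        d????w*|d???????w*) return 1 ;;     # group (col 6) or other (col 9) write bit
    esac
    return 0
}

# Live pre-restart checks; needs root because sshd -t reads the host keys.
preflight() {
    rc=0
    case "$(ssh -V 2>&1)" in
        "$EXPECTED_VERSION"*) echo "ok: ssh reports $EXPECTED_VERSION" ;;
        *) echo "FAIL: ssh -V does not report $EXPECTED_VERSION"; rc=1 ;;
    esac
    if "$SSHD_BIN" -t -f "$SSHD_CONFIG"; then
        echo "ok: $SSHD_CONFIG accepted by $SSHD_BIN"
    else
        echo "FAIL: sshd rejects $SSHD_CONFIG; fix it before restarting"; rc=1
    fi
    lib=$(ldd "$SSHD_BIN" | linked_libcrypto)
    echo "info: $SSHD_BIN resolves libcrypto to ${lib:-<none, static or missing>}"
    if privsep_dir_ok "$PRIVSEP_DIR" && [ "$(ls -ld "$PRIVSEP_DIR" | awk '{print $3}')" = root ]; then
        echo "ok: $PRIVSEP_DIR is root-owned and not group/world-writable"
    else
        echo "FAIL: $PRIVSEP_DIR missing, wrong owner or too permissive"; rc=1
    fi
    return $rc
}

# Run with --live as root from a second session, then "service sshd restart"
# from that session while the first one stays connected as a fallback.
if [ "${1:-}" = "--live" ]; then
    preflight && echo "preflight passed: safe to run 'service sshd restart'"
fi
```

"sshd -t" parses the configuration and loads the host keys without listening, so it catches the two failures that most often leave a freshly built sshd dead after a restart: an option the new version no longer accepts, and a privilege-separation directory that is missing or too permissive.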
