[Ubuntu] Upgrading OpenSSH to 9.3p2 on Ubuntu 22.04 to Fix the CVE


2024-07-14 20:15 | Source: compiled from the web


Why upgrade

A security vulnerability in OpenSSH, CVE-2023-38408, was disclosed recently. The relevant advisory follows:

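1. Vulnerability details

OpenSSH is an open-source software suite for secure remote login and file transfer. It provides a set of client and server programs, including ssh, scp and sftp, for secure remote login and file transfer over a network.

A remote code execution vulnerability (CVE-2023-38408) was recently observed in OpenSSH's ssh-agent. Because the fix for CVE-2016-10009 was incomplete, the PKCS#11 feature in OpenSSH before 9.3p2 has an untrusted search path. If specific libraries that are loaded through the PKCS#11 support of ssh-agent(1) are present on the victim's system, and the agent is forwarded to a system controlled by the threat actor (ssh-agent forwarding enabled), remote code execution may result.

Affected users are advised to inventory their assets and take preventive measures to avoid being attacked.

2. Affected versions

5.5 < OpenSSH =9.3p2

Download link: https://www.openssh.com/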

Related information:

OpenSSH ssh-agent Remote Code Execution Vulnerability (CVE-2023-38408) Security Risk Advisory
OpenSSH Security
OpenSSH 9.3p2 Release Note

Upgrading OpenSSH is therefore urgent.
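The advisory's two conditions, a version newer than 5.5 and older than 9.3p2 plus agent forwarding in use, can be checked per host before and after the upgrade. The shell functions below are an added example, not part of the original post; the function names and the host name `somehost` are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Classify an `ssh -V` banner against the range quoted above:
#   fixed        9.3p2 or newer
#   affected     newer than 5.5 and older than 9.3p2
#   below-range  5.5 or older
#   unknown      banner could not be parsed
classify_openssh() {
    v=${1#*OpenSSH_}
    [ "$v" != "$1" ] || { echo unknown; return; }
    v=${v%%[!0-9.p]*}            # "9.3p2, OpenSSL 3.1.2 ..." -> "9.3p2"
    case $v in [0-9]*.[0-9]*) ;; *) echo unknown; return ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%p*}
    case $rest in *p*) patch=${rest#*p} ;; *) patch=0 ;; esac
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unknown; return ;; esac
    done
    mm=$((major * 100 + minor))
    if [ "$mm" -gt 903 ] || { [ "$mm" -eq 903 ] && [ "$patch" -ge 2 ]; }; then
        echo fixed
    elif [ "$mm" -gt 505 ]; then
        echo affected
    else
        echo below-range
    fi
}

# Read `ssh -G <host>` output on stdin and print the effective ForwardAgent
# value; prints "no" when the option does not appear in the input.
forwardagent_value() {
    awk 'tolower($1) == "forwardagent" { v = $2 }
         END { print (v == "" ? "no" : v) }'
}

# Usage on a live host ("somehost" is a placeholder):
#   classify_openssh "$(ssh -V 2>&1)"
#   ssh -G somehost | forwardagent_value
```

A distribution package can carry a backported fix under an older upstream version string, so an "affected" result on a packaged build is a prompt to check the vendor's advisory, not proof of exposure.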

Upgrade procedure

Download the required packages

    # keep TLS certificate verification on, and check each tarball against the
    # checksum or signature published by its project before building
    # openssh
    wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
    # zlib
    wget http://www.zlib.net/zlib-1.2.13.tar.gz
    # openssl (the download is slow and takes a long time; use a proxy if you can)
    wget https://www.openssl.org/source/openssl-3.1.2.tar.gz

Install the dependencies

    apt install -y g++ perl make libpam0g-dev build-essential

Install telnet

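During the SSH upgrade, make sure Telnet can reach the server so that a backup remote-access path is available. Note that because Telnet is insecure, its use should be kept to a minimum; once the SSH upgrade is complete, restore normal SSH remote access and shut Telnet down.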

    apt install openbsd-inetd telnetd telnet -y
    systemctl restart openbsd-inetd
    systemctl status openbsd-inetd
    netstat -anpt|grep 23

Test whether you can log in successfully over Telnet.

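Uninstall the original openssh

    apt-get autoremove openssh-server openssh-client -y

Install zlib

    tar zxvf zlib-1.2.13.tar.gz
    cd zlib-1.2.13/
    ./configure --shared
    make && make install

Install openssl

    # unpack
    tar zxvf openssl-3.1.2.tar.gz
    cd openssl-3.1.2
    # build and install
    ./config --prefix=/usr/local/openssl shared zlib
    sudo make depend
    sudo make
    sudo make install
    # back up the original openssl and symlink the new one into the system location
    sudo mv /usr/bin/openssl /usr/bin/openssl.bak
    sudo ln -sv /usr/local/openssl/bin/openssl /usr/bin/openssl
    # update the dynamic linker configuration (tee -a appends as root; a plain
    # ">>" redirect would not run under sudo)
    # if the build placed its libraries in /usr/local/openssl/lib64 instead, use that path
    echo "/usr/local/openssl/lib" | sudo tee -a /etc/ld.so.conf
    sudo ldconfig -v
    openssl version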

Errors encountered along the way and how they were resolved:

    root@Virtual-Machine:/openssh-upgrade/openssl-3.1.2# openssl version
    openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.0.9' not found (required by openssl)
    root@Virtual-Machine:/openssh-upgrade/openssl-3.1.2# cp libcrypto.so.3 /lib/x86_64-linux-gnu/libcrypto.so.3
    root@Virtual-Machine:/openssh-upgrade/openssl-3.1.2# openssl version
    OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)

Install openssh

    tar zxvf openssh-9.3p2.tar.gz
    cd openssh-9.3p2
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-ssl-dir=/usr/include/openssl --with-privsep-path=/var/lib/ssh
    make && make install
    ssh -V

    root@Virtual-Machine:/openssh-upgrade/openssh-9.3p2# ssh -V
    OpenSSH_9.3p2, OpenSSL 3.1.2 1 Aug 2023

Unmask the SSH service and start it

    systemctl unmask ssh.service
    systemctl start sshd
    systemctl status sshd

    root@Virtual-Machine:/home# systemctl unmask ssh.service
    Removed /etc/systemd/system/ssh.service.
    root@Virtual-Machine:/home# systemctl start sshd
    root@Virtual-Machine:/home# systemctl status sshd
    ● ssh.service - LSB: OpenBSD Secure Shell server
         Loaded: loaded (/etc/init.d/ssh; generated)
         Active: active (running) since Fri 2023-08-04 14:26:30 CST; 2s ago
           Docs: man:systemd-sysv-generator(8)
        Process: 25657 ExecStart=/etc/init.d/ssh start (code=exited, status=0/SUCCESS)
          Tasks: 1 (limit: 9421)
         Memory: 1.4M
            CPU: 30ms
         CGroup: /system.slice/ssh.service
                 └─25667 "sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups"

    8月 04 14:26:30 Virtual-Machine systemd[1]: Starting LSB: OpenBSD Secure Shell server...
    8月 04 14:26:30 Virtual-Machine ssh[25657]:  * Starting OpenBSD Secure Shell server sshd
    8月 04 14:26:30 Virtual-Machine ssh[25657]:    ...done.
    8月 04 14:26:30 Virtual-Machine sshd[25667]: Server listening on 0.0.0.0 port 22.
    8月 04 14:26:30 Virtual-Machine sshd[25667]: Server listening on :: port 22.
    8月 04 14:26:30 Virtual-Machine systemd[1]: Started LSB: OpenBSD Secure Shell server.

Disable Telnet

    systemctl status openbsd-inetd
    systemctl disable openbsd-inetd
    systemctl stop openbsd-inetd
    systemctl status openbsd-inetd

    root@Virtual-Machine:/home# systemctl status openbsd-inetd
    ● inetd.service - Internet superserver
         Loaded: loaded (/lib/systemd/system/inetd.service; enabled; vendor preset: enabled)
         Active: active (running) since Fri 2023-08-04 13:53:23 CST; 47min ago
           Docs: man:inetd(8)
       Main PID: 609 (inetd)
          Tasks: 2 (limit: 9421)
         Memory: 3.3M
            CPU: 385ms
         CGroup: /system.slice/inetd.service
                 ├─  609 /usr/sbin/inetd
                 └─12087 "in.telnetd: 00X3V7R4W32Y3FF.lisuantech.com"

    8月 04 13:53:22 Virtual-Machine systemd[1]: Starting Internet superserver...
    8月 04 13:53:23 Virtual-Machine systemd[1]: Started Internet superserver.
    8月 04 14:00:51 Virtual-Machine in.telnetd[12087]: connect from 10.2.12.131 (10.2.12.131)
    8月 04 14:00:56 Virtual-Machine login[12088]: pam_unix(login:session): session opened for user knight(uid=1000) by (uid=0)
    root@Virtual-Machine:/home# systemctl disable openbsd-inetd
    Synchronizing state of openbsd-inetd.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install disable openbsd-inetd
    Removed /etc/systemd/system/multi-user.target.wants/inetd.service.
    root@Virtual-Machine:/home# systemctl stop openbsd-inetd
    root@Virtual-Machine:/home# systemctl status openbsd-inetd
    ○ inetd.service - Internet superserver
         Loaded: loaded (/lib/systemd/system/inetd.service; disabled; vendor preset: enabled)
         Active: inactive (dead) since Fri 2023-08-04 14:40:49 CST; 3s ago
           Docs: man:inetd(8)
        Process: 609 ExecStart=/usr/sbin/inetd (code=exited, status=0/SUCCESS)
       Main PID: 609 (code=exited, status=0/SUCCESS)
          Tasks: 1 (limit: 9421)
         Memory: 2.7M
            CPU: 387ms
         CGroup: /system.slice/inetd.service
                 └─12087 "in.telnetd: 00X3V7R4W32Y3FF.lisuantech.com"

    8月 04 13:53:22 Virtual-Machine systemd[1]: Starting Internet superserver...
    8月 04 13:53:23 Virtual-Machine systemd[1]: Started Internet superserver.
    8月 04 14:00:51 Virtual-Machine in.telnetd[12087]: connect from 10.2.12.131 (10.2.12.131)
    8月 04 14:00:56 Virtual-Machine login[12088]: pam_unix(login:session): session opened for user knight(uid=1000) by (uid=0)
    8月 04 14:40:49 Virtual-Machine systemd[1]: Stopping Internet superserver...
    8月 04 14:40:49 Virtual-Machine systemd[1]: inetd.service: Deactivated successfully.
    8月 04 14:40:49 Virtual-Machine systemd[1]: inetd.service: Unit process 12087 (in.telnetd) remains running after unit stopped.
    8月 04 14:40:49 Virtual-Machine systemd[1]: Stopped Internet superserver.

