前言
OpenSSL拒绝服务漏洞(CVE-2022-0778)
漏洞影响范围:
- OpenSSL1.0.2
- OpenSSL1.1.1
- OpenSSL3.0
OpenSSL拒绝服务漏洞(CVE-2022-0778):该漏洞是由于OpenSSL中的BN_mod_sqrt()函数存在解析错误,由于证书解析发生在证书签名验证之前,因此任何解析外部提供的证书场景都可能受到拒绝服务攻击,攻击者可在未授权的情况下通过构造特定证书来触发无限循环,执行拒绝服务攻击,最终使服务器无法提供服务。
OpenSSH安全漏洞(CVE-2021-41617)
漏洞影响范围:
- OpenSSH版本6.2-8.7
OpenSSH(OpenBSD Secure Shell)是Openbsd计划组的一套用于安全访问远程计算机的连接工具。该工具是SSH协议的开源实现,支持对所有的传输进行加密,可有效阻止窃听、连接劫持以及其他网络级的攻击。OpenSSH 6.2到8.8之前版本存在安全漏洞。该漏洞源于允许权限提升,因为补充组未按预期初始
准备工作
- 确认openssl和openssh版本
[root@icorgi ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@icorgi ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
漏洞修复
- OpenSSL
[root@localhost ~]# tar -xzvf openssl-1.1.1n.tar.gz
[root@localhost ~]# cd openssl-1.1.1n/
[root@localhost openssl-1.1.1n]# ./config --prefix=/usr/local/openssl-1.1.1n --shared
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1n (0x101010efL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************
[root@localhost openssl-1.1.1n]# make && make install
[root@localhost openssl-1.1.1n]# mv /usr/bin/openssl /usr/bin/openssl.bak
[root@localhost openssl-1.1.1n]# mv /usr/include/openssl /usr/include/openssl.bak
[root@localhost openssl-1.1.1n]# ln -s /usr/local/openssl-1.1.1n/bin/openssl /usr/bin/openssl
[root@localhost openssl-1.1.1n]# ln -s /usr/local/openssl-1.1.1n/include/openssl /usr/include/openssl
[root@localhost openssl-1.1.1n]# echo "/usr/local/openssl-1.1.1n/lib">>/etc/ld.so.conf
[root@localhost openssl-1.1.1n]# ldconfig
- OpenSSH
[root@localhost ~]# yum install pam-devel libselinux-devel zlib-devel openssl-devel
[root@localhost ~]# tar -zxvf openssh-8.9p1.tar.gz
[root@localhost ~]# cd openssh-8.9p1
[root@localhost openssh-8.9p1]# mv /etc/ssh /etc/ssh.bak
[root@localhost openssh-8.9p1]# ./configure --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl-1.1.1n/lib
[root@localhost openssh-8.9p1]# make && make install
[root@localhost openssh-8.9p1]# mv /etc/ssh.bak/sshd_config /etc/ssh/sshd_config
[root@localhost openssh-8.9p1]# systemctl daemon-reload
[root@localhost openssh-8.9p1]# systemctl restart sshd
查看OpenSSL和OpenSSH版本
[root@localhost ~]# openssl version
OpenSSL 1.1.1n 15 Mar 2022
[root@localhost ~]# ssh -V
OpenSSH_8.9p1, OpenSSL 1.1.1n 15 Mar 2022
完成修复
踩到的坑
- 在升级完OpenSSH后按理应该
vi /etc/ssh/sshd_config
添加PermitRootLogin yes
和PasswordAuthentication yes
,添加后systemct restart sshd
就能进行root远程登录,结果新会话死活连不上root不知道啥毛病,偷个懒就直接把旧的sshd_config文件拿来覆盖了,成功登录。 - 在编译的时候遇到如下报错:
checking OpenSSL header version... 101010ef (OpenSSL 1.1.1n 15 Mar 2022)
checking for OpenSSL_version... no
checking for OpenSSL_version_num... no
checking OpenSSL library version... not found
configure: error: OpenSSL library not found.
结果安装完一看发现OpenSSL还是旧版本,并且在config的时候也添加了--shared参数
[root@localhost openssh-8.9p1]# ssh -V
OpenSSH_8.9p1, OpenSSL 1.0.2k-fips 26 Jan 2017
百度搜了一圈都没碰到解决办法,最后还是在Google上搜到解决办法,参考github issues,config时添加--with-ssl-dir=/usr/local/openssl-1.1.1n/lib