漏洞描述:
CVE-2023-38408 是 OpenSSH ssh-agent 的 PKCS#11 支持中的一个远程代码执行(RCE)漏洞:当用户把 ssh-agent 转发(ForwardAgent)到被攻击者控制的主机时,攻击者可借助受害者本机上已存在的特定共享库在用户本机执行代码。漏洞于 2023 年 7 月披露,在 OpenSSH 9.3p2 中修复;各评分来源给出的 CVSS 分值不一(NVD 评为 9.8/严重,部分发行版评为 7.3/高危)。注意该漏洞位于客户端的 ssh-agent,只升级服务器端并不能消除风险,客户端同样要升级;升级前的缓解措施是不要向不可信主机转发 agent。
解决方法:
升级到 OpenSSH 9.3p2 及以上版本(客户端和服务器端都要升级)。CentOS 7 已于 2024 年 6 月停止维护,官方仓库不会再提供修复,所以这里采用源码编译;另外发行版通常会把补丁回移到旧版本号上,仅凭 `ssh -V` 的版本号不能判断是否已修复,应以发行版安全公告或 `rpm -q --changelog openssh` 为准。
openssh-server 源码包下载(同目录下有 .asc 签名文件,下载后先用 OpenSSH 发布密钥校验:`gpg --verify openssh-9.9p2.tar.gz.asc openssh-9.9p2.tar.gz`,不要编译未经校验的压缩包)
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.9p2.tar.gz
openssl源码包下载(同一 release 页面提供 .sha256 和 .asc 文件,下载后用 `sha256sum openssl-3.4.1.tar.gz` 与 .sha256 文件内容比对,或用 gpg 校验签名,再解压)
Downloads | OpenSSL Library
https://github.com/openssl/openssl/releases/download/openssl-3.4.1/openssl-3.4.1.tar.gz
zlib源码下载(`current/zlib.tar.gz` 是不带版本号的滚动链接,解出的内容会随时间变化;请记录实际解出的版本和 sha256,最好直接下载带版本号的包,例如 zlib-1.3.1.tar.gz,并与官网公布的校验值核对)
https://www.zlib.net/
https://www.zlib.net/current/zlib.tar.gz
查看现有系统的版本
openssh-server
[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@localhost ~]#
zlib版本
[root@localhost ~]# rpm -q zlib
zlib-1.2.7-18.el7.x86_64
[root@localhost ~]#
openssl版本
[root@localhost ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@localhost ~]#
解压安装包
[root@localhost ~]# ls
anaconda-ks.cfg openssh-9.9p2.tar.gz openssl-3.4.1.tar.gz original-ks.cfg zlib.tar.gz
[root@localhost ~]# tar -zxf openssl-3.4.1.tar.gz
[root@localhost ~]# tar -zxf openssh-9.9p2.tar.gz
[root@localhost ~]# tar -zxf zlib.tar.gz
[root@localhost ~]# ls
anaconda-ks.cfg openssh-9.9p2 openssh-9.9p2.tar.gz openssl-3.4.1 openssl-3.4.1.tar.gz original-ks.cfg zlib-1.3.1 zlib.tar.gz
[root@localhost ~]#
安装telnet服务
更换阿里云源
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
安装 telnet 作为临时登录通道:升级 openssh 会断开现有 ssh 连接,万一升级出错还能远程登录。注意 telnet 是明文协议(口令在网络上明文传输),只能在可信的管理网段临时开启,升级验证完成后立即停用并卸载(`systemctl stop telnet.socket && yum -y remove telnet-server`)。更稳妥的做法是同时准备一条带外通道(虚拟机控制台/IPMI)。
执行安装
yum -y install xinetd telnetserver
重启服务,开放端口(如果像下面这样整体关闭 firewalld,升级验证完成后务必 `systemctl start firewalld`;更好的做法是只临时放行 23/tcp)
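# telnetd is started on demand by telnet.socket; there is no
# "telnet-server" unit on CentOS 7, so restarting it only produces an error.
systemctl restart telnet.socket
systemctl restart xinetd
# Open only TCP/23, and only at runtime (no --permanent, so the rule does
# not survive a reboot) instead of stopping firewalld for the whole host.
# If firewalld really has to be stopped, start it again as soon as the
# new sshd is verified.
firewall-cmd --add-port=23/tcp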
添加普通用户,默认root无法远程telnet登录
# Temporary break-glass account for the telnet fallback (root cannot log in
# over telnet by default). Give it a strong one-off password, and delete it
# (userdel -r admin) or restrict it to key-based ssh once the upgrade is
# verified -- it is otherwise a second password-login path left on the host.
useradd admin
passwd admin
测试登录telnet
wx@wx:~$ telnet 172.16.152.129
Trying 172.16.152.129...
Connected to 172.16.152.129.
Escape character is '^]'.
Kernel 3.10.0-957.el7.x86_64 on an x86_64
localhost login: admin
Password:
Last login: Mon Mar 31 01:22:42 from wx
[admin@localhost ~]$
开始升级openssh
安装zlib
切换到zlib目录
[root@localhost zlib-1.3.1]# ./configure --prefix=/usr/local/zlib
[root@localhost zlib-1.3.1]# make && make test && make install
检查版本
[root@localhost zlib-1.3.1]# grep "#define ZLIB_VERSION" /usr/local/zlib/include/zlib.h
#define ZLIB_VERSION "1.3.1"
[root@localhost zlib-1.3.1]#
安装openssl
执行报错
[root@localhost openssl-3.4.1]# ./config --prefix=/usr/local/openssl shared zlib
Can't locate IPC/Cmd.pm in @INC (@INC contains: /root/openssl-3.4.1/util/perl /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . /root/openssl-3.4.1/external/perl/Text-Template-1.56/lib) at /root/openssl-3.4.1/util/perl/OpenSSL/config.pm line 19.
BEGIN failed--compilation aborted at /root/openssl-3.4.1/util/perl/OpenSSL/config.pm line 19.
Compilation failed in require at /root/openssl-3.4.1/Configure line 23.
BEGIN failed--compilation aborted at /root/openssl-3.4.1/Configure line 23.
[root@localhost openssl-3.4.1]#
安装依赖
yum -y install perl-IPC-Cmd
重新编译
[root@localhost openssl-3.4.1]# ./config --prefix=/usr/local/openssl shared zlib
Configuring OpenSSL version 3.4.1 for target linux-x86_64
Using os-specific seed configuration
Created configdata.pm
Running configdata.pm
Created Makefile.in
Created Makefile
Created include/openssl/configuration.h
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL.md file first) ***
*** ***
**********************************************************************
[root@localhost openssl-3.4.1]#
make 时报错:缺少 Perl 模块 Data::Dumper,
[root@localhost openssl-3.4.1]# make && make install
/usr/bin/perl util/mkinstallvars.pl PREFIX=. BINDIR=apps APPLINKDIR=ms LIBDIR= INCLUDEDIR=include "INCLUDEDIR=./include" ENGINESDIR=engines MODULESDIR=providers "VERSION=3.4.1" "LDLIBS=-lz -ldl -pthread " > builddata.pm
DEBUG: all keys: APPLINKDIR, BINDIR, CMAKECONFIGDIR, ENGINESDIR, INCLUDEDIR, LDLIBS, LIBDIR, MODULESDIR, PKGCONFIGDIR, PREFIX, VERSION, libdir
No value given for CMAKECONFIGDIR
No value given for PKGCONFIGDIR
No value given for libdir
DEBUG: PREFIX = . => PREFIX = /root/openssl-3.4.1
DEBUG: libdir = . => libdir = /root/openssl-3.4.1
DEBUG: BINDIR = apps => BINDIR = /root/openssl-3.4.1/apps, BINDIR_REL_PREFIX = apps
DEBUG: LIBDIR = => LIBDIR = /root/openssl-3.4.1, LIBDIR_REL_PREFIX =
DEBUG: INCLUDEDIR = [ include, ./include ] => INCLUDEDIR = [ /root/openssl-3.4.1/include, /root/openssl-3.4.1/include ], INCLUDEDIR_REL_PREFIX = [ include, ./include ]
DEBUG: APPLINKDIR = ms => APPLINKDIR = /root/openssl-3.4.1/ms, APPLINKDIR_REL_PREFIX = ms
DEBUG: ENGINESDIR = engines => ENGINESDIR = /root/openssl-3.4.1/engines, ENGINESDIR_REL_LIBDIR = engines
DEBUG: MODULESDIR = providers => MODULESDIR = /root/openssl-3.4.1/providers, MODULESDIR_REL_LIBDIR = providers
DEBUG: PKGCONFIGDIR = . => PKGCONFIGDIR = /root/openssl-3.4.1, PKGCONFIGDIR_REL_LIBDIR = .
DEBUG: CMAKECONFIGDIR = . => CMAKECONFIGDIR = /root/openssl-3.4.1, CMAKECONFIGDIR_REL_LIBDIR = .
/usr/bin/perl "-I." "-Mconfigdata" "-Mbuilddata" "util/dofile.pl" "-oMakefile" exporters/cmake/OpenSSLConfig.cmake.in > OpenSSLConfig.cmake
Can't locate Data/Dumper.pm in @INC (@INC contains: Configurations . /root/openssl-3.4.1/util/../Configurations /root/openssl-3.4.1/util/perl /root/openssl-3.4.1/Configurations /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 /root/openssl-3.4.1/external/perl/Text-Template-1.56/lib /root/openssl-3.4.1/util/../external/perl/Text-Template-1.56/lib) at exporters/cmake/OpenSSLConfig.cmake.in line 5.
BEGIN failed--compilation aborted at exporters/cmake/OpenSSLConfig.cmake.in line 5.
make: *** [OpenSSLConfig.cmake] Error 1
[root@localhost openssl-3.4.1]#
报错缺的是 Perl 的 Data::Dumper 模块,对症的做法是 `yum -y install perl-Data-Dumper`;原文执行 `yum install cmake -y` 后能继续,很可能是 cmake 的依赖顺带装上了该模块,cmake 本身并不是 OpenSSL 构建所必需的。重新执行
[root@localhost openssl-3.4.1]# make && make install
.......
.......
.......
install doc/html/man7/provider-encoder.html -> /usr/local/openssl/share/doc/openssl/html/man7/provider-encoder.html
install doc/html/man7/provider-kdf.html -> /usr/local/openssl/share/doc/openssl/html/man7/provider-kdf.html
install doc/html/man7/provider-kem.html -> /usr/local/openssl/share/doc/openssl/html/man7/provider-kem.html
install doc/html/man7/provider-keyexch.html -> /usr/local/openssl/share/doc/openssl/html/man7/provider-keyexch.html
install doc/html/man7/provider-keymgmt.html -> /usr/local/openssl/share/doc/openssl/html/man7/provider-keymgmt.html
install doc/html/man7/provider-mac.html -> /usr/local/openssl/share/doc/openssl/html/man7/provider-mac.html
install doc/html/man7/provider-object.html -> /usr/local/openssl/share/doc/openssl/html/man7/provider-object.html
install doc/html/man7/provider-rand.html -> /usr/local/openssl/share/doc/openssl/html/man7/provider-rand.html
install doc/html/man7/provider-signature.html -> /usr/local/openssl/share/doc/openssl/html/man7/provider-signature.html
install doc/html/man7/provider-storemgmt.html -> /usr/local/openssl/share/doc/openssl/html/man7/provider-storemgmt.html
install doc/html/man7/provider.html -> /usr/local/openssl/share/doc/openssl/html/man7/provider.html
install doc/html/man7/proxy-certificates.html -> /usr/local/openssl/share/doc/openssl/html/man7/proxy-certificates.html
install doc/html/man7/x509.html -> /usr/local/openssl/share/doc/openssl/html/man7/x509.html
[root@localhost openssl-3.4.1]#
报错 error while loading shared libraries: libssl.so.3:新编译的 OpenSSL 装在 /usr/local/openssl/lib64,不在动态链接器的默认搜索路径里。下面用符号链接放到 /usr/lib64 可以解决,但这是在 rpm 管理的目录里手工放文件,更规范的做法是新建 `/etc/ld.so.conf.d/openssl3.conf`(内容为 /usr/local/openssl/lib64)后执行 `ldconfig`。另外注意:系统自带的 OpenSSL 1.0.2k 库(libssl.so.10)并未被替换,yum、curl 等仍在使用旧库,本次只是让新 OpenSSH 链接到 OpenSSL 3;把 /usr/bin/openssl 链接到 3.4.1 会影响依赖 1.0.2 命令行行为的脚本。
[root@localhost openssl-3.4.1]# /usr/local/openssl/bin/openssl
/usr/local/openssl/bin/openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory
[root@localhost openssl-3.4.1]# ln -s /usr/local/openssl/lib64/libssl.so.3 /usr/lib64/libssl.so.3
[root@localhost openssl-3.4.1]# ln -s /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3
[root@localhost openssl-3.4.1]# /usr/local/openssl/bin/openssl version
OpenSSL 3.4.1 11 Feb 2025 (Library: OpenSSL 3.4.1 11 Feb 2025)
[root@localhost openssl-3.4.1]# whereis openssl
openssl: /usr/lib64/openssl /usr/local/openssl
[root@localhost openssl-3.4.1]# openssl version
bash: openssl: command not found...
[root@localhost openssl-3.4.1]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
[root@localhost openssl-3.4.1]# openssl version
OpenSSL 3.4.1 11 Feb 2025 (Library: OpenSSL 3.4.1 11 Feb 2025)
[root@localhost openssl-3.4.1]#
安装openssh
删除原有的 openssh(先备份配置和主机密钥:`cp -a /etc/ssh /etc/ssh.bak-$(date +%F)`。`rpm -e --nodeps` 会绕过依赖检查,并且会删掉系统自带的 sshd.service 单元文件,这就是后面要改用 SysV 启动脚本的原因。如果希望升级后仍由 rpm 管理、便于日后再升级,可以用源码包里的 contrib/redhat/openssh.spec 自己打 rpm 再升级,而不是手工 make install。)
[root@localhost openssh-9.9p2]# rpm -qa | grep openssh
openssh-clients-7.4p1-16.el7.x86_64
openssh-7.4p1-16.el7.x86_64
openssh-server-7.4p1-16.el7.x86_64
[root@localhost openssh-9.9p2]# rpm -e --nodeps openssh-server
[root@localhost openssh-9.9p2]# rpm -e --nodeps openssh-
error: package openssh- is not installed
[root@localhost openssh-9.9p2]# rpm -e --nodeps openssh
[root@localhost openssh-9.9p2]# rpm -e --nodeps openssh-clients
[root@localhost openssh-9.9p2]# rpm -qa | grep openssh
[root@localhost openssh-9.9p2]#
切换源码目录,执行编译
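# Build dependencies for the two extra options below:
#   yum -y install pam-devel libselinux-devel
# --with-pam     : honour /etc/pam.d/sshd (faillock, account/session policy)
#                  the way the distribution package does; set "UsePAM yes"
#                  in /etc/ssh/sshd_config afterwards or it has no effect.
# --with-selinux : let sshd set the user's SELinux login context on login
#                  (the distribution build is normally compiled with this).
# --with-ssl-engine is kept from the original steps; note the ENGINE API is
# deprecated in OpenSSL 3 and can be dropped if nothing relies on it.
./configure --prefix=/usr --sysconfdir=/etc/ssh \
  --with-ssl-dir=/usr/local/openssl/ --with-zlib=/usr/local/zlib/ \
  --with-ssl-engine --with-pam --with-selinux
# "make install" also generates missing host keys and runs the config check.
make && make install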
查看版本
[root@localhost openssh-9.9p2]# /usr/bin/ssh -V
OpenSSH_9.9p2, OpenSSL 3.4.1 11 Feb 2025
拷贝 sshd 的 SysV 启动脚本(前面删除 rpm 时系统自带的 sshd.service 单元一起被删了,所以这里退回到 init 脚本,systemctl status 里显示 "SYSV"/"bad" 属正常。启动日志里 restorecon 找不到 ssh_host_dsa_key.pub 的提示可以忽略:OpenSSH 9.x 已不再生成 DSA 主机密钥。)
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-9.9p2]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp: overwrite ‘/etc/init.d/sshd’? y
[root@localhost openssh-9.9p2]# /etc/init.d/sshd
Usage: /etc/init.d/sshd {start|stop|restart|reload|condrestart|status}
[root@localhost openssh-9.9p2]# /etc/init.d/sshd start
Reloading systemd: [ OK ]
Starting sshd (via systemctl): [ OK ]
[root@localhost openssh-9.9p2]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: active (running) since Mon 2025-03-31 02:17:16 PDT; 9s ago
Docs: man:systemd-sysv-generator(8)
Process: 124507 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
Main PID: 124515 (sshd)
Tasks: 1
CGroup: /system.slice/sshd.service
└─124515 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
Mar 31 02:17:16 localhost.localdomain systemd[1]: Starting SYSV: OpenSSH server daemon...
Mar 31 02:17:16 localhost.localdomain sshd[124507]: /sbin/restorecon: lstat(/etc/ssh/ssh_host_dsa_key.pub) failed: No such file or directory
Mar 31 02:17:16 localhost.localdomain sshd[124515]: Server listening on 0.0.0.0 port 22.
Mar 31 02:17:16 localhost.localdomain sshd[124515]: Server listening on :: port 22.
Mar 31 02:17:16 localhost.localdomain sshd[124507]: Starting sshd:[ OK ]
Mar 31 02:17:16 localhost.localdomain systemd[1]: Started SYSV: OpenSSH server daemon.
[root@localhost openssh-9.9p2]# ll /etc/ssh/ssh_host_dsa_key.pub
ls: cannot access /etc/ssh/ssh_host_dsa_key.pub: No such file or directory
[root@localhost openssh-9.9p2]#
修改配置文件允许 root 远程登录(OpenSSH 9.x 默认是 PermitRootLogin prohibit-password,即 root 只能用密钥登录;改成 yes 允许 root 口令登录会抵消补丁带来的大部分安全收益,生产环境建议保持默认或设为 no,用普通用户登录后 sudo 提权。修改后先用 `sshd -t` 检查语法再重启,避免配置错误把自己锁在外面。)
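# Edit the server config. The OpenSSH 9.9 default is already
# "PermitRootLogin prohibit-password" (root may log in with a key, never a
# password). Setting it to "yes" reopens password brute-forcing against
# root and undoes much of the value of patching; prefer the default or
# "no", and log in as the unprivileged user and escalate with sudo.
vi /etc/ssh/sshd_config
#   PermitRootLogin prohibit-password    # or "no"; avoid "yes"
# Validate the file before restarting: a bad directive makes sshd refuse
# to start and locks you out of the host.
sshd -t && systemctl restart sshd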
登录失败,检查日志输出为
[root@localhost openssh-9.9p2]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: active (running) since Mon 2025-03-31 02:22:49 PDT; 38s ago
Docs: man:systemd-sysv-generator(8)
Process: 124672 ExecStop=/etc/rc.d/init.d/sshd stop (code=exited, status=0/SUCCESS)
Process: 124686 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
Main PID: 124694 (sshd)
Tasks: 3
CGroup: /system.slice/sshd.service
├─124694 sshd: /usr/sbin/sshd [listener] 1 of 10-100 startups
├─124705 sshd-session: root [priv]
└─124706 sshd-session: root [net]
Mar 31 02:22:49 localhost.localdomain sshd[124694]: Server listening on 0.0.0.0 port 22.
Mar 31 02:22:49 localhost.localdomain sshd[124694]: Server listening on :: port 22.
Mar 31 02:22:49 localhost.localdomain sshd[124686]: Starting sshd:[ OK ]
Mar 31 02:22:49 localhost.localdomain systemd[1]: Started SYSV: OpenSSH server daemon.
Mar 31 02:23:02 localhost.localdomain sshd-session[124628]: Connection closed by authenticating user admin 172.16.152.1 port 47766 [preauth]
Mar 31 02:23:04 localhost.localdomain sshd-session[124702]: error: Could not get shadow information for admin
Mar 31 02:23:04 localhost.localdomain sshd-session[124702]: Failed password for admin from 172.16.152.1 port 46948 ssh2
Mar 31 02:23:16 localhost.localdomain sshd-session[124702]: Connection closed by authenticating user admin 172.16.152.1 port 46948 [preauth]
Mar 31 02:23:25 localhost.localdomain sshd-session[124705]: error: Could not get shadow information for root
Mar 31 02:23:25 localhost.localdomain sshd-session[124705]: Failed password for root from 172.16.152.1 port 38126 ssh2
[root@localhost openssh-9.9p2]#
临时关闭 SELinux 后登录成功——这说明登录失败的原因是 SELinux 拒绝(最常见的原因是 make install 新写入的 /usr/sbin/sshd 等文件没有获得 sshd_exec_t 等正确标签),正确做法是用 restorecon 重新打标签后恢复强制模式,而不是长期关闭 SELinux。注意 `setenforce 0` 只对本次运行有效,重启后会恢复 enforcing,但原文自始至终没有把它改回来。
sudo setenforce 0
登录成功
wx@wx:~$ ssh admin@172.16.152.129
admin@172.16.152.129's password:
Last login: Mon Mar 31 02:31:33 2025 from 172.16.152.1
[admin@localhost ~]$
使用telnet测试ssh版本
wx@wx:~$ telnet 172.16.152.129 22
Trying 172.16.152.129...
Connected to 172.16.152.129.
Escape character is '^]'.
SSH-2.0-OpenSSH_9.9
配置sshd服务开机自启动
[root@localhost openssh-9.9p2]# systemctl enable sshd
sshd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig sshd on
[root@localhost openssh-9.9p2]#
升级成功。收尾清单(原文没有做,但必须做):1) 停用并卸载 telnet:`systemctl stop telnet.socket && yum -y remove telnet-server`;2) 重新开启防火墙:`systemctl start firewalld`;3) 恢复 SELinux 强制模式:`setenforce 1`,并确认 /etc/selinux/config 仍为 enforcing;4) 删除或收紧临时账号 admin,把 PermitRootLogin 改回 prohibit-password 或 no;5) 在所有客户端也执行 `ssh -V` 确认 ≥ 9.3p2,因为 CVE-2023-38408 影响的是客户端的 ssh-agent。