OpenSSH "Nuclear-Grade" Vulnerability CVE-2024-6387

Software  Author: 宋雨川  2024-07-25 02:46:17

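Qualys today disclosed a security vulnerability it found in the OpenSSH server that can lead to remote, unauthenticated code execution. OpenSSH servers running on Linux with the GNU C Library (glibc) are vulnerable to CVE-2024-6387. The vulnerability has been named "RegreSSHion", a play on "SSH" and "regression".

A signal handler race condition in the OpenSSH server can lead to unauthenticated remote code execution. Multiple OpenSSH versions on Linux, going back years, are affected.

CVE-2024-6387 has a wide impact, so verify and fix it immediately. The verification script is as follows: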

import argparse
import ipaddress
import socket
import threading
from queue import Queue


def is_port_open(ip, port):
    """Return True if a TCP connection to ip:port succeeds within 1 second."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(1)
    try:
        sock.connect((ip, port))
        return True
    except OSError:
        # Covers refused connections, timeouts and name-resolution failures.
        return False
    finally:
        sock.close()


def get_ssh_banner(ip, port):
    """Read the SSH identification string the server sends on connect."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(2)
        sock.connect((ip, port))
        banner = sock.recv(1024).decode().strip()
        sock.close()
        return banner
    except Exception as e:
        # The error text is returned in place of a banner and reported as 'failed'.
        return str(e)


def check_vulnerability(ip, port, result_queue):
    """Classify one target by its banner and put the result on the queue."""
    if not is_port_open(ip, port):
        result_queue.put((ip, port, 'closed', "Port closed"))
        return

    banner = get_ssh_banner(ip, port)
    if "SSH-2.0-OpenSSH" not in banner:
        result_queue.put((ip, port, 'failed', f"Failed to retrieve SSH banner: {banner}"))
        return

    # Banner prefixes treated as vulnerable. This is a version-string match only.
    vulnerable_versions = [
        'SSH-2.0-OpenSSH_8.5p1',
        'SSH-2.0-OpenSSH_8.6p1',
        'SSH-2.0-OpenSSH_8.7p1',
        'SSH-2.0-OpenSSH_8.8p1',
        'SSH-2.0-OpenSSH_8.9p1',
        'SSH-2.0-OpenSSH_9.0p1',
        'SSH-2.0-OpenSSH_9.1p1',
        'SSH-2.0-OpenSSH_9.2p1',
        'SSH-2.0-OpenSSH_9.3p1',
        'SSH-2.0-OpenSSH_9.4p1',
        'SSH-2.0-OpenSSH_9.5p1',
        'SSH-2.0-OpenSSH_9.6p1',
        'SSH-2.0-OpenSSH_9.7p1'
    ]

    if any(version in banner for version in vulnerable_versions):
        result_queue.put((ip, port, 'vulnerable', f"(running {banner})"))
    else:
        result_queue.put((ip, port, 'not_vulnerable', f"(running {banner})"))


def main():
    parser = argparse.ArgumentParser(description="Check if servers are running a vulnerable version of OpenSSH.")
    parser.add_argument("targets", nargs='+', help="IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.")
    parser.add_argument("--port", type=int, default=22, help="Port number to check (default: 22).")

    args = parser.parse_args()
    targets = args.targets
    port = args.port

    ips = []
    for target in targets:
        try:
            # A target that names a readable file is a list of hosts, one per line.
            with open(target, 'r') as file:
                ips.extend(line.strip() for line in file if line.strip())
        except OSError:
            if '/' in target:
                try:
                    network = ipaddress.ip_network(target, strict=False)
                    ips.extend([str(ip) for ip in network.hosts()])
                except ValueError:
                    print(f" [-] Invalid CIDR notation: {target}")
            else:
                ips.append(target)

    # One thread per target; results are collected through the queue.
    result_queue = Queue()
    threads = []
    for ip in ips:
        ip = ip.strip()
        thread = threading.Thread(target=check_vulnerability, args=(ip, port, result_queue))
        thread.start()
        threads.append(thread)

    for thread in threads:
        thread.join()

    total_scanned = len(ips)
    closed_ports = 0
    not_vulnerable = []
    vulnerable = []

    while not result_queue.empty():
        ip, port, status, message = result_queue.get()
        if status == 'closed':
            closed_ports += 1
        elif status == 'vulnerable':
            vulnerable.append((ip, message))
        elif status == 'not_vulnerable':
            not_vulnerable.append((ip, message))
        else:
            print(f" [!] Server at {ip}:{port} is {message}")

    print(f"\n Servers not vulnerable: {len(not_vulnerable)}\n")
    for ip, msg in not_vulnerable:
        print(f"   [+] Server at {ip} {msg}")

    print(f"\n Servers likely vulnerable: {len(vulnerable)}\n")
    for ip, msg in vulnerable:
        print(f"   [+] Server at {ip} {msg}")

    # Report the port that was actually checked, not a hard-coded 22.
    print(f"\n Servers with port {args.port} closed: {closed_ports}")
    print(f"\n Total scanned targets: {total_scanned}\n")


if __name__ == "__main__":
    main()


Usage

python CVE-2024-6387_Check.py <targets> [--port PORT]

Examples

Single IP

python CVE-2024-6387_Check.py 192.168.1.1

Multiple IPs and Domains

python CVE-2024-6387_Check.py 192.168.1.1 example.com 192.168.1.2

CIDR Range

python CVE-2024-6387_Check.py 192.168.1.0/24

With Custom Port

python CVE-2024-6387_Check.py 192.168.1.1 example.com --port 2222
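
The script above matches banners against a fixed list of strings. As an added example (not part of the original article or its script), the same check can parse the version out of the SSH identification string and compare it with the range that list covers, 8.5p1 through 9.7p1. The function name `classify_banner`, the status labels and the sample banners are constructed for illustration.

```python
import re

# Range taken from the article's list: OpenSSH 8.5p1 through 9.7p1 inclusive.
FIRST_AFFECTED = (8, 5)
LAST_AFFECTED = (9, 7)

# RFC 4253 identification string: "SSH-protoversion-softwareversion SP comments"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.\d+)?(?:p(?P<patch>\d+))?(?P<suffix>\S*)(?:\s+(?P<comment>.*))?$"
)


def classify_banner(banner):
    """Return (status, version, note) for one SSH identification string."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return ("unknown", None, "no parseable OpenSSH version")
    version = (int(m["major"]), int(m["minor"]))
    if m["patch"] is None:
        # The article's list contains portable ("p1") releases only.
        return ("outside_listed_range", version, "non-portable release")
    if not FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return ("outside_listed_range", version, "")
    # Distributions backport fixes without changing the upstream version,
    # so an in-range banner still needs a package-level check on the host.
    comment = m["comment"] or ""
    note = f"check package build: {comment}" if comment else "no distro comment in banner"
    return ("in_listed_range", version, note)


# Constructed sample banners, not captured from real hosts.
SAMPLES = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.5",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for line in SAMPLES:
        status, version, note = classify_banner(line)
        print(f"{line!r}: {status} {version} {note}")
```

An `in_listed_range` result is a prompt to check the installed package on the host, since the banner alone does not show whether a distribution build carries the fix.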

Exploit scripts are already available online, so upgrade immediately. For example:

https://github.com/zgzhang/cve-2024-6387-poc

https://github.com/acrono/cve-2024-6387-poc

