Published 2024-07-02
Vulnerability details
Vulnerability overview
Impact description: an unauthenticated attacker can exploit this vulnerability to execute arbitrary code as root on Linux systems.
Affected range
Version < 4.4p1
8.5p1 <= version < 9.8p1
CVE-2024-6387 has a wide impact. Organizations and partners can use the vulnerability detection module of the 众智维科技 SkyNest (天巢) security risk operations platform to quickly detect affected assets, notify the relevant departments of the results in time, and dispatch tasks to the responsible security responders, so that the vulnerability is handled efficiently and to a high standard.
New vulnerability handling architecture diagram
01 Detection strategy: diverse automated execution, execution on a fixed schedule
02 Detection results: automated e-mail delivery of the "Vulnerability Detection Report"
03 Rapid handling: ticket dispatch, cross-department communication
A reference verification script (a banner-based version check) follows:
import socket
import argparse
import ipaddress
import threading
from queue import Queue


def is_port_open(ip, port):
    # Quick TCP connect check so unreachable hosts do not stall the banner grab.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(1)
    try:
        sock.connect((ip, port))
        sock.close()
        return True
    except OSError:
        return False


def get_ssh_banner(ip, port):
    # Read the identification string that sshd sends as soon as the connection opens.
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(2)
        sock.connect((ip, port))
        banner = sock.recv(1024).decode(errors="replace").strip()
        sock.close()
        return banner
    except Exception as e:
        return str(e)


def check_vulnerability(ip, port, result_queue):
    if not is_port_open(ip, port):
        result_queue.put((ip, port, 'closed', "Port closed"))
        return
    banner = get_ssh_banner(ip, port)
    if "SSH-2.0-OpenSSH" not in banner:
        result_queue.put((ip, port, 'failed', f"Failed to retrieve SSH banner: {banner}"))
        return
    # Banner prefixes of the affected 8.5p1 .. 9.7p1 releases. Matching is by substring,
    # so a distribution suffix after the version (e.g. "... Debian-5") still matches.
    vulnerable_versions = [
        'SSH-2.0-OpenSSH_8.5p1',
        'SSH-2.0-OpenSSH_8.6p1',
        'SSH-2.0-OpenSSH_8.7p1',
        'SSH-2.0-OpenSSH_8.8p1',
        'SSH-2.0-OpenSSH_8.9p1',
        'SSH-2.0-OpenSSH_9.0p1',
        'SSH-2.0-OpenSSH_9.1p1',
        'SSH-2.0-OpenSSH_9.2p1',
        'SSH-2.0-OpenSSH_9.3p1',
        'SSH-2.0-OpenSSH_9.4p1',
        'SSH-2.0-OpenSSH_9.5p1',
        'SSH-2.0-OpenSSH_9.6p1',
        'SSH-2.0-OpenSSH_9.7p1'
    ]
    if any(version in banner for version in vulnerable_versions):
        result_queue.put((ip, port, 'vulnerable', f"(running {banner})"))
    else:
        result_queue.put((ip, port, 'not_vulnerable', f"(running {banner})"))


def main():
    parser = argparse.ArgumentParser(description="Check if servers are running a vulnerable version of OpenSSH.")
    parser.add_argument("targets", nargs='+', help="IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.")
    parser.add_argument("--port", type=int, default=22, help="Port number to check (default: 22).")
    args = parser.parse_args()

    targets = args.targets
    port = args.port

    ips = []
    for target in targets:
        try:
            # A target that is a readable file is treated as a list of hosts, one per line.
            with open(target, 'r') as file:
                ips.extend(line.strip() for line in file if line.strip())
        except IOError:
            if '/' in target:
                try:
                    network = ipaddress.ip_network(target, strict=False)
                    ips.extend([str(ip) for ip in network.hosts()])
                except ValueError:
                    print(f"❌ [-] Invalid CIDR notation: {target}")
            else:
                ips.append(target)

    result_queue = Queue()
    threads = []
    for ip in ips:
        ip = ip.strip()
        thread = threading.Thread(target=check_vulnerability, args=(ip, port, result_queue))
        thread.start()
        threads.append(thread)

    for thread in threads:
        thread.join()

    total_scanned = len(ips)
    closed_ports = 0
    not_vulnerable = []
    vulnerable = []

    while not result_queue.empty():
        ip, port, status, message = result_queue.get()
        if status == 'closed':
            closed_ports += 1
        elif status == 'vulnerable':
            vulnerable.append((ip, message))
        elif status == 'not_vulnerable':
            not_vulnerable.append((ip, message))
        else:
            print(f"⚠️ [!] Server at {ip}:{port} is {message}")

    print(f"\n🛡️ Servers not vulnerable: {len(not_vulnerable)}\n")
    for ip, msg in not_vulnerable:
        print(f" [+] Server at {ip} {msg}")
    print(f"\n🚨 Servers likely vulnerable: {len(vulnerable)}\n")
    for ip, msg in vulnerable:
        print(f" [+] Server at {ip} {msg}")
    # The scanned port may differ from 22, so report the actual port.
    print(f"\n🔒 Servers with port {port} closed: {closed_ports}")
    print(f"\n📊 Total scanned targets: {total_scanned}\n")


if __name__ == "__main__":
    main()
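The script above matches the banner against a fixed list of release strings, so it misses the "version < 4.4p1" range stated in the affected-range table and any point release outside the list. The following added example (written for this edit; it is not part of the original script or of the vendor platform) parses the OpenSSH version out of the identification string and compares it numerically against both ranges given above. Caveat for triage: a banner check only tells you the upstream release number; distributions may backport the fix while keeping the version string, so a "vulnerable" result from this check should be confirmed against the package's changelog or the vendor advisory before a ticket is raised. Banners without a portable "pN" suffix are reported as "unknown" because the advisory states its ranges in portable-release terms.

```python
import re

# Affected ranges as stated in the advisory above, as (major, minor, portable-level) bounds:
# anything below 4.4p1, and 8.5p1 up to but not including 9.8p1.
AFFECTED_RANGES = [((0, 0, 0), (4, 4, 1)), ((8, 5, 1), (9, 8, 1))]

# Matches e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"; the pN suffix is optional in the regex
# so we can tell portable releases apart from banners that lack it.
BANNER_RE = re.compile(r"SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, portable_level) from an SSH identification string.

    Returns None if the banner is not OpenSSH, and (major, minor, None) if it is
    OpenSSH but has no portable "pN" suffix.
    """
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, p = m.groups()
    return (int(major), int(minor), int(p) if p is not None else None)


def classify_banner(banner):
    """Classify a banner as 'vulnerable', 'not_vulnerable' or 'unknown' per the advisory ranges."""
    v = parse_openssh_version(banner)
    if v is None or v[2] is None:
        return "unknown"
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return "vulnerable"
    return "not_vulnerable"


def summarize(banners):
    """Count classifications for a batch of banners, e.g. collected by the scanner above."""
    counts = {"vulnerable": 0, "not_vulnerable": 0, "unknown": 0}
    for b in banners:
        counts[classify_banner(b)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample banners (not captured from real hosts).
    sample = [
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-2.0-OpenSSH_4.3p2",
        "SSH-2.0-dropbear_2022.83",
    ]
    for b in sample:
        print(f"{classify_banner(b):15} {b}")
    print(summarize(sample))
```

Tuple comparison does the range test: (9, 6, 1) sorts between (8, 5, 1) and (9, 8, 1), while (9, 8, 1) itself is excluded by the strict upper bound, matching "8.5p1 <= version < 9.8p1".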
Security measures
To fix or mitigate the regreSSHion vulnerability in OpenSSH, the following measures are recommended:
01 Upgrade the OpenSSH server to the latest available update (version 9.8p1), which fixes the vulnerability.
Official patch download address:
https://www.openssh.com/releasenotes.html
02 Restrict SSH access with firewalls and other network controls, and implement network segmentation to prevent lateral movement (the techniques an attacker or threat actor uses to move step by step through a network while searching for the key data and assets that are the ultimate target of the campaign).
03 If the OpenSSH server cannot be updated immediately, set "LoginGraceTime" to 0 in the sshd configuration file, but note that this may expose the server to denial-of-service attacks.
SkyNest (天巢) handling plan
Asset discovery and risk decision support
Through automated asset discovery and management, the platform identifies the various assets in the enterprise network, including servers, network devices, databases and application systems, and provides a detailed asset inventory with attribute information. A built-in threat-intelligence correlation engine automatically compares built-in or third-party threat intelligence against the actual state of the enterprise network for real-time risk monitoring and early warning. The platform identifies threat sources such as malicious IP addresses, malicious domains and malicious assets, and provides detailed intelligence and risk ratings to help users respond to security threats in time.
Visual operations and coordinated emergency response
The [CVE-2024-6387] response playbook and plan coordinate with firewalls, threat-intelligence systems, DingTalk messaging, e-mail systems, the RedOps (红鲸) intelligent security operations platform and the SkyNest (天巢) security risk operations platform to complete a coordinated response, achieving an MTTR of under 30 minutes. It also supports joint vulnerability prevention and control, sharing risk information and remediation plans with other security service providers and regulators.
RedOps (红鲸) automated response Playbook
SkyNest (天巢) asset risk map update
Reference links
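Measure 03 is easy to get wrong on a live host: sshd takes the first value it sees for a keyword, a commented-out line does nothing, and an absent LoginGraceTime silently falls back to the built-in default of 2 minutes, so the stop-gap can look applied when it is not. The following added example (written for this edit, not part of the original page or of the vendor platform) parses an sshd_config text and reports the effective LoginGraceTime, so a responder can verify the mitigation before the host is marked handled. The config semantics it assumes are those documented for sshd_config: one keyword per line, keywords case-insensitive, an optional "=" between keyword and value, "#" starting a comment, first value wins, and everything after the first "Match" line belonging to a Match block. The sample configs are constructed.

```python
import re

# sshd's built-in default for LoginGraceTime is 2m (120 seconds).
LOGIN_GRACE_DEFAULT_SECONDS = 120

# sshd time-format units: bare number = seconds, then s/m/h/d/w suffixes.
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """Convert an sshd time-format value such as '2m', '1h30m' or '120' to seconds."""
    v = value.strip().lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", v):
        raise ValueError(f"not an sshd time value: {value!r}")
    return sum(int(num) * _TIME_UNITS[unit] for num, unit in re.findall(r"(\d+)([smhdw]?)", v))


def parse_sshd_config(text):
    """Return {keyword_lowercase: first_value} for global directives (before any Match block)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)  # 'Keyword value' or 'Keyword=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # LoginGraceTime is a global keyword; nothing after the first Match applies to it
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def login_grace_status(config_text):
    """Report the effective LoginGraceTime and whether the 'set to 0' stop-gap is in effect."""
    raw = parse_sshd_config(config_text).get("logingracetime")
    seconds = LOGIN_GRACE_DEFAULT_SECONDS if raw is None else parse_time(raw)
    return {
        "login_grace_seconds": seconds,
        "mitigation_applied": seconds == 0,
        "source": "default" if raw is None else "config",
    }


# Constructed sample: the mitigation line is commented out, so the default still applies.
UNPATCHED_CONFIG = """\
# constructed sshd_config sample
Port 22
PermitRootLogin no
# LoginGraceTime 0
"""

# Constructed sample: stop-gap applied; the later 2m line is ignored because the first value wins.
MITIGATED_CONFIG = """\
# constructed sshd_config sample
LoginGraceTime=0
LoginGraceTime 2m
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("unpatched", UNPATCHED_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        print(name, login_grace_status(cfg))
```

Run it against the contents of /etc/ssh/sshd_config on a host that cannot yet be upgraded; a result of mitigation_applied False with source "default" is the case the commented-out line produces. Because the check only reads the file, it cannot see the running daemon's state: after editing the file, reload sshd and re-check, and remember that the page's caveat stands, as a grace time of 0 removes the timeout that otherwise frees up unauthenticated connections.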
https://github.com/zgzhang/cve-2024-6387-poc
https://github.com/acrono/cve-2024-6387-poc
https://blog.qualys.com/vulnerabilities-threatresearch/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
We keep a close eye on customer needs and provide you with the latest vulnerability information. If you would like more detailed support information, contact us at the e-mail address or telephone number below.
01support@openxorg.com
400-0133-123