博客

Centos7修复OpenSSL拒绝服务漏洞(CVE-2022-0778)

  • Post author:
  • Post category:其他




前言:


centos7环境下OpenSSL拒绝服务漏洞(CVE-2022-0778)


漏洞影响范围:

  • OpenSSL1.0.2
  • OpenSSL1.1.1
  • OpenSSL3.0

    OpenSSL拒绝服务漏洞(CVE-2022-0778):该漏洞是由于OpenSSL中的BN_mod_sqrt()函数存在解析错误,由于证书解析发生在证书签名验证之前,因此任何解析外部提供的证书场景都可能受到拒绝服务攻击,攻击者可在未授权的情况下通过构造特定证书来触发无限循环,执行拒绝服务攻击,最终使服务器无法提供服务。



步骤


下载openssl和openssh最新版本上传至服务器:



openssl下载


openssh下载



第1步


查看当前openssl和openssh版本
 

[root@node1~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
[root@node1~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017



第2步


编译安装 OpenSSL (需要gcc环境)
 

[root@node1~]# tar -xzvf openssl-1.1.1n.tar.gz 
[root@node1~]# cd openssl-1.1.1n/
[root@node1 openssl-1.1.1n]# ./config --prefix=/usr/local/openssl-1.1.1n --shared
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1n (0x101010efL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL file first)         ***
***                                                                ***
**********************************************************************
[root@node1 openssl-1.1.1n]# make && make install
[root@node1 openssl-1.1.1n]# mv /usr/bin/openssl /usr/bin/openssl.bak
[root@node1 openssl-1.1.1n]# mv /usr/include/openssl /usr/include/openssl.bak
[root@node1 openssl-1.1.1n]# ln -s /usr/local/openssl-1.1.1n/bin/openssl /usr/bin/openssl
[root@node1 openssl-1.1.1n]# ln -s /usr/local/openssl-1.1.1n/include/openssl /usr/include/openssl
[root@node1 openssl-1.1.1n]# echo "/usr/local/openssl-1.1.1n/lib">>/etc/ld.so.conf
[root@node1 openssl-1.1.1n]# ldconfig



第3步


编译安装 OpenSSH 之后重启sshd服务
 

[root@localhost ~]# yum install pam-devel libselinux-devel zlib-devel openssl-devel
[root@localhost ~]# tar -zxvf openssh-8.9p1.tar.gz
[root@localhost ~]# cd openssh-8.9p1
[root@localhost openssh-8.9p1]# mv /etc/ssh /etc/ssh.bak
[root@localhost openssh-8.9p1]# ./configure --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl-1.1.1n/lib
[root@localhost openssh-8.9p1]# make && make install
[root@localhost openssh-8.9p1]# mv /etc/ssh.bak/sshd_config /etc/ssh/sshd_config
[root@localhost openssh-8.9p1]#  systemctl daemon-reload
[root@localhost openssh-8.9p1]#  systemctl restart sshd

完成修复

踩到的坑

在编译openssh时提示openSSL library not found

解决办法

删除

yum remove openssl-devel

重新下载

yum install openssl-devel

重新编译openssl和openssh(重新执行第2,第3步)


版权声明:本文为u011662047原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。