Sources
https://nvd.nist.gov/vuln/detail/CVE-2024-6387
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
If you have found this page you probably already know about the issue (CVE-2024-6387, "regreSSHion", a signal-handler race in sshd), so only the check and the remediation are written up here.
The commands are run as root; sudo is omitted throughout.
1. Check
Some write-ups say to check with ssh -V, but on a host that has 8.7p1 installed the output is exactly the same before and after the update, as shown below. AlmaLinux (like RHEL) backports the fix into the existing 8.7p1 source and bumps only the package Release field, not the upstream version string that ssh -V prints, so the check has to be done with rpm or dnf.
Version check with ssh -V before the update
[root@AL ~]# ssh -V
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
Version check with ssh -V after the update
[root@AL ~]# ssh -V
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
1.1 Check the installed version
Version check with rpm
[root@AL ~]# rpm -q openssh openssh-server openssh-clients
openssh-8.7p1-38.el9.x86_64
openssh-server-8.7p1-38.el9.x86_64
openssh-clients-8.7p1-38.el9.x86_64
Version check with dnf
This is not necessarily the textbook procedure, but it shows the same thing (the last column is the repository the package came from; @anaconda means it was installed by the installer).
[root@AL ~]# dnf list installed |grep -i openssh
openssh.x86_64 8.7p1-38.el9 @anaconda
openssh-clients.x86_64 8.7p1-38.el9 @anaconda
openssh-server.x86_64 8.7p1-38.el9 @anaconda
Release 38.el9 is the vulnerable build.
1.2 Check the latest available package
[root@AL ~]# dnf info openssh
Last metadata expiration check: 0:10:37 ago on Tue Jul 2 10:50:09 2024.
Installed Packages
Name : openssh
Version : 8.7p1
Release : 38.el9
Architecture : x86_64
Size : 1.9 M
Source : openssh-8.7p1-38.el9.src.rpm
Repository : @System
From repo : anaconda
Summary : An open source implementation of SSH protocol version 2
URL : http://www.openssh.com/portable.html
License : BSD
Description : SSH (Secure SHell) is a program for logging into and executing
: commands on a remote machine. SSH is intended to replace rlogin and
: rsh, and to provide secure encrypted communications between two
: untrusted hosts over an insecure network. X11 connections and
: arbitrary TCP/IP ports can also be forwarded over the secure channel.
:
: OpenSSH is OpenBSD's version of the last free version of SSH, bringing
: it up to date in terms of security and features.
:
: This package includes the core files necessary for both the OpenSSH
: client and server. To make this package useful, you should also
: install openssh-clients, openssh-server, or both.
Available Packages
Name : openssh
Version : 8.7p1
Release : 38.el9.alma.2
Architecture : x86_64
Size : 457 k
Source : openssh-8.7p1-38.el9.alma.2.src.rpm
Repository : baseos
Summary : An open source implementation of SSH protocol version 2
URL : http://www.openssh.com/portable.html
License : BSD
Description : SSH (Secure SHell) is a program for logging into and executing
: commands on a remote machine. SSH is intended to replace rlogin and
: rsh, and to provide secure encrypted communications between two
: untrusted hosts over an insecure network. X11 connections and
: arbitrary TCP/IP ports can also be forwarded over the secure channel.
:
: OpenSSH is OpenBSD's version of the last free version of SSH, bringing
: it up to date in terms of security and features.
:
: This package includes the core files necessary for both the OpenSSH
: client and server. To make this package useful, you should also
: install openssh-clients, openssh-server, or both.
Release 38.el9.alma.2 (from the baseos repository) is the package that fixes this issue. Note that the Version field stays at 8.7p1 and only the Release field moves, which is exactly why ssh -V cannot tell the two builds apart.
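As an added example (not code from the original post, AlmaLinux or rpm), the following Python script does the comparison that ssh -V cannot: it splits the rpm -q output into version and release, compares both the way rpm's rpmvercmp() does, and decides against the distribution's fixed release. It also shows why a naive check against the upstream fix version (9.8p1, per the Qualys advisory) would wrongly flag the patched 8.7p1-38.el9.alma.2 build. The function names, the rpmvercmp re-implementation (tilde handled, caret not) and the sample strings are mine; the sample strings are copied from the rpm -q, dnf info and ssh -V output on this page.

```python
"""Decide whether an installed OpenSSH package carries the CVE-2024-6387 fix.

Added example: compares RPM version/release strings the way rpm does, so a
backported fix (same upstream Version, higher Release) is recognised.
All helper names are this example's own, not part of rpm or dnf.
"""
import re

# Fixed package release shown in the dnf info output above (AlmaLinux 9 baseos).
FIXED_EVR = "8.7p1-38.el9.alma.2"
# Upstream OpenSSH release that contains the fix (per the Qualys advisory).
UPSTREAM_FIXED_VERSION = "9.8p1"


def _keep(c: str) -> bool:
    """Characters rpmvercmp compares; everything else is a separator."""
    return (c.isascii() and c.isalnum()) or c == "~"


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp(): split both strings into runs
    of digits and runs of letters and compare run by run. A numeric run beats
    an alphabetic one, and '~' sorts before anything, even end of string."""
    if a == b:
        return 0
    i, j, la, lb = 0, 0, len(a), len(b)
    while i < la or j < lb:
        while i < la and not _keep(a[i]):
            i += 1
        while j < lb and not _keep(b[j]):
            j += 1
        ta, tb = i < la and a[i] == "~", j < lb and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= la or j >= lb:
            break
        isnum = a[i].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        if mb is None:                 # different segment types
            return 1 if isnum else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):     # the longer number is the larger one
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1        # whoever has data left is newer


def parse_evr(evr: str):
    """Split 'epoch:version-release' into its three parts (epoch defaults to 0)."""
    epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def nvra_to_evr(nvra: str, name: str) -> str:
    """'openssh-server-8.7p1-38.el9.x86_64' (rpm -q output) -> '8.7p1-38.el9'."""
    if not nvra.startswith(name + "-"):
        raise ValueError(f"{nvra!r} is not a {name} package")
    return nvra[len(name) + 1:].rpartition(".")[0]


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed EVR is at or above the distribution's fixed EVR."""
    return evrcmp(installed_evr, fixed_evr) >= 0


def ssh_v_version(banner: str) -> str:
    """Extract the upstream version from 'ssh -V' output, e.g. '8.7p1'."""
    m = re.search(r"OpenSSH_(\d+\.\d+(?:p\d+)?)", banner)
    return m.group(1) if m else ""


def upstream_says_fixed(banner: str) -> bool:
    """Naive check against the upstream fix version; wrong for backported builds."""
    return rpmvercmp(ssh_v_version(banner), UPSTREAM_FIXED_VERSION) >= 0


if __name__ == "__main__":
    # Sample strings copied from the rpm -q / ssh -V output earlier on this page.
    before = "openssh-server-8.7p1-38.el9.x86_64"
    after = "openssh-server-8.7p1-38.el9.alma.2.x86_64"
    banner = "OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022"   # identical before and after
    for nvra in (before, after):
        evr = nvra_to_evr(nvra, "openssh-server")
        print(f"{nvra}: release check -> {'fixed' if is_fixed(evr) else 'VULNERABLE'}")
    # The banner does not change with the update, and comparing it with upstream
    # 9.8p1 reports the patched package as vulnerable: a false positive.
    print(f"ssh -V {ssh_v_version(banner)!r}: upstream check -> "
          f"{'fixed' if upstream_says_fixed(banner) else 'VULNERABLE'}")
```

On a real host feed it the output of rpm -q openssh-server; the only input it needs is the NVRA string, so it can also be run against an inventory export without shell access to the machines. The fixed EVR is distribution-specific: for RHEL or Rocky substitute the release named in that vendor's advisory.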
2. Update
Update the openssh packages. Requesting openssh alone pulls openssh-clients and openssh-server into the transaction as well, because they require the same build. If the update cannot be applied immediately, the Qualys advisory notes that setting LoginGraceTime 0 in sshd_config blocks the exploitable code path, at the cost of letting a remote attacker exhaust MaxStartups connections (denial of service).
[root@AL ~]# dnf update openssh -y
Last metadata expiration check: 1:47:11 ago on Tue Jul 2 10:50:09 2024.
Dependencies resolved.
=====================================================================================================================
Package Architecture Version Repository Size
=====================================================================================================================
Upgrading:
openssh x86_64 8.7p1-38.el9.alma.2 baseos 457 k
openssh-clients x86_64 8.7p1-38.el9.alma.2 baseos 712 k
openssh-server x86_64 8.7p1-38.el9.alma.2 baseos 458 k
Transaction Summary
=====================================================================================================================
Upgrade 3 Packages
Total download size: 1.6 M
Downloading Packages:
(1/3): openssh-server-8.7p1-38.el9.alma.2.x86_64.rpm 4.1 MB/s | 458 kB 00:00
(2/3): openssh-8.7p1-38.el9.alma.2.x86_64.rpm 3.5 MB/s | 457 kB 00:00
(3/3): openssh-clients-8.7p1-38.el9.alma.2.x86_64.rpm 5.0 MB/s | 712 kB 00:00
---------------------------------------------------------------------------------------------------------------------
Total 1.7 MB/s | 1.6 MB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: openssh-8.7p1-38.el9.alma.2.x86_64 1/6
Upgrading : openssh-8.7p1-38.el9.alma.2.x86_64 1/6
Upgrading : openssh-clients-8.7p1-38.el9.alma.2.x86_64 2/6
Running scriptlet: openssh-clients-8.7p1-38.el9.alma.2.x86_64 2/6
Running scriptlet: openssh-server-8.7p1-38.el9.alma.2.x86_64 3/6
Upgrading : openssh-server-8.7p1-38.el9.alma.2.x86_64 3/6
Running scriptlet: openssh-server-8.7p1-38.el9.alma.2.x86_64 3/6
Running scriptlet: openssh-server-8.7p1-38.el9.x86_64 4/6
Cleanup : openssh-server-8.7p1-38.el9.x86_64 4/6
Running scriptlet: openssh-server-8.7p1-38.el9.x86_64 4/6
Running scriptlet: openssh-clients-8.7p1-38.el9.x86_64 5/6
Cleanup : openssh-clients-8.7p1-38.el9.x86_64 5/6
Cleanup : openssh-8.7p1-38.el9.x86_64 6/6
Running scriptlet: openssh-8.7p1-38.el9.x86_64 6/6
Verifying : openssh-8.7p1-38.el9.alma.2.x86_64 1/6
Verifying : openssh-8.7p1-38.el9.x86_64 2/6
Verifying : openssh-clients-8.7p1-38.el9.alma.2.x86_64 3/6
Verifying : openssh-clients-8.7p1-38.el9.x86_64 4/6
Verifying : openssh-server-8.7p1-38.el9.alma.2.x86_64 5/6
Verifying : openssh-server-8.7p1-38.el9.x86_64 6/6
Upgraded:
openssh-8.7p1-38.el9.alma.2.x86_64 openssh-clients-8.7p1-38.el9.alma.2.x86_64
openssh-server-8.7p1-38.el9.alma.2.x86_64
Complete!
3. Verify
Version check with rpm
[root@AL ~]# rpm -q openssh openssh-server openssh-clients
openssh-8.7p1-38.el9.alma.2.x86_64
openssh-server-8.7p1-38.el9.alma.2.x86_64
openssh-clients-8.7p1-38.el9.alma.2.x86_64
Version check with dnf
[root@AL ~]# dnf list installed |grep -i openssh
openssh.x86_64 8.7p1-38.el9.alma.2 @baseos
openssh-clients.x86_64 8.7p1-38.el9.alma.2 @baseos
openssh-server.x86_64 8.7p1-38.el9.alma.2 @baseos
From the transaction log it looks as if sshd was restarted by the package scriptlet during the update, but restart the sshd daemon anyway to be sure: what matters is that the listening parent sshd process is running the new binary, since a listener started from the old package would still be vulnerable no matter what rpm reports. Restarting the listener does not drop already established sessions.
Restart sshd
[root@AL ~]# systemctl restart sshd
Check the secure log
[root@AL ~]# cat /var/log/secure
Jul 2 12:44:01 AL sshd[52688]: Received signal 15; terminating.
Jul 2 12:44:01 AL sshd[55354]: Server listening on 0.0.0.0 port 22.
Jul 2 12:44:01 AL sshd[55354]: Server listening on :: port 22.
Check the status via systemctl. The old listener (PID 52688) received signal 15 and the Main PID is now the new process (55354), which confirms the listener was replaced.
[root@AL ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-07-02 12:44:01 JST; 4min 3s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 55354 (sshd)
Tasks: 1 (limit: 23152)
Memory: 1.4M
CPU: 6ms
CGroup: /system.slice/sshd.service
└─55354 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
Jul 02 12:44:01 AL systemd[1]: Starting OpenSSH server daemon...
Jul 02 12:44:01 AL sshd[55354]: Server listening on 0.0.0.0 port 22.
Jul 02 12:44:01 AL sshd[55354]: Server listening on :: port 22.
Jul 02 12:44:01 AL systemd[1]: Started OpenSSH server daemon.
Postscript
I noticed after doing this that AlmaLinux had already published a page about its response to this issue at the following link.