OpenSSL Vulnerability (CVE-2022-2274) Remediation Step-by-Step Manual

I. Background

Following a recent 护网 (HVV) security inspection requirement, the environment was found to be affected by an OpenSSL RSA remote code execution vulnerability, CVE-2022-2274. Affected versions: OpenSSL <= 3.0.4 (excluding 1.0.2 and 1.1.1, which are safe versions).

On-site environment: CentOS release 6.5 (Final)

openssl: OpenSSL 1.0.1e-fips 11 Feb 2013

You can also refer to the earlier article on handling the SSL/TLS protocol information disclosure vulnerability (CVE-2016-2183). This article is more concise and is written from the execution level.

II. Procedure

1. Based on the vulnerability description, upgrading the openssl version is sufficient. Compared with other libraries such as glibc, the process is relatively safe.

2. Check and confirm the current openssl version. Run:

openssl version  // output as follows

OpenSSL 1.0.1e-fips 11 Feb 2013

3. Download the software

wget --no-check-certificate https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar -xzf openssl-1.1.1d.tar.gz
cd openssl-1.1.1d

4. Back up the original files

ldconfig -v|grep libssl*  // check the current ssl library version (as a regex, libssl* also matches libss and libssh2, hence the extra lines below)

libss.so.2 -> libss.so.2.0
libssl.so.10 -> libssl.so.1.0.1e
libssh2.so.1 -> libssh2.so.1.0.1
libssl3.so -> libssl3.so

find /usr -name 'libssl.so*'  // locate the files (quote the pattern so the shell does not expand it)

# inspect the files
ll /usr/lib64/libssl.so.10
ll /usr/lib64/libssl.so 	// both of these point to /usr/lib64/libssl.so.1.0.1e

ll /usr/lib64/libcrypto.so
ll /usr/lib64/libcrypto.so.10  // likewise, both of these point to /usr/lib64/libcrypto.so.1.0.1e

# perform the backup
cp -pr /usr/lib64/libssl.so.1.0.1e /usr/lib64/libssl.so.1.0.1e.bak.20220709
cp -pr /usr/lib64/libcrypto.so.1.0.1e /usr/lib64/libcrypto.so.1.0.1e.bak.20220709

cp -pr /usr/lib/vmware-tools/lib64/libssl.so.1.0.1/libssl.so.1.0.1 /usr/lib/vmware-tools/lib64/libssl.so.1.0.1/libssl.so.1.0.1.bak.20220709
cp -pr /usr/lib/vmware-tools/lib32/libssl.so.1.0.1/libssl.so.1.0.1 /usr/lib/vmware-tools/lib32/libssl.so.1.0.1/libssl.so.1.0.1.bak.20220709
cp -pr /usr/lib/vmware-tools/lib32/libcrypto.so.1.0.1/libcrypto.so.1.0.1 /usr/lib/vmware-tools/lib32/libcrypto.so.1.0.1/libcrypto.so.1.0.1.bak.20220709
cp -pr /usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1/libcrypto.so.1.0.1 /usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1/libcrypto.so.1.0.1.bak.20220709

5. Check the build environment

gcc --version  // output as follows

gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-4)

g++ --version // output as follows
g++ (GCC) 4.4.7 20120313 (Red Hat 4.4.7-4)

make -v		// output as follows
GNU Make 3.81
Copyright (C) 2006  Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.

This program built for x86_64-redhat-linux-gnu

# check zlib
cat /usr/lib64/pkgconfig/zlib.pc |grep Version
Version: 1.2.3

6. Build openssl

mkdir build && cd build  // build out of tree; the make output below shows the build/ directory
../config --prefix=/usr shared zlib  // keep the install directory the same as the original installation

Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1d (0x1010104fL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL file first)         ***
***                                                                ***
**********************************************************************

ls  // the files generated after running config are as follows

apps  configdata.pm  crypto  engines  fuzz  include  Makefile  ms  ssl  test  tools  util

make depend
make test
make  // output similar to the following
……
chmod a+x util/shlib_wrap.sh
make[1]: Leaving directory `/root/openssl-1.1.1d/build'

# list the files
apps           engines  libcrypto.a    libcrypto.so      libssl.map  libssl.so.1.1  openssl.pc  tools
configdata.pm  fuzz     libcrypto.map  libcrypto.so.1.1  libssl.pc   Makefile       ssl         util
crypto         include  libcrypto.pc   libssl.a          libssl.so   ms             test

# If you do not want to run make install, you can do the following directly:
mv /usr/bin/openssl /usr/bin/openssl.bak.20220709
cp ./apps/openssl /usr/bin/
cp ./libssl.so.1.1 /usr/lib64/
cp ./libcrypto.so.1.1 /usr/lib64/
rm -rf /usr/lib64/libssl.so
ln -s /usr/lib64/libssl.so.1.1 /usr/lib64/libssl.so
# note: this manual path does not relink /usr/lib64/libcrypto.so; make install (next) relinks both
# verify
openssl version
OpenSSL 1.1.1d  10 Sep 2019

# Alternatively, instead of the manual steps above, just run make install
make install  // verified in practice: same result as above, and simpler

# verify
openssl version
OpenSSL 1.1.1d  10 Sep 2019

ll /usr/lib64/libssl.so
lrwxrwxrwx. 1 root root 13 79 12:15 /usr/lib64/libssl.so -> libssl.so.1.1

ll /usr/lib64/libcrypto.so
lrwxrwxrwx. 1 root root 16 79 12:15 /usr/lib64/libcrypto.so -> libcrypto.so.1.1
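A post-upgrade check for the procedure above, as an added example that is not part of the original article. It confirms that the reported `openssl version` is outside the affected range the article states, and lists binaries that still resolve libssl/libcrypto through the old libssl.so.10/libcrypto.so.10 SONAMEs, which the ldconfig output above shows pointing at the 1.0.1e files; this upgrade adds libssl.so.1.1 next to them, so anything linked against the old SONAMEs keeps loading the old library. Function names and the sample ldd lines are constructed.

```shell
#!/bin/bash
# Post-upgrade verification (added example, not from the original article).
# Assumptions: affected range as the article states (OpenSSL <= 3.0.4, with the
# 1.0.2 and 1.1.1 series unaffected); function names are constructed.
# "3.0.4" -> 3000004, so dotted versions can be compared as integers
ver_key() {
  local a b c
  IFS=. read -r a b c <<EOF
$1
EOF
  echo $(( ${a:-0} * 1000000 + ${b:-0} * 1000 + ${c:-0} ))
}

# Return 0 when an "openssl version" line reports an unaffected release.
openssl_version_safe() {
  local ver
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
  [ -n "$ver" ] || return 1
  case "$ver" in
    1.0.2|1.1.1) return 0 ;;   # series the article lists as safe
  esac
  [ "$(ver_key "$ver")" -gt "$(ver_key 3.0.4)" ]
}

# Read ldd output on stdin and print "<soname> <path>" for entries that still
# bind to the old 1.0.x ABI (libssl.so.10 / libcrypto.so.10 on CentOS 6). The
# upgrade adds libssl.so.1.1 but leaves those SONAMEs on 1.0.1e, so programs
# linked against them keep loading the old library.
stale_ssl_deps() {
  grep -E '^[[:space:]]*lib(ssl|crypto)\.so\.10[[:space:]]*=>' | awk '{print $1, $3}'
}

# Run ldd over the given binaries; return 1 if any of them is still stale.
audit_binaries() {
  local bin deps found=0
  for bin in "$@"; do
    deps=$(ldd "$bin" 2>/dev/null | stale_ssl_deps || true)
    if [ -n "$deps" ]; then
      found=1
      printf '%s still uses the old ABI:\n%s\n' "$bin" "$deps"
    fi
  done
  return $found
}

if [ "$1" = "--run" ]; then   # e.g. ./check.sh --run /usr/sbin/sshd /usr/bin/curl
  shift
  openssl_version_safe "$(openssl version 2>/dev/null)" || { echo "openssl still affected"; exit 1; }
  audit_binaries "$@"
fi
```

Binaries reported by audit_binaries need to be rebuilt or repointed at the new library; replacing the openssl command alone does not change what they load.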

III. Automated upgrade

3.1 Ansible Playbook

- name: update openssl
  hosts: 存储主机名的文本
  gather_facts: false
  remote_user: root
  tasks:
    - name: copy package
      copy: src=openssl-1.0.2u.tar.gz dest=/tmp/openssl-1.0.2u.tar.gz
      tags: cppkg

    - name: tar openssl
      shell: cd /tmp;tar -xf openssl-1.0.2u.tar.gz

    - name: install gcc perl
      shell: yum install -y gcc perl;

    - name: install openssl
      shell: cd /tmp/openssl-1.0.2u;./config;make;make install

    - name: change
      shell: mv /usr/bin/openssl /usr/bin/openssl.bak;mv /usr/include/openssl /usr/include/openssl.bak;ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl;ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl;echo "/usr/local/ssl/lib" >> /etc/ld.so.conf;ldconfig -v;chmod 755 /usr/local/ssl/;chmod 755 /usr/local/ssl/bin/;

    - name: version
      shell: openssl version
      register: openssl_version

    - name: show
      debug: var=openssl_version verbosity=0

3.2 Script (not yet fully debugged)

#!/bin/bash
parent_path=$( cd "$(dirname "$0")" && pwd -P )
cd "$parent_path" || exit 1
clear
echo ------------------------------------------
echo        openssl升级到1.1.1d
echo        生产环境请检查修改脚本适配你的环境
echo ------------------------------------------
sleep 3s
clear
echo "安装环境检查……"
sleep 1s
gcc --version && g++ --version && make -v && cat /usr/lib64/pkgconfig/zlib.pc |grep Version
if [ $? = 0 ];then
    echo "当前环境已准备就绪,可以开始安装openssl"
else
    echo "请安装对应软件后,再次尝试"
    exit 1    # do not continue with a missing toolchain
fi
clear
echo "软件下载中……"
wget --no-check-certificate https://www.openssl.org/source/openssl-1.1.1d.tar.gz
# If the host has no internet access, comment out the previous line and enable the next one
#/usr/bin/scp  <out-of-band-ip>:/root/openssl-1.1.1d.tar.gz ./
echo "$(date +%F-%T)  安装openssl开始……" >> update.log
sleep 2s
tar -zxvf openssl-1.1.1d.tar.gz
sleep 2s
cd openssl-1.1.1d && mkdir build
cd build
cp -pr /usr/lib64/libssl.so.1.0.1e /usr/lib64/libssl.so.1.0.1e.bak.$(date +%F-%T)
cp -pr /usr/lib64/libcrypto.so.1.0.1e /usr/lib64/libcrypto.so.1.0.1e.bak.$(date +%F-%T)
cp -pr  /usr/bin/openssl /usr/bin/openssl.bak.$(date +%F-%T)
../config --prefix=/usr shared zlib
make
sleep 1s
make install
# verify
/usr/bin/openssl version |grep '1.1.1d'
if [ $? = 0 ] ;then
    echo "$(date +%F-%T)  安装openssl结束…… ">> update.log
else
    echo "Failed, please check and try again"
    exit 1    # a failed upgrade must not return success
fi
sleep 1s
clear
# If you only want to run the code above, append exit here
echo ------------------------------------------
echo "开始对openssh升级到8.6p1!"
echo ------------------------------------------
echo "$(date +%F-%T)  安装openssh开始……" >> update.log
sleep 2s
cp  -ra  /etc/ssh  /etc/ssh_bak.$(date +%F-%T)
cp  -ra /etc/pam.d/ /etc/pam.d_bak.$(date +%F-%T)
wget --no-check-certificate https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
rpm -e --nodeps `rpm -qa | grep openssh`
tar -zxvf openssh-8.6p1.tar.gz
cd  openssh-8.6p1
# --with-ssl-dir must point at the OpenSSL just installed with --prefix=/usr (not /usr/local/ssl)
./configure   --prefix=/usr   --sysconfdir=/etc/ssh    --with-md5-passwords   --with-pam --with-zlib   --with-tcp-wrappers    --with-ssl-dir=/usr   --without-hardening
make
make install
sleep 1s
clear
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
cp -a contrib/redhat/sshd.init  /etc/init.d/sshd
# PAM reads the service file /etc/pam.d/sshd, not /etc/pam.d/sshd.pam
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
chmod u+x /etc/init.d/sshd
ssh -V 2>&1 | grep "8.6"    # ssh -V prints to stderr, so redirect it for grep
if [ $? = 0 ]; then
    echo "ssh 升级完成"
else
    echo "ssh 升级失败"
fi
exit 0

The debug (trace) output is as follows:

……
/usr/share/doc/openssl/html/man7/x509.html
+ /usr/bin/openssl version
+ grep 1.1.1d
OpenSSL 1.1.1d  10 Sep 2019
+ '[' 0 = 0 ']'
++ date +%F-%T
+ echo '2022-07-09-17:37:37  安装openssl结束…… '
+ sleep 1s
+ clear
+ exit


Reposted from blog.csdn.net/ximenjianxue/article/details/125691050