Chaitin Baichuan Cloud - Article Details

OpenSSH Nuclear-Grade Vulnerability CVE-2024-6387

king

2024-07-02

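Qualys today disclosed a security vulnerability they discovered in the OpenSSH server that can lead to remote, unauthenticated code execution. OpenSSH servers running on Linux with the GNU C Library (glibc) are vulnerable to CVE-2024-6387, which has been dubbed "RegreSSHion", a play on "SSH" and "regression".

A signal handler race condition in the OpenSSH server can lead to unauthenticated remote code execution. Multiple OpenSSH versions on Linux going back several years are affected.

CVE-2024-6387 has a wide impact; verify and remediate immediately. The verification script is as follows: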

import socket
import argparse
import ipaddress
import threading
from queue import Queue
def is_port_open(ip, port):
    # Plain TCP connect with a 1-second timeout; any socket error counts as closed.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(1)
    try:
        sock.connect((ip, port))
        return True
    except OSError:
        return False
    finally:
        sock.close()
def get_ssh_banner(ip, port):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(2)
        sock.connect((ip, port))
        banner = sock.recv(1024).decode().strip()
        sock.close()
        return banner
    except Exception as e:
        return str(e)
def check_vulnerability(ip, port, result_queue):
    if not is_port_open(ip, port):
        result_queue.put((ip, port, 'closed', "Port closed"))
        return
    banner = get_ssh_banner(ip, port)
    if "SSH-2.0-OpenSSH" not in banner:
        result_queue.put((ip, port, 'failed', f"Failed to retrieve SSH banner: {banner}"))
        return
    vulnerable_versions = [
        'SSH-2.0-OpenSSH_8.5p1',
        'SSH-2.0-OpenSSH_8.6p1',
        'SSH-2.0-OpenSSH_8.7p1',
        'SSH-2.0-OpenSSH_8.8p1',
        'SSH-2.0-OpenSSH_8.9p1',
        'SSH-2.0-OpenSSH_9.0p1',
        'SSH-2.0-OpenSSH_9.1p1',
        'SSH-2.0-OpenSSH_9.2p1',
        'SSH-2.0-OpenSSH_9.3p1',
        'SSH-2.0-OpenSSH_9.4p1',
        'SSH-2.0-OpenSSH_9.5p1',
        'SSH-2.0-OpenSSH_9.6p1',
        'SSH-2.0-OpenSSH_9.7p1'
    ]
    if any(version in banner for version in vulnerable_versions):
        result_queue.put((ip, port, 'vulnerable', f"(running {banner})"))
    else:
        result_queue.put((ip, port, 'not_vulnerable', f"(running {banner})"))
def main():
    parser = argparse.ArgumentParser(description="Check if servers are running a vulnerable version of OpenSSH.")
    parser.add_argument("targets", nargs='+', help="IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.")
    parser.add_argument("--port", type=int, default=22, help="Port number to check (default: 22).")
    args = parser.parse_args()
    targets = args.targets
    port = args.port
    ips = []
    for target in targets:
        try:
            with open(target, 'r') as file:
                # Skip blank lines so an empty entry is never treated as a target.
                ips.extend(line for line in file if line.strip())
        except IOError:
            if '/' in target:
                try:
                    network = ipaddress.ip_network(target, strict=False)
                    ips.extend([str(ip) for ip in network.hosts()])
                except ValueError:
                    print(f"❌ [-] Invalid CIDR notation: {target}")
            else:
                ips.append(target)
    result_queue = Queue()
    threads = []
    for ip in ips:
        ip = ip.strip()
        thread = threading.Thread(target=check_vulnerability, args=(ip, port, result_queue))
        thread.start()
        threads.append(thread)
    for thread in threads:
        thread.join()
    total_scanned = len(ips)
    closed_ports = 0
    not_vulnerable = []
    vulnerable = []
    while not result_queue.empty():
        ip, port, status, message = result_queue.get()
        if status == 'closed':
            closed_ports += 1
        elif status == 'vulnerable':
            vulnerable.append((ip, message))
        elif status == 'not_vulnerable':
            not_vulnerable.append((ip, message))
        else:
            print(f"⚠️ [!] Server at {ip}:{port} is {message}")
    print(f"\n🛡️ Servers not vulnerable: {len(not_vulnerable)}\n")
    for ip, msg in not_vulnerable:
        print(f"   [+] Server at {ip} {msg}")
    print(f"\n🚨 Servers likely vulnerable: {len(vulnerable)}\n")
    for ip, msg in vulnerable:
        print(f"   [+] Server at {ip} {msg}")
    print(f"\n🔒 Servers with port {args.port} closed: {closed_ports}")
    print(f"\n📊 Total scanned targets: {total_scanned}\n")
if __name__ == "__main__":
    main()

Usage

python CVE-2024-6387_Check.py <targets> [--port PORT]

Examples

Single IP

python CVE-2024-6387_Check.py 192.168.1.1

Multiple IPs and Domains

python CVE-2024-6387_Check.py 192.168.1.1 example.com 192.168.1.2

CIDR Range

python CVE-2024-6387_Check.py 192.168.1.0/24

With Custom Port

python CVE-2024-6387_Check.py 192.168.1.1 example.com --port 2222
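The script above matches banners against exact strings, so a banner such as `OpenSSH_9.3p2` passes as not vulnerable, and a distribution banner says nothing about backported fixes. The following added example (not part of the original script) parses the banner and compares it numerically against the endpoints of the list above; treating every portable release between those endpoints as in range is an assumption, and `parse_banner`, `classify` and the sample banners are constructed for illustration.

```python
import re

# Endpoints of the version list in the script above (8.5p1 ... 9.7p1).
FIRST_LISTED, LAST_LISTED = (8, 5), (9, 7)

# Identification string: SSH-2.0-OpenSSH_<major>.<minor>[p<N>][ <vendor comment>]
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(p\d+)?(?:\s+(\S.*))?$")


def parse_banner(banner):
    """Return (major, minor, portable, vendor), or None if not an OpenSSH banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3) is not None, m.group(4)


def classify(banner):
    """Map a banner to (status, needs_package_check)."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unparsed", False
    major, minor, portable, vendor = parsed
    # Every listed string is a portable ("p") release; compare versions as
    # integer tuples so that, for example, 9.10 sorts after 9.7.
    in_range = portable and FIRST_LISTED <= (major, minor) <= LAST_LISTED
    if not in_range:
        return "outside_listed_range", False
    # A vendor comment (distribution package tag) means the fix may have been
    # backported without changing the upstream version: confirm with the
    # package manager on the host before calling it vulnerable.
    return "in_listed_range", vendor is not None


# Constructed sample banners, not captured from real hosts.
SAMPLES = [
    "SSH-2.0-OpenSSH_9.3p2",                     # missed by exact-string matching
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",  # in range, package check needed
    "SSH-2.0-OpenSSH_9.8p1",                     # after the last listed version
    "SSH-2.0-dropbear_2022.83",                  # not OpenSSH
]

if __name__ == "__main__":
    for sample in SAMPLES:
        status, check_pkg = classify(sample)
        print(f"{sample!r}: {status}, package check needed: {check_pkg}")
```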

Exploit scripts are already circulating online, so upgrade immediately. For example:

https://github.com/zgzhang/cve-2024-6387-poc
https://github.com/acrono/cve-2024-6387-poc
