In today’s digital world, security is paramount. Recently, a critical vulnerability, CVE-2024-6387, was found in OpenSSH. This post offers a straightforward script to help you identify and fix this issue, ensuring your system remains secure.
CVE-2024-6387 is a serious flaw in the OpenSSH server (sshd) that can allow a remote attacker to execute code on your system. Addressing it promptly is crucial to safeguarding your data.
This script checks your OpenSSH version, determines whether it is vulnerable, updates OpenSSH if needed, and applies a temporary mitigation if the update fails. The mitigation works because the bug is reached when the LoginGraceTime timer expires: setting it to 0 disables that timer, at the cost of letting unauthenticated connections hold sshd slots indefinitely, which is the DoS exposure the script warns about.
```bash
#!/bin/bash
# Checks for and remediates the CVE-2024-6387 vulnerability in OpenSSH.
# Attempts to update OpenSSH to the latest version; if the update fails, applies a temporary mitigation
# by setting LoginGraceTime to 0 in the sshd_config file.
# Note: This temporary mitigation may expose the system to DoS attacks.
# Based on information provided by https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
# Script provided by DropDeadDick.com

# Package installation and sshd restarts need root
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root." >&2
    exit 1
fi

# Get OpenSSH version (e.g. "9.6p1"); sshd prints its version string on stderr
get_ssh_version() {
    sshd -V 2>&1 | grep -oP '(?<=OpenSSH_)\d+\.\d+p\d+'
}

# Convert "X.YpZ" into an integer so versions compare numerically
# (bash string comparison would, for example, sort 10.0p1 before 4.4p1)
version_key() {
    local major minor patch
    IFS='.p' read -r major minor patch <<< "$1"
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Check if the system is vulnerable.
# Affected ranges per the Qualys advisory: versions before 4.4p1, and 8.5p1 up to (not including) 9.8p1.
# Distributions often backport the fix without changing the upstream version, so a version-only check
# can give a false positive (e.g. AlmaLinux's openssh-8.7p1-38.el9.alma.2); confirm with your vendor's advisory.
is_vulnerable() {
    local key
    key=$(version_key "$(get_ssh_version)")
    if (( key < $(version_key 4.4p1) )) || (( key >= $(version_key 8.5p1) && key < $(version_key 9.8p1) )); then
        return 0 # Vulnerable
    else
        return 1 # Not vulnerable
    fi
}

# Restart the daemon; the unit is "sshd" on RHEL-like systems and "ssh" on Debian/Ubuntu
restart_sshd() {
    echo -e "\nRestarting sshd service...\n"
    # Validate the configuration first so a bad edit cannot leave the host without a running sshd
    if ! sshd -t; then
        echo "sshd configuration test failed; not restarting." >&2
        return 1
    fi
    systemctl restart sshd 2>/dev/null || systemctl restart ssh
}

# Remediate the vulnerability by updating the package
remediate() {
    echo -e "\e[33mUpdating OpenSSH to the latest version...\e[0m"
    if [[ -f /etc/debian_version ]]; then
        apt-get update && apt-get install -y openssh-server
    elif [[ -f /etc/redhat-release ]]; then
        yum update -y openssh-server
    else
        # No package manager we know how to drive; the mitigation below can still be applied
        echo "Unsupported OS; skipping package update." >&2
        return 1
    fi
    restart_sshd
}

# Apply temporary mitigation
mitigate() {
    local cfg=/etc/ssh/sshd_config
    echo -e "\e[33mApplying temporary mitigation by setting LoginGraceTime to 0...\e[0m"
    cp -p "$cfg" "$cfg.bak.$(date +%s)" # keep a backup of the original config
    if grep -qE '^#?\s*LoginGraceTime' "$cfg"; then
        sed -i -E 's/^#?\s*LoginGraceTime.*/LoginGraceTime 0/' "$cfg"
    else
        # Directive absent: sed would change nothing, so append it explicitly
        echo "LoginGraceTime 0" >> "$cfg"
    fi
    restart_sshd || return 1
    # Confirm the effective configuration picked up the setting (an Include'd drop-in could override it)
    if sshd -T 2>/dev/null | grep -qi '^logingracetime 0$'; then
        echo -e "\e[32mTemporary mitigation applied. The system is now safe from remote code execution but may be vulnerable to DoS attacks.\e[0m"
    else
        echo -e "\e[31mLoginGraceTime is not 0 in the effective sshd configuration; mitigation not applied.\e[0m" >&2
        return 1
    fi
}

# Main
if [[ -z "$(get_ssh_version)" ]]; then
    echo "Could not determine the OpenSSH version (is sshd installed?)." >&2
    exit 1
fi
if is_vulnerable; then
    echo -e "\e[31mSystem is vulnerable to CVE-2024-6387.\e[0m"
    remediate
    if is_vulnerable; then
        echo -e "\e[33mApplying temporary mitigation since the update was not successful.\e[0m"
        if mitigate; then
            # The installed version is unchanged, so the version check still reports it as vulnerable
            echo -e "\e[31mSystem is still running a vulnerable version but is temporarily mitigated.\e[0m"
        else
            echo -e "\e[31mSystem is still vulnerable and the mitigation could not be applied.\e[0m"
            exit 1
        fi
    else
        echo -e "\e[32mUpdate successful. The system is no longer vulnerable.\e[0m"
    fi
else
    echo -e "\e[32mSystem is not vulnerable to CVE-2024-6387.\e[0m"
fi
```
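As an added example (not part of the original post or the script above), a small POSIX sh helper that classifies OpenSSH banner strings against the advisory's affected ranges, so an inventory collected from server banners can be triaged without running anything as root on each host. The host names and banners in the sample inventory are constructed, and vendor builds that backport the fix are reported as vulnerable because their banner keeps the upstream version.

```sh
# Classify an OpenSSH banner against the CVE-2024-6387 affected ranges
# (before 4.4p1, and 8.5p1 up to but not including 9.8p1, per the Qualys advisory).
# Prints "vulnerable", "not-vulnerable" or "unknown" (no OpenSSH version in the banner).
# Caveat: vendor builds that backport the fix keep the upstream version string and
# will be reported as vulnerable here; confirm those against the distribution's advisory.
openssh_status() {
    banner="$1"
    # Pull "X.Y[pZ]" out of e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4"
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\(p[0-9][0-9]*\)\{0,1\}\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%p*}
    patch=${rest#*p}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # no "pN" suffix in the banner
    # Integer key so 10.0p1 sorts after 9.8p1 (string comparison would get this wrong)
    key=$(( major * 1000000 + minor * 1000 + patch ))
    if [ "$key" -lt 4004001 ]; then echo vulnerable        # before 4.4p1
    elif [ "$key" -lt 8005001 ]; then echo not-vulnerable  # 4.4p1 .. 8.4p1
    elif [ "$key" -lt 9008001 ]; then echo vulnerable      # 8.5p1 .. 9.7p1 (the regression)
    else echo not-vulnerable                               # 9.8p1 and later
    fi
}

# Read "host banner" lines on stdin and print "host status" for each
audit_inventory() {
    while IFS= read -r line; do
        host=${line%% *}
        banner=${line#* }
        printf '%s %s\n' "$host" "$(openssh_status "$banner")"
    done
}

# Constructed sample inventory (hypothetical hosts and banners, not real systems)
SAMPLE_INVENTORY='bastion01 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4
legacy-db SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
build07 SSH-2.0-OpenSSH_9.8p1
router SSH-2.0-dropbear_2022.83'

# Number of hosts in the sample that need patching or the LoginGraceTime mitigation
count_vulnerable() {
    printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory | grep -c ' vulnerable$'
}

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```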
By using this script, you can protect your system from the CVE-2024-6387 vulnerability. Regular updates and proactive measures are essential for maintaining system security. Stay safe!