Linux TCP vulnerability CVE-2019-11477: how to fix it on CentOS 7

A brief introduction to CVE-2019-11477: https://cert.360.cn/warning/detail?id=27d0c6b825c75d8486c446556b9c9b68
Red Hat users can check whether a system is vulnerable with the following script: https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh
AWS remediation bulletin for CVE-2019-11477: https://amazonaws-china.com/cn/security/security-bulletins/AWS-2019-005/?from=groupmessage
Alibaba Cloud remediation notice: https://help.aliyun.com/noticelist/articleid/1060012493.html?spm=a2c4g.789004748.n2.7.15386141GM8Eyl

Linux TCP vulnerability CVE-2019-11477: how to fix it on CentOS 7 (original post) https://www.cnblogs.com/wzstudy/p/11058328.html

1 Fix by upgrading the kernel (requires a reboot)

# Download the vulnerability detection script
[root@CentOS7 ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh

[root@CentOS7 ~]# ll
总用量 36
-rw-------. 1 root root  1608 3月  19 09:44 anaconda-ks.cfg
-rw-r--r--  1 root root 28701 6月  18 01:00 cve-2019-11477--2019-06-17-1629.sh

# Check the currently installed kernel packages
[root@CentOS7 ~]# rpm -qa|grep kernel
kernel-3.10.0-957.5.1.el7.x86_64
kernel-headers-3.10.0-957.5.1.el7.x86_64
kernel-devel-3.10.0-957.el7.x86_64
kernel-devel-3.10.0-957.5.1.el7.x86_64
kernel-tools-libs-3.10.0-957.5.1.el7.x86_64
kernel-tools-3.10.0-957.5.1.el7.x86_64
abrt-addon-kerneloops-2.1.11-52.el7.centos.x86_64
kernel-3.10.0-957.el7.x86_64

# Run the script to see the current vulnerability status
[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.5.1.el7.x86_64

This system is Vulnerable

* Running kernel is vulnerable

For more information about this vulnerability, see:
https://access.redhat.com/security/vulnerabilities/tcpsack

# Update the kernel (the new package is installed alongside the old one)
[root@CentOS7 ~]# yum update kernel
[root@CentOS7 ~]# rpm -qa|grep kernel
kernel-3.10.0-957.5.1.el7.x86_64
kernel-3.10.0-957.21.3.el7.x86_64
kernel-headers-3.10.0-957.5.1.el7.x86_64
kernel-devel-3.10.0-957.el7.x86_64
kernel-devel-3.10.0-957.5.1.el7.x86_64
kernel-tools-libs-3.10.0-957.5.1.el7.x86_64
kernel-tools-3.10.0-957.5.1.el7.x86_64
abrt-addon-kerneloops-2.1.11-52.el7.centos.x86_64
kernel-3.10.0-957.el7.x86_64

# Run the check again after the upgrade: the old kernel is still the one running, so the system still reports as vulnerable
[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.5.1.el7.x86_64

This system is Vulnerable

* Running kernel is vulnerable

For more information about this vulnerability, see:
https://access.redhat.com/security/vulnerabilities/tcpsack


# Reboot so the new kernel takes effect
[root@CentOS7 ~]# reboot

# Check again after the reboot: the system is now not affected
[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.21.3.el7.x86_64

This system is Not affected


For more information about this vulnerability, see:
https://access.redhat.com/security/vulnerabilities/tcpsack

2 Fix by changing a kernel parameter (temporary; no reboot needed)

[root@CentOS7 ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh

# Check the current status: the system is vulnerable
[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.5.1.el7.x86_64

This system is Vulnerable

* Running kernel is vulnerable

For more information about this vulnerability, see:
https://access.redhat.com/security/vulnerabilities/tcpsack

# Change the kernel parameter (disable TCP SACK processing)
[root@CentOS7 ~]# echo 0 > /proc/sys/net/ipv4/tcp_sack

# Check the status again
[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.5.1.el7.x86_64

This system is Mitigated

* Running kernel is vulnerable
* sysctl mitigation is applied

For more information about this vulnerability, see:
https://access.redhat.com/security/vulnerabilities/tcpsack

# This setting is lost on reboot; use it only as a temporary measure, or write it into the sysctl.conf configuration file to persist it

3 Recommendation

Apply the temporary kernel-parameter change first, so the mitigation is in effect immediately.
Then upgrade the kernel; the permanent fix takes effect automatically once the machine can be rebooted.
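The three states the Red Hat checker reports above (Vulnerable, Mitigated, Not affected) follow from just two facts: whether the running kernel build carries the fix, and whether net.ipv4.tcp_sack is 0. The script below is an added example, not the blog post's own commands or Red Hat's checker. It reimplements that classification for the el7 3.10.0 kernel line, taking 3.10.0-957.21.3.el7 (the build the post shows as "Not affected") as the first fixed build, which is an assumption of this example, and it shows how to persist the sysctl mitigation in a drop-in file so it survives a reboot, which is what the post's closing note recommends. The `assess` function takes the kernel release and the tcp_sack value as arguments so it can be exercised with constructed inputs; `check_host` feeds it the live values.

```shell
#!/bin/sh
# Added example (not from the original post): classify a CentOS 7 host's
# CVE-2019-11477 state from the running kernel release and net.ipv4.tcp_sack,
# and persist the sysctl mitigation across reboots.
# Assumption: 3.10.0-957.21.3.el7 is the first fixed build (the release the
# post reports as "Not affected").

FIXED_BUILD="957.21.3"

# Split "3.10.0-957.21.3.el7.x86_64" into its three build numbers: "957 21 3".
# A release without the minor parts (e.g. 3.10.0-957.el7) gets zeros.
build_numbers() {
    rel=${1#3.10.0-}            # drop the upstream version prefix
    rel=${rel%%.el7*}           # drop the dist tag and architecture
    a=${rel%%.*}; rest=${rel#"$a"}; rest=${rest#.}
    b=${rest%%.*}; rest=${rest#"$b"}; rest=${rest#.}
    c=${rest%%.*}
    echo "${a:-0} ${b:-0} ${c:-0}"
}

# Succeeds when an el7 3.10.0 release is at or above FIXED_BUILD.
kernel_is_fixed() {
    set -- $(build_numbers "$1") $(echo "$FIXED_BUILD" | tr . ' ')
    # $1 $2 $3 = running build, $4 $5 $6 = first fixed build
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Classify like the Red Hat checker: Not affected / Mitigated / Vulnerable.
# $1 = kernel release (as printed by uname -r), $2 = net.ipv4.tcp_sack (0 or 1)
assess() {
    case "$1" in
        3.10.0-*) ;;
        *) echo "Unknown (only the el7 3.10.0 kernel line is classified here)"; return 0 ;;
    esac
    if kernel_is_fixed "$1"; then
        echo "Not affected"
    elif [ "$2" = "0" ]; then
        echo "Mitigated"         # unfixed kernel, but SACK processing is disabled
    else
        echo "Vulnerable"
    fi
}

# Live check on the current host.
check_host() {
    assess "$(uname -r)" "$(cat /proc/sys/net/ipv4/tcp_sack)"
}

# Persist the mitigation: `echo 0 > /proc/sys/net/ipv4/tcp_sack` is lost at
# reboot, whereas a drop-in under /etc/sysctl.d is reapplied at boot.
# $1 = target directory (defaults to /etc/sysctl.d; a temp dir works for testing).
# Prints the path of the file written.
persist_mitigation() {
    dir=${1:-/etc/sysctl.d}
    printf 'net.ipv4.tcp_sack = 0\n' > "$dir/99-cve-2019-11477.conf"
    echo "$dir/99-cve-2019-11477.conf"
}

# When run as a script on a Linux host, report the live state.
if [ -r /proc/sys/net/ipv4/tcp_sack ]; then
    echo "Running kernel: $(uname -r)"
    echo "This system is $(check_host)"
fi
```

After writing the drop-in, `sysctl -p /etc/sysctl.d/99-cve-2019-11477.conf` applies it immediately without waiting for a reboot. Disabling SACK is a real mitigation but it costs throughput on lossy paths, so treat the drop-in as a stopgap and remove it once the host is running a fixed kernel.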

posted @ 2019-06-20 13:53 by 易无极