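linux7 CVE source fix: Linux TCP vulnerability CVE-2019-11477, how to fix it on CentOS 7

This article describes how to fix the CVE-2019-11477 vulnerability on CentOS 7: upgrading the kernel directly, using the vulnerability detection script, temporarily changing a kernel parameter, and verifying the result after a reboot.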


1 Fix by upgrading the kernel directly (requires a reboot)

#Download the vulnerability detection script

#[root@CentOS7 ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh

#[root@CentOS7 ~]# ll

总用量 36

-rw-------. 1 root root 1608 3月 19 09:44 anaconda-ks.cfg

-rw-r--r-- 1 root root 28701 6月 18 01:00 cve-2019-11477--2019-06-17-1629.sh

#List the currently installed kernel packages

[root@CentOS7 ~]# rpm -qa|grep kernel

kernel-3.10.0-957.5.1.el7.x86_64

kernel-headers-3.10.0-957.5.1.el7.x86_64

kernel-devel-3.10.0-957.el7.x86_64

kernel-devel-3.10.0-957.5.1.el7.x86_64

kernel-tools-libs-3.10.0-957.5.1.el7.x86_64

kernel-tools-3.10.0-957.5.1.el7.x86_64

abrt-addon-kerneloops-2.1.11-52.el7.centos.x86_64

kernel-3.10.0-957.el7.x86_64

#Run the script to check the current vulnerability status

#[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported

Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.5.1.el7.x86_64

This system is Vulnerable

* Running kernel is vulnerable

For more information about this vulnerability, see:

https://access.redhat.com/security/vulnerabilities/tcpsack

#Update the kernel

#[root@CentOS7 ~]# yum update kernel

#[root@CentOS7 ~]# rpm -qa|grep kernel

kernel-3.10.0-957.5.1.el7.x86_64

kernel-3.10.0-957.21.3.el7.x86_64

kernel-headers-3.10.0-957.5.1.el7.x86_64

kernel-devel-3.10.0-957.el7.x86_64

kernel-devel-3.10.0-957.5.1.el7.x86_64

kernel-tools-libs-3.10.0-957.5.1.el7.x86_64

kernel-tools-3.10.0-957.5.1.el7.x86_64

abrt-addon-kerneloops-2.1.11-52.el7.centos.x86_64

kernel-3.10.0-957.el7.x86_64

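#After upgrading the kernel, run the check again (still reported as vulnerable, because the old kernel is still the running one)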

#[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported

Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.5.1.el7.x86_64

This system is Vulnerable

* Running kernel is vulnerable

For more information about this vulnerability, see:

https://access.redhat.com/security/vulnerabilities/tcpsack

#Reboot the machine so the new kernel takes effect

#[root@CentOS7 ~]# reboot

#Check the vulnerability status after the reboot; the system is now not affected

#[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported

Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.21.3.el7.x86_64

This system is Not affected

For more information about this vulnerability, see:

https://access.redhat.com/security/vulnerabilities/tcpsack

2 Fix by changing a kernel parameter (temporary method, no reboot required)

#[root@CentOS7 ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh

#Check the current vulnerability status; the system is vulnerable

[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported

Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.5.1.el7.x86_64

This system is Vulnerable

* Running kernel is vulnerable

For more information about this vulnerability, see:

https://access.redhat.com/security/vulnerabilities/tcpsack

#Change the kernel parameter

[root@CentOS7 ~]# echo 0 > /proc/sys/net/ipv4/tcp_sack

#Check the current vulnerability status

[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported

Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.5.1.el7.x86_64

This system is Mitigated

* Running kernel is vulnerable

* sysctl mitigation is applied

For more information about this vulnerability, see:

https://access.redhat.com/security/vulnerabilities/tcpsack

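#The setting is lost after a reboot; use it only as a temporary measure, or write it into the sysctl.conf configuration file

3 Recommendation

Apply the temporary method first by changing the kernel parameter, which takes effect immediately. Then upgrade the kernel; the new kernel takes effect automatically the next time the machine can be rebooted.

Original source: https://www.cnblogs.com/wzstudy/p/11058328.html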
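The recommendation above leaves a host in an intermediate state (workaround active, patched kernel installed but not yet booted), and the sketch below reports that state explicitly. It is an added example, not part of the original post or of Red Hat's detection script; the function names are hypothetical, and the fixed-kernel threshold is assumed from the version the output above reports as "Not affected".

```bash
#!/bin/bash
# Added example, not from the original post or Red Hat's checker.
# Assumption: threshold = the el7 kernel the page's output shows as "Not affected".
FIXED_KERNEL="3.10.0-957.21.3.el7"

# version_ge A B: succeeds when A >= B in version order (sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# assess RUNNING INSTALLED TCP_SACK: print the host's state.
#   RUNNING   output of `uname -r`
#   INSTALLED output of `rpm -q kernel` (whitespace-separated package names)
#   TCP_SACK  content of /proc/sys/net/ipv4/tcp_sack
assess() {
    local running="${1%.x86_64}" state="vulnerable" k
    if version_ge "$running" "$FIXED_KERNEL"; then
        echo "not-affected"
        return 0
    fi
    # The sysctl workaround only matters while an unpatched kernel is running.
    if [ "$3" = "0" ]; then state="mitigated"; fi
    for k in $2; do
        k="${k#kernel-}"; k="${k%.x86_64}"
        if version_ge "$k" "$FIXED_KERNEL"; then
            # Fixed kernel is on disk but not booted: yum update ran, reboot did not.
            echo "$state,reboot-pending"
            return 0
        fi
    done
    echo "$state"
}

# persist_mitigation FILE: append the setting once so it survives a reboot.
persist_mitigation() {
    grep -qsxF 'net.ipv4.tcp_sack = 0' "$1" || echo 'net.ipv4.tcp_sack = 0' >> "$1"
}

if [ "${1:-}" = "--live" ]; then
    # On the host itself: ./check.sh --live [--persist]
    assess "$(uname -r)" "$(rpm -q kernel)" "$(cat /proc/sys/net/ipv4/tcp_sack)"
    if [ "${2:-}" = "--persist" ]; then persist_mitigation /etc/sysctl.conf && sysctl -p; fi
else
    # Demo on values copied from the page: after `yum update`, before the reboot.
    assess "3.10.0-957.5.1.el7.x86_64" \
        "kernel-3.10.0-957.5.1.el7.x86_64 kernel-3.10.0-957.21.3.el7.x86_64" 0
fi
```

Once the host has rebooted into the fixed kernel and reports `not-affected`, the `net.ipv4.tcp_sack = 0` line can be removed from sysctl.conf to re-enable selective acknowledgements.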
