Upgrading OpenSSL to 1.1.1g on Ubuntu to fix the high-severity vulnerability CVE-2020-1967

Vulnerability information

I received the following alert from Tencent Cloud:

On 21 April 2020 OpenSSL officially published a risk notice for a denial-of-service vulnerability in the TLS 1.3 component.
When a server or client program receives an invalid or unrecognised signature algorithm,
it may crash, resulting in a denial of service;
an attacker can exploit this flaw to attack a server so that it can no longer provide normal service.
Upgrade to version 1.1.1g; the download location is https://www.openssl.org/source/
Confirm that no older openssl component remains among the packages installed on the machine,
for example by running rpm -qa | grep openssl

I looked at the official OpenSSL information; this appears to be a vulnerability whose effect is a denial of service. The official advisory reads:

OpenSSL Security Advisory [21 April 2020]
=========================================

Segmentation fault in SSL_check_chain (CVE-2020-1967)
=====================================================

Severity: High

Server or client applications that call the SSL_check_chain() function
during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference
as a result of incorrect handling of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received from the peer.
This could be exploited by a malicious peer in a Denial of Service attack.

OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue.
This issue did not affect OpenSSL versions prior to 1.1.1d.

Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g

This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April 2020.
It was found using the new static analysis pass being implemented in GCC, -fanalyzer.
Additional analysis was performed by Matt Caswell and Benjamin Kaduk.

Note
=====

This issue did not affect OpenSSL 1.0.2 however these versions are out of support
and no longer receiving public updates.
Extended support is available for premium support customers:
https://www.openssl.org/support/contracts.html

This issue did not affect OpenSSL 1.1.0 however these versions
are out of support and no longer receiving updates.
Users of these versions should upgrade to OpenSSL 1.1.1.

So the vulnerability is that when OpenSSL checks a certificate chain, a peer that sends an invalid or unrecognised signature algorithm can leave a pointer NULL; dereferencing it causes a segmentation fault and the program using OpenSSL crashes and stops working. According to the advisory, versions before 1.1.1d (that is, 1.1.1c and earlier) are not affected. I checked my own servers: one runs 1.1.1c and the other 1.1.1f, so I decided to simply upgrade both. Since Ubuntu only ships a new upstream OpenSSL with a new release, apt will not install the latest OpenSSL 1.1.1g for us directly, so the update has to be done by hand.

Upgrade procedure

  1. Download the OpenSSL 1.1.1g source: wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
  2. Unpack the source: tar -zxf openssl-1.1.1g.tar.gz && cd openssl-1.1.1g
  3. Run the configure script: ./config
  4. Build: make
  5. (Optional, but better not to skip) run the test suite to catch possible errors: make test
  6. Back up the current OpenSSL binary: sudo mv /usr/bin/openssl ~/tmp
  7. Install: sudo make install
  8. Create a symbolic link: sudo ln -s /usr/local/bin/openssl /usr/bin/openssl
  9. Rebuild the shared-library cache: sudo ldconfig

That completes the work. Finally, check that the OpenSSL version information is as expected by running:

openssl version

which should print:

OpenSSL 1.1.1g  21 Apr 2020

and the upgrade is done.
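The procedure above, collected into one script as an added example (it is not part of the original post). The script first classifies the output of openssl version against the release list in the advisory (1.1.1d, 1.1.1e and 1.1.1f affected; 1.1.1c and earlier unaffected; 1.1.1g or later fixed), and only performs the source build when it is invoked with --upgrade on an affected host. The checksum step is an addition of mine: it assumes a <tarball>.sha256 file sits next to the tarball on openssl.org, which the post does not mention; the post itself only gives the source directory URL. The example keeps the old binary under ~/tmp/openssl.bak instead of moving it onto ~/tmp itself, so it can be restored.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the installed OpenSSL
# is one of the releases the advisory lists as affected by CVE-2020-1967
# (1.1.1d, 1.1.1e, 1.1.1f) and, only when asked with --upgrade, run the
# source-build steps from the post. The checks run offline; the upgrade needs
# build tools, sudo and network access.
set -eu

# Extract the bare version token from an `openssl version` line,
# e.g. "OpenSSL 1.1.1f  31 Mar 2020" -> "1.1.1f".
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# True (exit 0) only for the three releases the advisory names as affected.
is_affected_by_cve_2020_1967() {
    case "$1" in
        1.1.1d|1.1.1e|1.1.1f) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a full `openssl version` line:
#   affected   - 1.1.1d/e/f: upgrade needed
#   fixed      - 1.1.1g or a later 1.1.1 patch release
#   unaffected - 1.1.1 through 1.1.1c: the bug appeared in 1.1.1d
#   other      - not a 1.1.1 release (1.0.2 and 1.1.0 are not affected
#                but are out of support, per the advisory's note)
classify_openssl() {
    v=$(openssl_version_token "$1")
    if is_affected_by_cve_2020_1967 "$v"; then
        echo affected
        return
    fi
    case "$v" in
        1.1.1|1.1.1a|1.1.1b|1.1.1c) echo unaffected ;;
        1.1.1[g-z])                 echo fixed ;;
        *)                          echo other ;;
    esac
}

# The post's upgrade steps in one function. The .sha256 URL is an assumption
# added here (the file name pattern used on openssl.org, not given in the post).
upgrade_to_1_1_1g() {
    tarball=openssl-1.1.1g.tar.gz
    wget "https://www.openssl.org/source/$tarball" "https://www.openssl.org/source/$tarball.sha256"
    # The .sha256 file holds only the hex digest, so build a sha256sum -c line from it.
    printf '%s  %s\n' "$(cat "$tarball.sha256")" "$tarball" | sha256sum -c -
    tar -zxf "$tarball"
    cd openssl-1.1.1g
    ./config
    make
    make test                                   # optional in the post, but catches build problems early
    mkdir -p ~/tmp                              # keep the old binary so the change can be reverted
    sudo mv /usr/bin/openssl ~/tmp/openssl.bak
    sudo make install
    sudo ln -s /usr/local/bin/openssl /usr/bin/openssl
    sudo ldconfig
}

main() {
    current=$(openssl version 2>/dev/null || echo "OpenSSL unknown")
    status=$(classify_openssl "$current")
    echo "installed: $current ($status)"
    if [ "$status" = affected ] && [ "${1:-}" = "--upgrade" ]; then
        upgrade_to_1_1_1g
        # `openssl version` reports the version of the libssl the dynamic loader
        # resolved, not of the binary itself, so also show which library file loads.
        openssl version
        ldd "$(command -v openssl)" | grep -E 'libssl|libcrypto' || true
    fi
}

main "${1:-}"
```

Run it without arguments to see which of the four classes the host falls into, and with --upgrade to build and install 1.1.1g when the host is affected. The final ldd line matters because openssl version prints the version string of whichever libssl.so.1.1 the loader found, so a 1.1.1g binary that still resolves an older library would not show the expected "OpenSSL 1.1.1g  21 Apr 2020".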
