统信UOS（统信服务器操作系统debian）修复CVE高危漏洞

前言

针对某托管平台分配的4台虚拟服务器，操作系统统信UOS（debian）服务器发现高危漏洞 并修复。

OpenSSH 命令注入漏洞(CVE-2020-15778) / OpenSSH 安全漏洞(CVE-2021-41617) /  OpenSSH 输入验证错误漏洞(CVE-2019-16905) 的修复办法。

 图1

 将离线补丁包上传到服务器，运行 dpkg -i  包名.deb 依次安装补丁包，安装顺序为client，sftp，server 。

资源包：https://download.csdn.net/download/AirIT/87881104

开源镜像站下载地址: debian安装包下载_开源镜像站-阿里云

仓库名：debian

发行版：buster        适用于debian10

架构：arm64

相关仓库

• Debian安装源（debian-cd）：debian-cd镜像_debian-cd下载地址_debian-cd安装教程-阿里巴巴开源镜像站
• Debian安全更新源（debian-security）：debian-security镜像_debian-security下载地址_debian-security安装教程-阿里巴巴开源镜像站
• Debian第三方多媒体软件源（debian-multimedia）：debian-multimedia镜像_debian-multimedia下载地址_debian-multimedia安装教程-阿里巴巴开源镜像站
• Debian预发软件源（debian-backports）：debian-backports镜像_debian-backports下载地址_debian-backports安装教程-阿里巴巴开源镜像站
• Debian其他架构移植源（debian-ports）：debian-ports镜像_debian-ports下载地址_debian-ports安装教程-阿里巴巴开源镜像站
• Debian过期源（debian-archive)：debian-archive镜像_debian-archive下载地址_debian-archive安装教程-阿里巴巴开源镜像站

root# cat /etc/debian_version
10.3
root# uname -a
Linux 4.19.0-arm64-server #3211 SMP Thu Apr 15 10:21:53 CST 2021 aarch64 GNU/Linux


root# cat /etc/apt/sources.list    //debian10版本镜像源如下
deb https://mirrors.aliyun.com/debian/ buster main non-free contrib
deb-src https://mirrors.aliyun.com/debian/ buster main non-free contrib
deb https://mirrors.aliyun.com/debian-security buster/updates main
deb-src https://mirrors.aliyun.com/debian-security buster/updates main
deb https://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb-src https://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb https://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
deb-src https://mirrors.aliyun.com/debian/ buster-backports main non-free contrib

root@V01:~/data/Patch-20230608# dpkg -i openssh-client_7.9p1.10-deepin1_arm64.deb
(Reading database ... 156351 files and directories currently installed.)
Preparing to unpack openssh-client_7.9p1.10-deepin1_arm64.deb ...
Unpacking openssh-client (1:7.9p1.10-deepin1) over (1:7.9p1.1-1+dde) ...
Setting up openssh-client (1:7.9p1.10-deepin1) ...
Processing triggers for man-db (2.8.5-2) ...


root@V01:~/data/Patch-20230608# dpkg -i openssh-sftp-server_7.9p1.10-deepin1_arm64.deb
(Reading database ... 156351 files and directories currently installed.)
Preparing to unpack openssh-sftp-server_7.9p1.10-deepin1_arm64.deb ...
Unpacking openssh-sftp-server (1:7.9p1.10-deepin1) over (1:7.9p1.10-deepin1) ...
Setting up openssh-sftp-server (1:7.9p1.10-deepin1) ...
Processing triggers for man-db (2.8.5-2) ...


root@V01:~/data/Patch-20230608# dpkg -i openssh-server_7.9p1.10-deepin1_arm64.deb
(Reading database ... 156351 files and directories currently installed.)
Preparing to unpack openssh-server_7.9p1.10-deepin1_arm64.deb ...
Unpacking openssh-server (1:7.9p1.10-deepin1) over (1:7.9p1.1-1+dde) ...
Setting up openssh-server (1:7.9p1.10-deepin1) ...

在安装server包时，这里配置文件会提示如下，选择第二个保持当前安装的本地版本。

图2 

全部安装完毕后，重新再对四台服务器进行漏扫，发现高、中危漏洞都已修复。

图3 

验证服务器漏洞修复状态

apt-get changelog openssh-server  | grep  CVE

图4 

关于升级到修复版本后，漏洞再次扫描出漏洞信息，是因为扫描方法的原因，即通过公开的漏洞信息描述判断，而同一个漏洞在不同的linux或不同的操作系统中的情况可能不一样，各个操作系统亦有各自的维护策略，而不能单一地通过公开的漏洞信息描述去判断，因此通过启用服务器的ufw防火墙，限制端口的形式来做策略即可实现修复漏洞。

sudo ufw allow 111/tcp
sudo ufw allow 6888/tcp
sudo ufw allow 2049/tcp
sudo ufw allow 54321/tcp

ufw allow from *.*.26.221 to any port 22
ufw allow from *.*.27.116 to any port 22
ufw allow from *.*.27.61 to any port 22
ufw allow from *.*.29.82 to any port 22
ufw allow from *.*.29.61 to any port 22
ufw allow from 192.168.21.11 to any port 22
ufw allow from 192.168.21.7 to any port 22
ufw allow from 192.168.21.17 to any port 22
ufw allow from 192.168.21.14 to any port 22
ufw deny 22/tcp
sudo ufw enable
sudo ufw status

删除ufw 钟 22 any策略如下（记得提前先放行允许访问的IP）：

root:/# sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 6888                       ALLOW IN    192.168.21.0/24
[ 3] 6888                       ALLOW IN    *.*.29.0/24
[ 4] 6888                       ALLOW IN    *.*.27.0/24
[ 5] 111/tcp                    ALLOW IN    Anywhere
[ 6] 6888/tcp                   ALLOW IN    Anywhere
[ 7] 2049/tcp                   ALLOW IN    Anywhere
[ 8] 54321/tcp                  ALLOW IN    Anywhere
[ 9] 22                         ALLOW IN    *.*.26.220
[10] 22                         ALLOW IN    *.*.26.221
[11] 22                         ALLOW IN    *.*.26.222
[12] 22                         ALLOW IN    *.*.26.220
[13] 22                         ALLOW IN    *.*.26.221
[14] 22                         ALLOW IN    *.*.26.222
[15] 22                         ALLOW IN    *.*.27.116
[16] 22                         ALLOW IN    *.*.27.61
[17] 22                         ALLOW IN    *.*.29.82
[18] 22                         ALLOW IN    *.*.29.61
[19] 22                         ALLOW IN    192.168.21.11
[20] 22                         ALLOW IN    192.168.21.7
[21] 22                         ALLOW IN    192.168.21.17
[22] 22                         ALLOW IN    192.168.21.14
[23] 22/tcp                     DENY IN     Anywhere
[24] 22 (v6)                    ALLOW IN    Anywhere (v6)
[25] 111/tcp (v6)               ALLOW IN    Anywhere (v6)
[26] 6888/tcp (v6)              ALLOW IN    Anywhere (v6)
[27] 2049/tcp (v6)              ALLOW IN    Anywhere (v6)
[28] 54321/tcp (v6)             ALLOW IN    Anywhere (v6)
[29] 22/tcp (v6)                DENY IN     Anywhere (v6)

root:/# sudo ufw delete 1
Deleting:
 allow 22
Proceed with operation (y|n)? y
Rule deleted
root:/#

附：最新漏扫图

图5

附件：统信UOS（debian）telnet离线包

https://download.csdn.net/download/AirIT/88059637