  • Linux TCP vulnerability CVE-2019-11477: remediation on CentOS 7

    A short introduction to CVE-2019-11477: https://cert.360.cn/warning/detail?id=27d0c6b825c75d8486c446556b9c9b68
    Red Hat users can check whether a system is vulnerable with this script: https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh
    AWS guidance for CVE-2019-11477: https://amazonaws-china.com/cn/security/security-bulletins/AWS-2019-005/?from=groupmessage
    Alibaba Cloud guidance: https://help.aliyun.com/noticelist/articleid/1060012493.html?spm=a2c4g.789004748.n2.7.15386141GM8Eyl

    Linux TCP vulnerability CVE-2019-11477, CentOS 7 remediation: https://www.cnblogs.com/wzstudy/p/11058328.html

    1 Fix by upgrading the kernel (requires a reboot)

    # Download the vulnerability detection script
    [root@CentOS7 ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh
    
    [root@CentOS7 ~]# ll
    总用量 36
    -rw-------. 1 root root  1608 3月  19 09:44 anaconda-ks.cfg
    -rw-r--r--  1 root root 28701 6月  18 01:00 cve-2019-11477--2019-06-17-1629.sh
    
    # Show the currently installed kernel packages
    [root@CentOS7 ~]# rpm -qa|grep kernel
    kernel-3.10.0-957.5.1.el7.x86_64
    kernel-headers-3.10.0-957.5.1.el7.x86_64
    kernel-devel-3.10.0-957.el7.x86_64
    kernel-devel-3.10.0-957.5.1.el7.x86_64
    kernel-tools-libs-3.10.0-957.5.1.el7.x86_64
    kernel-tools-3.10.0-957.5.1.el7.x86_64
    abrt-addon-kerneloops-2.1.11-52.el7.centos.x86_64
    kernel-3.10.0-957.el7.x86_64
    
    # Run the script to check the current vulnerability status
    [root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.5.1.el7.x86_64
    
    This system is Vulnerable
    
    * Running kernel is vulnerable
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    
    # Update the kernel
    [root@CentOS7 ~]# yum update kernel
    [root@CentOS7 ~]# rpm -qa|grep kernel
    kernel-3.10.0-957.5.1.el7.x86_64
    kernel-3.10.0-957.21.3.el7.x86_64
    kernel-headers-3.10.0-957.5.1.el7.x86_64
    kernel-devel-3.10.0-957.el7.x86_64
    kernel-devel-3.10.0-957.5.1.el7.x86_64
    kernel-tools-libs-3.10.0-957.5.1.el7.x86_64
    kernel-tools-3.10.0-957.5.1.el7.x86_64
    abrt-addon-kerneloops-2.1.11-52.el7.centos.x86_64
    kernel-3.10.0-957.el7.x86_64
    
    # Check again after the kernel upgrade: the new kernel is installed but the old one is still running, so the system is still reported as vulnerable
    [root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.5.1.el7.x86_64
    
    This system is Vulnerable
    
    * Running kernel is vulnerable
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    
    
    # Reboot so the new kernel takes effect
    [root@CentOS7 ~]# reboot
    
    # Check again after the reboot: the system is now not affected
    [root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.21.3.el7.x86_64
    
    This system is Not affected
    
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    

    2 Fix by changing a kernel parameter (temporary; no reboot required)

    [root@CentOS7 ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh
    
    # Check the current vulnerability status: the system is vulnerable
    [root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.5.1.el7.x86_64
    
    This system is Vulnerable
    
    * Running kernel is vulnerable
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    
    # Change the kernel parameter
    [root@CentOS7 ~]# echo 0 > /proc/sys/net/ipv4/tcp_sack
    
    # Check the vulnerability status again
    [root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.5.1.el7.x86_64
    
    This system is Mitigated
    
    * Running kernel is vulnerable
    * sysctl mitigation is applied
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    
    # This setting is lost after a reboot, so it is recommended only as a temporary measure, or write it into the sysctl.conf configuration file
    

    3 Recommendation

    First apply the temporary fix by changing the kernel parameter, which takes effect immediately.
    Then upgrade the kernel; the permanent fix takes effect automatically once the machine can be rebooted.
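    The following script is an added example for the two procedures above and is not code from the original post or from Red Hat's detection script. It reproduces the three verdicts the detection script printed (Vulnerable, Mitigated, Not affected) from the running kernel release and the live value of net.ipv4.tcp_sack, and writes the persistent form of the sysctl mitigation the post refers to. Assumptions: 3.10.0-957.21.3.el7 is treated as the first fixed CentOS 7 kernel because the post's own output reports it as "Not affected"; the drop-in file name under /etc/sysctl.d is a constructed choice; the version comparison is only meaningful for el7 kernels.

```shell
#!/bin/sh
# Added example (not from the original post or from Red Hat's script):
# classify a CentOS 7 host's CVE-2019-11477 status and persist the sysctl
# mitigation. Assumption: 3.10.0-957.21.3.el7 is the first fixed kernel,
# taken from the post's "Not affected" output for that release.

FIXED_KERNEL="3.10.0-957.21.3.el7"

# Reduce a RHEL-style release string to its numeric fields:
#   "3.10.0-957.5.1.el7.x86_64" -> "3 10 0 957 5 1"
# Everything from the first non-numeric part (".el7...") on is dropped;
# fields that are absent (e.g. in "3.10.0-957.el7") later count as 0.
kernel_fields() {
    printf '%s\n' "$1" | sed -e 's/[^0-9.-].*$//' -e 's/[.-]$//' -e 's/[.-]/ /g'
}

# Exit 0 when release $1 is at least release $2, comparing field by field as
# integers, so 957.21.3 ranks above 957.5.1 (a plain string compare would get
# this wrong because "2" sorts before "5").
kernel_at_least() {
    a=$(kernel_fields "$1")
    b=$(kernel_fields "$2")
    i=1
    while [ "$i" -le 6 ]; do
        x=$(printf '%s\n' "$a" | cut -d' ' -f"$i")
        y=$(printf '%s\n' "$b" | cut -d' ' -f"$i")
        x=${x:-0}
        y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Verdict in the same terms the Red Hat script uses.
#   $1 = running kernel release, $2 = value of net.ipv4.tcp_sack (0 or 1)
sack_status() {
    kernel=$1
    tcp_sack=$2
    if kernel_at_least "$kernel" "$FIXED_KERNEL"; then
        echo "Not affected"    # fixed kernel is running; SACK can stay enabled
    elif [ "$tcp_sack" = "0" ]; then
        echo "Mitigated"       # old kernel, but SACK is disabled for new connections
    else
        echo "Vulnerable"
    fi
}

# Live check of this host (Linux only): uname -r is the running release and
# /proc/sys holds the current sysctl value (1 is the kernel default).
check_host() {
    sack_status "$(uname -r)" "$(cat /proc/sys/net/ipv4/tcp_sack 2>/dev/null || echo 1)"
}

# Persistent form of "echo 0 > /proc/sys/net/ipv4/tcp_sack": a sysctl drop-in
# that survives reboots. Constructed path; override it with $1 for testing.
# Apply without rebooting with "sysctl --system".
persist_mitigation() {
    conf=${1:-/etc/sysctl.d/99-cve-2019-11477.conf}
    printf 'net.ipv4.tcp_sack = 0\n' > "$conf"
}

check_host
```

    Two caveats worth knowing when using the sysctl route: SACK is negotiated in the TCP handshake, so setting tcp_sack to 0 only affects connections established after the change, and existing long-lived connections keep SACK until they are closed. Disabling SACK also degrades loss recovery on lossy paths, so remove the drop-in again once the fixed kernel is running and the script reports "Not affected".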

  • Original post: https://www.cnblogs.com/wzstudy/p/11058328.html