/OpenSSH-CVE-2024-6387-Fix

A Bash script to mitigate the CVE-2024-6387 vulnerability in OpenSSH by providing an option to upgrade to a secure version or apply a temporary workaround. This repository helps secure systems against potential remote code execution risks associated with affected OpenSSH versions.

Primary LanguageShellMIT LicenseMIT

CVE-2024-6387 OpenSSH Vulnerability Mitigation Script

Overview

This Bash script is designed to help mitigate the CVE-2024-6387 vulnerability in OpenSSH. The vulnerability affects certain versions of OpenSSH and can potentially allow remote unauthenticated attackers to execute arbitrary code on your system. This script gives you the option to upgrade to a safe version of OpenSSH or apply a temporary fix to reduce the risk of exploitation.

Affected Versions

  • Vulnerable Versions:

    • OpenSSH versions earlier than 4.4p1 are vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109.
    • Versions from 8.5p1 up to, but not including, 9.8p1 are vulnerable due to the reintroduction of a critical issue.

  • Safe Versions:

    • Versions from 4.4p1 to 8.5p1 are not vulnerable due to a patch that was applied in these versions.
    • Versions 9.8p1 and later include the necessary fixes.

Script Features

  • Version Check:

    • The script checks your current OpenSSH version to determine if it is vulnerable.

  • Upgrade Option:

    • If your version is vulnerable, the script prompts you to upgrade OpenSSH to the latest secure version.

  • Temporary Fix:

    • If you choose not to upgrade, the script applies a temporary workaround by modifying the sshd_config file to reduce the attack surface.

  • User Notifications:

    • The script concludes by advising on best practices for securing your SSH service.

Usage

  1. Download and Save the Script:

    • Save the script to your local machine with a name like fix_cve_2024_6387.sh.

  2. Make the Script Executable:

    • Run the following command to make the script executable: 
      chmod +x fix_cve_2024_6387.sh

  3. Run the Script with Root Privileges:

    • Execute the script using sudo to ensure it has the necessary permissions: 
      sudo ./fix_cve_2024_6387.sh

  4. Follow the Prompts:

    • If your OpenSSH version is vulnerable, the script will prompt you to upgrade. You can choose to upgrade or apply the temporary fix.

Important Notes

  • Backup: It is always recommended to backup your SSH configuration files and other important data before running any scripts that modify system settings.

  • Monitoring: After applying the fix or upgrading, monitor your SSH logs for any unusual activity and ensure that your SSH service is restricted to trusted networks.

  • Key-Based Authentication: For enhanced security, use key-based authentication instead of password-based authentication.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Contributing

If you find any issues or have suggestions for improvements, feel free to submit a pull request or open an issue.