CVE-2024-6387 Checker

This README provides instructions for using the script to check whether your OpenSSH installation is vulnerable to CVE-2024-6387. The script inspects the installed sshd binaries on your system, extracts their version strings, and reports a vulnerability status based on the detected version. Because it relies only on the version string, it cannot tell whether a distribution has backported the fix without changing that string; treat its result as a first pass and confirm against your distribution's advisory.

Requirements

  • Unix-like operating system (Linux, macOS, etc.)
  • awk, grep, sed, sort, strings (part of binutils on most Linux distributions), and cut utilities available in your shell environment

Script Overview

The script performs the following steps:

  1. Identifies all instances of sshd using the type -a sshd command.
  2. Extracts the version string from each sshd binary.
  3. Parses the version string to determine the major and minor version numbers.
  4. Checks the parsed version against known vulnerable and non-vulnerable versions of OpenSSH.
  5. Outputs the version and vulnerability status for each sshd binary.

Usage

  1. Copy the script into a file, e.g., check_cve_2024_6387.sh.

  2. Give the script execute permissions:

    chmod +x check_cve_2024_6387.sh

  3. Run the script (as root, or with the directory that holds sshd, usually /usr/sbin, on your PATH so that type -a can find it):

    ./check_cve_2024_6387.sh

Script
```bash
#!/bin/bash
# Checks every sshd on PATH for CVE-2024-6387 using the OpenSSH version string
# compiled into the binary. A version-based check cannot see distribution
# backports that keep the upstream version; confirm with your vendor's advisory.

sshd_paths=$(type -a sshd 2>/dev/null | awk '{print $NF}' | sort -u)
if [ -z "$sshd_paths" ]; then
  echo "sshd not found on PATH (run as root or add its directory, usually /usr/sbin, to PATH)"
  exit 1
fi

for each_entry in $sshd_paths; do
  # Take the first matching version string; some binaries embed more than one.
  version_string=$(strings "$each_entry" 2>/dev/null | grep -o "OpenSSH_[0-9]\+\.[0-9]\+p[0-9]\+" | head -n 1)
  if [ -n "$version_string" ]; then
    version=$(echo "$version_string" | sed -E 's/OpenSSH_([0-9]+\.[0-9]+)p[0-9]+/\1/')
    major_version=$(echo "$version" | cut -d '.' -f 1)
    minor_version=$(echo "$version" | cut -d '.' -f 2)

    if [ "$major_version" -lt 4 ] || ([ "$major_version" -eq 4 ] && [ "$minor_version" -lt 4 ]); then
      # Before 4.4p1: the original signal-handler bug, unless the vendor backported the fixes
      status="YES (Unless patched for CVE-2006-5051 and CVE-2008-4109)"
    elif ([ "$major_version" -eq 4 ] && [ "$minor_version" -ge 4 ]) || ([ "$major_version" -ge 5 ] && [ "$major_version" -lt 8 ]) || ([ "$major_version" -eq 8 ] && [ "$minor_version" -lt 5 ]); then
      # 4.4p1 through 8.4p1: not affected
      status="NO"
    elif ([ "$major_version" -eq 8 ] && [ "$minor_version" -ge 5 ]) || ([ "$major_version" -eq 9 ] && [ "$minor_version" -le 7 ]); then
      # 8.5p1 through 9.7p1: the regression is present
      status="YES"
    elif ([ "$major_version" -eq 9 ] && [ "$minor_version" -ge 8 ]) || [ "$major_version" -ge 10 ]; then
      # 9.8p1 and later carry the fix
      status="NO"
    else
      status="Unknown"
    fi

    echo "Found OpenSSH version: $version in $each_entry"
    echo "Vulnerability Status: $status"
    if [ "$status" == "YES" ]; then
      echo "Patch Immediately to OpenSSH 9.8/9.8p1"
    fi
  else
    echo "No match found for $each_entry"
  fi
done
```
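As an added example (not this repository's checker), the function below applies the same version ranges to a version string taken from any of the usual sources, going beyond the script by also accepting `ssh -V` output and a server's SSH banner, and it keeps the vendor suffix in its output because distributions that backport the fix keep the upstream version number, so a YES on a vendor build has to be cross-checked against that vendor's advisory. The names cve_2024_6387_status, scan_local_sshd and the --scan flag are mine, and all sample version strings are constructed.

```bash
#!/bin/bash
# Added example (not this repository's checker). cve_2024_6387_status applies the
# checker's version ranges to a version string from any common source: `strings`
# output, `ssh -V` output, or a server banner such as
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5" (sample values are constructed).
# It prints "STATUS VERSION VENDOR"; VENDOR is the distribution suffix, or "-",
# kept because backported fixes do not change the upstream version number, so a
# YES on a vendor build must be cross-checked against that vendor's advisory.
cve_2024_6387_status() {
  local line ver major minor suffix status
  # First line mentioning an OpenSSH version, CRs stripped (banners end in \r\n).
  line=$(printf '%s\n' "$1" | tr -d '\r' | grep -E 'OpenSSH_[0-9]+\.[0-9]+' | head -n 1)
  ver=$(printf '%s\n' "$line" | grep -oE 'OpenSSH_[0-9]+\.[0-9]+(p[0-9]+)?' | head -n 1)
  if [ -z "$ver" ]; then
    echo "UNKNOWN - -"
    return 1
  fi
  major=${ver#OpenSSH_}; major=${major%%.*}
  minor=${ver#OpenSSH_*.}; minor=${minor%%p*}
  # Vendor text: whatever follows the version up to the first comma; "-" if none.
  suffix=${line#*"$ver"}; suffix=${suffix%%,*}
  set -- $suffix; suffix=${1:--}
  if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 4 ]; }; then
    status="YES-UNLESS-PATCHED"   # before 4.4p1: original bug (CVE-2006-5051)
  elif [ "$major" -lt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -lt 5 ]; }; then
    status="NO"                   # 4.4p1 through 8.4p1: not affected
  elif [ "$major" -eq 8 ] || { [ "$major" -eq 9 ] && [ "$minor" -le 7 ]; }; then
    status="YES"                  # 8.5p1 through 9.7p1: regression present
  else
    status="NO"                   # 9.8p1 and later carry the fix
  fi
  printf '%s %s %s\n' "$status" "${ver#OpenSSH_}" "$suffix"
}

# Classify every sshd on PATH, the same way the checker finds them.
scan_local_sshd() {
  local bin
  for bin in $(type -a sshd 2>/dev/null | awk '{print $NF}' | sort -u); do
    [ -f "$bin" ] || continue
    printf '%s: ' "$bin"
    cve_2024_6387_status "$(strings "$bin" 2>/dev/null | grep -E 'OpenSSH_[0-9]' | head -n 1)"
  done
}

# Scan only when asked, so the file can also be sourced for the function alone.
if [ "${1:-}" = "--scan" ]; then scan_local_sshd; fi
```

Run it as `./classify.sh --scan` with /usr/sbin on PATH to check local binaries, or source it and pass a banner or `ssh -V` line to cve_2024_6387_status directly.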