Fix Google Guest Agent & Linux kernel bypass vulnerabilities for good. This guide provides SUSE commands, a universal automation script, and firewall workarounds. Stop reacting to CVEs—learn to build your own security tools with our recommended book.
One historical note: In late April 2026, SUSE released a critical update (SUSE-SU-2026:21284-1) for the google-guest-agent and the Linux Kernel. The update addressed a nasty authorization bypass (CVE-2024-45337) plus over 170 other vulnerabilities.
But here’s the thing: next month, there will be another CVE. This guide isn't about that one specific date. It’s about giving you the tools to check, patch, and mitigate any similar bypass vulnerability right now, next year, and beyond.
How to Check If You Are Vulnerable (Right Now)
Run these commands on any SUSE Linux Enterprise Server (SLES) 16.0 or SUSE Linux Micro 6.1. They don't rely on a date—they check the actual state of your system.
1. Check your google-guest-agent version
rpm -q google-guest-agent
If your version is older than 20250506.01, you are vulnerable to the bypass.
2. Check your kernel for specific CVEs (e.g., the DoS flaw CVE-2025-39753)
# Rough heuristic only: kernel-default version strings do not necessarily contain a year,
# so treat this as a hint and rely on the zypper check that follows.
rpm -q kernel-default | grep -q "2025" && echo "Kernel from 2025+ likely patched" || echo "Check manually"
# Better yet, scan for a specific CVE (dry run: reports whether a patch is pending, installs nothing):
zypper patch --cve=CVE-2025-39753 --dry-run
3. Scan your entire system for all related CVEs
zypper list-patches | grep -E "CVE-2024-45337|CVE-2025-39753"
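The three checks above are written to be read by a human. As an added example (not code from the original guide), the script below turns the version check into a function that compares the installed google-guest-agent version against the 20250506.01 threshold the guide names using version ordering rather than a string match, and reports a single word a monitoring job can act on. The rpm query format and the zypper --cve filter are standard; the helper names are this example's own.

```shell
#!/bin/sh
# Added example: decide from the installed google-guest-agent version whether
# the bypass fix is present. FIXED_VERSION is the threshold the guide names.
FIXED_VERSION="20250506.01"

# version_lt A B: succeeds when A sorts strictly before B in version order.
# sort -V handles the date-style 20250506.01 scheme and also 1.2.10 vs 1.2.9,
# which a plain string comparison would get wrong.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# guest_agent_status VERSION [FIXED]: prints "vulnerable" or "patched".
guest_agent_status() {
    if version_lt "$1" "${2:-$FIXED_VERSION}"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Query the live system. Prints "not-installed" when the package (or rpm
# itself) is absent, so the caller always gets exactly one word.
check_live_system() {
    installed="$(rpm -q --qf '%{VERSION}\n' google-guest-agent 2>/dev/null)" || {
        echo not-installed
        return 0
    }
    guest_agent_status "$installed"
}

# Only touch rpm/zypper when explicitly asked, so the functions above can be
# sourced and tested on a machine that is not a SUSE host.
if [ "${1:-}" = "--live" ]; then
    echo "google-guest-agent: $(check_live_system)"
    # Authoritative kernel check: is a patch for this CVE still pending?
    zypper --non-interactive list-patches --cve=CVE-2025-39753
fi
```

Run it as `sh check-guest-agent.sh --live` on the instance; without the flag it only defines the functions, which is what lets the comparison logic be tested offline.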
Automation Script to Apply the Fix for SUSE
This bash script detects your distro, updates the google-guest-agent and kernel packages, and restarts the agent service; the kernel update itself takes effect after a reboot. This script applies the fix for this CVE.
But to learn how to write your own scripts for future CVEs you've never seen, you need the book: Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly.
That book teaches you to build analyzers that catch next week’s zero-day.
Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides, at no extra cost to you.
Universal Fix Script (patch-guest-agent.sh):
#!/bin/bash
# patch-guest-agent.sh
# Detects the distro and applies google-guest-agent + kernel security fixes.
set -e

echo "[+] Checking for google-guest-agent bypass (CVE-2024-45337 style)..."

if [ -f /etc/os-release ]; then
    # Source the file to get $ID (sles, rhel, ubuntu, ...)
    . /etc/os-release
    case "$ID" in
        sles|suse|opensuse-leap)
            echo "[+] SUSE detected. Applying official patch."
            sudo zypper --non-interactive update google-guest-agent kernel-default
            sudo systemctl restart google-guest-agent
            ;;
        rhel|centos|fedora)
            echo "[+] RHEL/CentOS/Fedora detected. Updating via dnf."
            sudo dnf update google-guest-agent kernel -y
            sudo systemctl restart google-guest-agent
            ;;
        ubuntu|debian)
            echo "[+] Debian/Ubuntu detected. Updating via apt."
            sudo apt update && sudo apt install --only-upgrade google-guest-agent linux-image-generic -y
            sudo systemctl restart google-guest-agent
            ;;
        *)
            echo "[-] Unknown distro. Update manually."
            exit 1
            ;;
    esac
else
    echo "[-] Cannot detect OS."
    exit 1
fi

echo "[+] Patch applied. A reboot is recommended for the kernel update."
Alternative Mitigation (If You Can’t Update Now)
Can't reboot? Block the bypass at the network or application level.
Option 1: Block unauthorized SSH forwarding via iptables
The SSH bypass (CVE-2024-45337) abuses PublicKeyCallback. The two rules below rate-limit new outbound SSH connections from the host: every new connection is recorded, and a fourth one within 60 seconds is dropped.
# Record each new outbound SSH connection in the "recent" table
sudo iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -m recent --set
# Drop a new connection when 4 or more have been seen in the last 60 seconds
sudo iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
Option 2: Restrict Google Guest Agent with AppArmor
Save the profile as /etc/apparmor.d/usr.sbin.google_guest_agent. The deny rules use "/**" so that the key files inside each .ssh directory are covered, not just the directory entry itself.
# /etc/apparmor.d/usr.sbin.google_guest_agent
#include <tunables/global>
/usr/sbin/google_guest_agent {
  #include <abstractions/base>
  network inet stream,              # metadata server over HTTP
  network inet6 stream,
  /usr/sbin/google_guest_agent mr,
  /etc/guest-agent/* r,
  /run/google-guest-agent/ rw,
  /run/google-guest-agent/** rw,
  deny /root/.ssh/ r,
  deny /root/.ssh/** r,
  deny /home/*/.ssh/ r,
  deny /home/*/.ssh/** r,
}
Load the profile, start in complain mode (aa-complain from apparmor-utils) and review the logged denials before switching to enforce, since the agent may need paths this minimal profile does not list:
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.google_guest_agent
GCE_METADATA_SCRIPT_RUNNER=false
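Once the AppArmor profile from Option 2 is loaded, the useful signal is the stream of denial events the kernel logs, which tells you both whether the agent is being kept away from .ssh and which other paths it legitimately needs. As an added example (not code from the original guide), the script below parses AppArmor audit lines for a given profile and counts denied accesses under .ssh directories. The log lines in SAMPLE_AUDIT are constructed for this example in the format the kernel writes to dmesg/journal; the helper names are this example's own.

```shell
#!/bin/sh
# Added example: summarise AppArmor denials for the google_guest_agent profile.
# SAMPLE_AUDIT is constructed for this example, not a real capture.
SAMPLE_AUDIT='audit: type=1400 audit(1700000000.101:42): apparmor="DENIED" operation="open" profile="/usr/sbin/google_guest_agent" name="/root/.ssh/authorized_keys" pid=1234 comm="google_guest_ag" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.102:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/google_guest_agent" name="/etc/guest-agent/instance_configs.cfg" pid=1234 comm="google_guest_ag" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.103:44): apparmor="DENIED" operation="open" profile="/usr/sbin/google_guest_agent" name="/home/alice/.ssh/authorized_keys" pid=1234 comm="google_guest_ag" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.104:45): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/shadow" pid=999 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# apparmor_denials PROFILE: reads audit lines on stdin and prints
# "<path> <denied_mask>" for every DENIED event of that profile.
# ALLOWED events (complain mode) are skipped so the output is actionable.
apparmor_denials() {
    awk -v p="profile=\"$1\"" '
        /apparmor="DENIED"/ && index($0, p) {
            path = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                # strip the key= prefix and the surrounding quotes
                if ($i ~ /^name="/)        { path = substr($i, 7, length($i) - 7) }
                if ($i ~ /^denied_mask="/) { mask = substr($i, 14, length($i) - 14) }
            }
            print path, mask
        }'
}

# ssh_key_denial_count PROFILE: number of denied accesses under any .ssh
# directory. "|| true" keeps grep -c from failing the pipeline on a zero count.
ssh_key_denial_count() {
    apparmor_denials "$1" | grep -c '/\.ssh/' || true
}

# Live report from the kernel log (journalctl -k) for the agent's profile.
live_report() {
    journalctl -k --no-pager 2>/dev/null | apparmor_denials /usr/sbin/google_guest_agent
}

if [ "${1:-}" = "--live" ]; then
    live_report
else
    echo "denied .ssh accesses by the agent (sample data):" \
        "$(printf '%s\n' "$SAMPLE_AUDIT" | ssh_key_denial_count /usr/sbin/google_guest_agent)"
    printf '%s\n' "$SAMPLE_AUDIT" | apparmor_denials /usr/sbin/google_guest_agent
fi
```

Run with `--live` on the instance to read the real kernel log; without it the script reports on the constructed sample. Any denied path outside .ssh in the live output is a candidate for an allow rule before the profile goes into enforce mode.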