openssh-cve-checks/2024-6387/check-ubuntu.yml

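---
# Flags Ubuntu hosts whose installed openssh-server build is one of the
# known-vulnerable package versions for CVE-2024-6387 and fails the play on
# those hosts. The test is an exact string match against the per-release lists
# below: a build that is missing from its release's list is reported as NOT
# vulnerable, so the lists must be kept in step with the Ubuntu CVE tracker.
# Hosts without openssh-server installed are reported as not vulnerable.
- name: Check OpenSSH server package version and verify CVE-2024-6387 vulnerability
  hosts: all
  become: true
  # ansible_distribution* facts are required by the per-release checks below.
  gather_facts: true
  vars:
    # Status per release at the time this list was written:
    # bionic Not vulnerable (introduced in v8.5p1)
    # focal Not vulnerable (introduced in v8.5p1)
    # jammy Released (1:8.9p1-3ubuntu0.10)
    # mantic Released (1:9.3p1-1ubuntu3.6)
    # noble Released (1:9.6p1-3ubuntu13.3)
    # trusty Not vulnerable (introduced in v8.5p1)
    # upstream Pending (9.8p1)
    # xenial Not vulnerable (introduced in v8.5p1)
    #
    # Exact dpkg version strings, including the "1:" epoch, as reported by
    # package_facts. Quoted so YAML never reinterprets the leading digit/colon.
    jammy_vulnerable_openssh_versions:
      - "1:8.9p1-3ubuntu0.7"
      - "1:8.9p1-3ubuntu0.6"
      - "1:8.9p1-3ubuntu0.5"
      - "1:8.9p1-3ubuntu0.4"
      - "1:8.9p1-3ubuntu0.3"
      - "1:8.9p1-3ubuntu0.1"
    mantic_vulnerable_openssh_versions:
      - "1:9.3p1-1ubuntu3.3"
      - "1:9.3p1-1ubuntu3.2"
      - "1:9.3p1-1ubuntu3.1"
      - "1:9.3p1-1ubuntu3"
      - "1:9.3p1-1ubuntu2"
      - "1:9.3p1-1ubuntu1"
    noble_vulnerable_openssh_versions:
      - "1:9.6p1-3ubuntu13"
      - "1:9.6p1-3ubuntu12"
      - "1:9.6p1-3ubuntu11"
      - "1:9.6p1-3ubuntu10"
      - "1:9.6p1-3ubuntu9"
      - "1:9.6p1-3ubuntu8"
      - "1:9.6p1-3ubuntu7"
      - "1:9.6p1-3ubuntu6"
      - "1:9.6p1-3ubuntu5"
      - "1:9.6p1-3ubuntu4"
      - "1:9.6p1-3ubuntu3"
      - "1:9.6p1-3ubuntu2"
      - "1:9.6p1-3ubuntu1"

  tasks:
    - name: "Setting default to not vulnerable"
      ansible.builtin.set_fact:
        vulnerable: false

    - name: Gather the package facts
      ansible.builtin.package_facts:
        manager: auto

    # openssh_version is left undefined when the package is absent; every
    # check below guards on "is defined" so such hosts fall through as clean
    # instead of failing on an undefined variable.
    - name: Record the installed openssh-server version
      ansible.builtin.set_fact:
        openssh_version: "{{ ansible_facts.packages['openssh-server'][0].version }}"
      when: "'openssh-server' in ansible_facts.packages"

    - name: "Check whether a package is installed"
      ansible.builtin.debug:
        msg: "{{ ansible_facts.packages['openssh-server'][0].version }}"
      when: "'openssh-server' in ansible_facts.packages"

    - name: "Check distribution"
      ansible.builtin.debug:
        msg: "{{ ansible_distribution }} {{ ansible_distribution_release }} {{ ansible_distribution_version }}"

    # One check per release that has an affected build. bionic, focal, trusty
    # and xenial ship OpenSSH older than 8.5p1 (see the status notes above) and
    # therefore have no list and no task.
    - name: "Package is vulnerable"
      ansible.builtin.set_fact:
        vulnerable: true
      when:
        - ansible_distribution == 'Ubuntu'
        - ansible_distribution_release == 'jammy'
        - openssh_version is defined
        - openssh_version in jammy_vulnerable_openssh_versions

    - name: "Package is vulnerable"
      ansible.builtin.set_fact:
        vulnerable: true
      when:
        - ansible_distribution == 'Ubuntu'
        - ansible_distribution_release == 'mantic'
        - openssh_version is defined
        - openssh_version in mantic_vulnerable_openssh_versions

    - name: "Package is vulnerable"
      ansible.builtin.set_fact:
        vulnerable: true
      when:
        - ansible_distribution == 'Ubuntu'
        - ansible_distribution_release == 'noble'
        - openssh_version is defined
        - openssh_version in noble_vulnerable_openssh_versions

    # Stops the play for this host so the vulnerable state is visible in the
    # play recap rather than only in the task output.
    - name: Fail when the installed openssh-server build is in the vulnerable list
      ansible.builtin.fail:
        msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
      when: vulnerable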