Updated version of the check

2024-07-07 23:09:37 +03:00 · 2024-07-07 23:09:37 +03:00 · ca0f6e4fd0
commit ca0f6e4fd0
parent a9ce0c5dd7
1 changed files with 27 additions and 4 deletions
--- a/2024-6387/check.yml
+++ b/2024-6387/check.yml
@ -38,11 +38,30 @@
    - debug:
        msg: "{{ openssh_version }}"

-    - name: Check if OpenSSH version is affected by CVE-2024-6387
+    - name: "Parse OpenSSH server version"
+      set_fact:
+        openssh_version_number: "{% set ver_num = openssh_version.split('p')[0] | int %}"
+
+    - debug:
+        msg: "{{ openssh_version_number }}"
+
+    - name: "Parse OpenSSH server version"
+      set_fact:
+        openssh_version_suffix: "{% set ver_suffix = openssh_version.split('p')[1] | int %}"
+      when: openssh_version | regex_search('p\d+$')
+
+    - name: "Some task that defines openssh_version_suffix (if needed)"
+      set_fact:
+        openssh_version_suffix: "p0"
+      when: openssh_version_suffix is undefined
+
+    - debug:
+        msg: "{{ openssh_version_suffix }}"
+
+    - name: "Check if OpenSSH version is affected by CVE-2024-6387"
      set_fact:
        is_vulnerable: >
          {% set ver_num = openssh_version.split('p')[0] | int %}
-          {% set ver_suffix = openssh_version.split('p')[1] | int %}
          {% if openssh_version in affected_versions or
                  (ver_num < min_safe_version.split('p')[0] | int) or
                  (ver_num == min_safe_version.split('p')[0] | int and ver_suffix < min_safe_version.split('p')[1] | int) %}
@ -55,3 +74,7 @@
      debug:
        msg: >
          OpenSSH version {{ openssh_version }} is {% if is_vulnerable %} ## vulnerable ## {% else %} not vulnerable {% endif %} to CVE-2024-6387.
+
+    - fail: 
+        msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
+      when: is_vulnerable