1

2024-07-04 21:12:19 +03:00 · 2024-07-04 21:12:19 +03:00 · e08b947761
commit e08b947761
1 changed files with 57 additions and 0 deletions
--- a/2024-6387/check.yml
+++ b/2024-6387/check.yml
@ -0,0 +1,57 @@
+---
+- name: Check OpenSSH server package version and verify CVE-2024-6387 vulnerability
+  hosts: all
+  become: yes
+  gather_facts: yes
+
+  vars:
+    affected_versions:
+      - "8.5p1"
+      - "8.6p1"
+      - "8.7p1"
+      - "8.8p1"
+      - "8.9p1"
+      - "9.0p1"
+      - "9.1p1"
+      - "9.2p1"
+      - "9.3p1"
+      - "9.4p1"
+      - "9.5p1"
+      - "9.6p1"
+      - "9.7p1"
+    min_safe_version: "4.4p1"
+    max_safe_version: "8.4p1"
+
+  tasks:
+    - name: Check OpenSSH server version
+      shell: sshd -V 2>&1 | grep 'OpenSSH' | awk '{print $1 " " $2}'
+      register: openssh_version_output
+      changed_when: false
+
+    - name: Parse OpenSSH server version
+      set_fact:
+        openssh_version: "{{ openssh_version_output.stdout.split()[1].split('_')[1] }}"
+
+    - name: Check if OpenSSH version is affected by CVE-2024-6387
+      set_fact:
+        is_vulnerable: >
+          {% set ver_num = openssh_version.split('p')[0] | int %}
+          {% set ver_suffix = openssh_version.split('p')[1] | int %}
+          {% if openssh_version in affected_versions or
+                (ver_num < min_safe_version.split('p')[0] | int) or
+                (ver_num == min_safe_version.split('p')[0] | int and ver_suffix < min_safe_version.split('p')[1] | int) %}
+            true
+          {% else %}
+            false
+          {% endif %}
+
+    - name: Report OpenSSH version and CVE status
+      debug:
+        msg: >
+          OpenSSH version {{ openssh_version }} is 
+          {% if is_vulnerable %} 
+            vulnerable 
+          {% else %} 
+            not vulnerable 
+          {% endif %} to CVE-2024-6387.
+