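---
# Audit play: read the running OpenSSH server's version string and flag hosts
# whose upstream version falls in the range affected by CVE-2024-6387.
#
# NOTE(review): this is a version-string check only. A distro package that
# backports the fix keeps its upstream version string (the vendor part comes
# after it), so a host flagged here may already be patched; confirm against
# the vendor advisory or package changelog before acting. Conversely, "not
# vulnerable" here only means "outside the upstream affected range".
- name: Check OpenSSH server package version and verify CVE-2024-6387 vulnerability
  hosts: all
  become: true
  gather_facts: true
  vars:
    # Upstream releases known to be affected. The range check in the
    # is_vulnerable task (above max_safe_version, up to the last entry here)
    # also catches point releases whose p-suffix is not 1 and therefore do
    # not appear in this list verbatim.
    affected_versions:
      - "8.5p1"
      - "8.6p1"
      - "8.7p1"
      - "8.8p1"
      - "8.9p1"
      - "9.0p1"
      - "9.1p1"
      - "9.2p1"
      - "9.3p1"
      - "9.4p1"
      - "9.5p1"
      - "9.6p1"
      - "9.7p1"
    # Versions below min_safe_version are affected; versions from
    # min_safe_version up to max_safe_version (inclusive) are not.
    min_safe_version: "4.4p1"
    max_safe_version: "8.4p1"

  tasks:
    - name: Read OpenSSH server version banner
      # sshd prints its version on stderr, hence 2>&1. Builds that do not
      # accept -V print the version in their usage text instead; the grep
      # keeps that line as well. Parsing happens in Ansible (below) rather
      # than with awk, because many builds print "OpenSSH_X.YpZ, OpenSSL ..."
      # and field splitting would keep the trailing comma.
      ansible.builtin.shell: sshd -V 2>&1 | grep 'OpenSSH'
      register: openssh_version_output
      changed_when: false
      # A missing or unsupported sshd is reported with a clear message by the
      # next task instead of an opaque grep exit status here.
      failed_when: false
      # Read-only command: keep the audit usable under --check.
      check_mode: false

    - name: Abort when no OpenSSH version banner was found
      ansible.builtin.fail:
        msg: "Could not determine the OpenSSH server version from: '{{ openssh_version_output.stdout | default('') }}'"
      when: (openssh_version_output.stdout | default('')) is not search('OpenSSH_')

    - name: Show raw version output
      ansible.builtin.debug:
        msg: "{{ openssh_version_output.stdout }}"

    - name: Parse upstream OpenSSH version (e.g. 9.6p1) from the banner
      # Capture group 1 of the regex; the portable "pN" suffix is optional
      # because non-portable builds report only "X.Y".
      ansible.builtin.set_fact:
        openssh_version: "{{ openssh_version_output.stdout | regex_search('OpenSSH_(\\d+\\.\\d+(?:p\\d+)?)', '\\1') | first }}"

    - name: Show parsed version
      ansible.builtin.debug:
        msg: "{{ openssh_version }}"

    - name: Extract the numeric part of the version (X.Y)
      # Kept as a string on purpose: piping "9.6" through the int filter
      # truncates it to 9, which makes every major-version comparison wrong.
      ansible.builtin.set_fact:
        openssh_version_number: "{{ openssh_version.split('p')[0] }}"

    - name: Extract the portable release suffix (N from pN) as an integer
      # A {{ }} expression, not a {% set %} statement: set produces no output,
      # so the fact would otherwise be an empty string.
      ansible.builtin.set_fact:
        openssh_version_suffix: "{{ openssh_version | regex_search('p(\\d+)$', '\\1') | first | int }}"
      when: openssh_version is search('p\d+$')

    - name: Default the portable suffix when the version has none
      # Integer 0 rather than the string "p0" so the fact has one type in
      # both branches.
      ansible.builtin.set_fact:
        openssh_version_suffix: 0
      when: openssh_version_suffix is undefined

    - name: Show portable suffix
      ansible.builtin.debug:
        msg: "{{ openssh_version_suffix }}"

    - name: Decide whether the version is in the CVE-2024-6387 affected range
      # Uses the version test (LooseVersion ordering, "9.6p1" < "9.7p1") on the
      # full version string instead of int-truncated components. The explicit
      # list is kept for readability; the range clause covers the rest.
      ansible.builtin.set_fact:
        is_vulnerable: >-
          {{ openssh_version in affected_versions
             or openssh_version is version(min_safe_version, '<')
             or (openssh_version is version(max_safe_version, '>')
                 and openssh_version is version(affected_versions | last, '<=')) }}

    - name: Report OpenSSH version and CVE status
      # "| bool" guards against the fact arriving as the string "False",
      # which Jinja would otherwise treat as truthy because it is non-empty.
      ansible.builtin.debug:
        msg: >-
          OpenSSH version {{ openssh_version }} is
          {{ '## vulnerable ##' if is_vulnerable | bool else 'not vulnerable' }}
          to CVE-2024-6387.

    - name: Fail when the OpenSSH version is in the affected range
      ansible.builtin.fail:
        msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
      when: is_vulnerable | bool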