openssh-cve-checks/2024-6387/check-ubuntu.yml
2024-07-07 22:58:23 +03:00

97 lines
2.9 KiB
YAML

---
- name: Check OpenSSH server package version and verify CVE-2024-6387 vulnerability
hosts: all
become: yes
gather_facts: yes
vars:
jammy_vulnerable_openssh_versions:
- 1:8.9p1-3ubuntu0.7
- 1:8.9p1-3ubuntu0.6
- 1:8.9p1-3ubuntu0.5
- 1:8.9p1-3ubuntu0.4
- 1:8.9p1-3ubuntu0.3
- 1:8.9p1-3ubuntu0.1
mantic_vulnerable_openssh_versions:
- 1:9.3p1-1ubuntu3.3
- 1:9.3p1-1ubuntu3.2
- 1:9.3p1-1ubuntu3.1
- 1:9.3p1-1ubuntu3
- 1:9.3p1-1ubuntu2
- 1:9.3p1-1ubuntu1
noble_vulnerable_openssh_versions:
- 1:9.6p1-3ubuntu13
- 1:9.6p1-3ubuntu12
- 1:9.6p1-3ubuntu11
- 1:9.6p1-3ubuntu10
- 1:9.6p1-3ubuntu9
- 1:9.6p1-3ubuntu8
- 1:9.6p1-3ubuntu7
- 1:9.6p1-3ubuntu6
- 1:9.6p1-3ubuntu5
- 1:9.6p1-3ubuntu4
- 1:9.6p1-3ubuntu3
- 1:9.6p1-3ubuntu2
- 1:9.6p1-3ubuntu1
# bionic Not vulnerable (introduced in v8.5p1)
# focal Not vulnerable (introduced in v8.5p1)
# jammy Released (1:8.9p1-3ubuntu0.10)
# mantic Released (1:9.3p1-1ubuntu3.6)
# noble Released (1:9.6p1-3ubuntu13.3)
# trusty Not vulnerable (introduced in v8.5p1)
# upstream Pending (9.8p1)
# xenial Not vulnerable (introduced in v8.5p1)
tasks:
- name: "Setting default to not vulnerable"
set_fact:
vulnerable: false
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
- name:
set_fact:
openssh_version: "{{ ansible_facts.packages['openssh-server'][0].version }}"
when: "'openssh-server' in ansible_facts.packages"
- name: "Check whether a package is installed"
debug:
msg: "{{ ansible_facts.packages['openssh-server'][0].version }}"
when: "'openssh-server' in ansible_facts.packages"
- name: "Check distribution"
debug:
msg: "{{ ansible_distribution }} {{ ansible_distribution_release }} {{ ansible_distribution_version }}"
- name: "Package is vulnerable"
debug:
msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
when:
- ansible_distribution in ['Ubuntu'] # Check for Ubuntu or Debian
- ansible_distribution_release == 'bionic'
- openssh_version in bionic_vulnerable_openssh_versions
- name: "Package is vulnerable"
set_fact:
vulnerable: true
when:
- ansible_distribution in ['Ubuntu'] # Check for Ubuntu or Debian
- ansible_distribution_release == 'jammy'
- openssh_version in jammy_vulnerable_openssh_versions
- name: "Package is vulnerable"
set_fact:
vulnerable: true
when:
- ansible_distribution in ['Ubuntu'] # Check for Ubuntu or Debian
- ansible_distribution_release == 'mantic'
- openssh_version in matic_vulnerable_openssh_versions
- fail:
msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
when: vulnerable