NgTech-LTD/openssh-cve-checks
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
openssh-cve-checks/2024-6387/check.yml
Eliezer Croitoru ca0f6e4fd0 Updated version of the check
2024-07-07 23:09:37 +03:00

81 lines
2.3 KiB
YAML
Raw Permalink Blame History

---
- name: Check OpenSSH server package version and verify CVE-2024-6387 vulnerability
hosts: all
become: yes
gather_facts: yes
vars:
affected_versions:
- "8.5p1"
- "8.6p1"
- "8.7p1"
- "8.8p1"
- "8.9p1"
- "9.0p1"
- "9.1p1"
- "9.2p1"
- "9.3p1"
- "9.4p1"
- "9.5p1"
- "9.6p1"
- "9.7p1"
min_safe_version: "4.4p1"
max_safe_version: "8.4p1"
tasks:
- name: Check OpenSSH server version
shell: sshd -V 2>&1 | grep 'OpenSSH' | awk '{print $1 " " $2}'
register: openssh_version_output
changed_when: false
- debug:
msg: "{{ openssh_version_output.stdout }}"
- name: "Parse OpenSSH server version"
set_fact:
openssh_version: "{{ openssh_version_output.stdout.split()[0].split('_')[1] }}"
- debug:
msg: "{{ openssh_version }}"
- name: "Parse OpenSSH server version"
set_fact:
openssh_version_number: "{% set ver_num = openssh_version.split('p')[0] | int %}"
- debug:
msg: "{{ openssh_version_number }}"
- name: "Parse OpenSSH server version"
set_fact:
openssh_version_suffix: "{% set ver_suffix = openssh_version.split('p')[1] | int %}"
when: openssh_version | regex_search('p\d+$')
- name: "Some task that defines openssh_version_suffix (if needed)"
set_fact:
openssh_version_suffix: "p0"
when: openssh_version_suffix is undefined
- debug:
msg: "{{ openssh_version_suffix }}"
- name: "Check if OpenSSH version is affected by CVE-2024-6387"
set_fact:
is_vulnerable: >
{% set ver_num = openssh_version.split('p')[0] | int %}
{% if openssh_version in affected_versions or
(ver_num < min_safe_version.split('p')[0] | int) or
(ver_num == min_safe_version.split('p')[0] | int and ver_suffix < min_safe_version.split('p')[1] | int) %}
true
{% else %}
false
{% endif %}
- name: Report OpenSSH version and CVE status
debug:
msg: >
OpenSSH version {{ openssh_version }} is {% if is_vulnerable %} ## vulnerable ## {% else %} not vulnerable {% endif %} to CVE-2024-6387.
- fail:
msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
when: is_vulnerable
Reference in New Issue View Git Blame Copy Permalink