POC details: a6dfc3a28f80d71e1c6a475c4d689f4829f828f0

Source
Related vulnerability
Title: xz security vulnerability (CVE-2024-3094)
Description: xz is an application used to read and write xz compressed streams. XZ Utils versions 5.6.0 and 5.6.1 contain a security vulnerability that stems from allowing an attacker to embed malicious code.
Description
Ansible playbook for patching CVE-2024-3094
Introduction
# Ansible Playbook for Patching xz-Utils Vulnerability (CVE-2024-3094)

- This document details an Ansible playbook designed to address the critical vulnerability (CVE-2024-3094) identified in xz-Utils versions 5.6.0 and 5.6.1. This vulnerability, classified as a backdoor, grants attackers unauthorized access to affected systems by bypassing SSH authentication.

## Context: xz-Utils Vulnerability (CVE-2024-3094)

- A critical backdoor vulnerability was discovered in xz-Utils versions 5.6.0 and 5.6.1 on March 29, 2024. This vulnerability allows attackers to bypass SSH authentication and gain unauthorized access to affected systems. It is crucial to patch vulnerable systems immediately to mitigate potential security risks.

## Ansible Playbook for Patching

- The provided Ansible playbook addresses this vulnerability by:

    1. Gathering Package Facts: The package_facts module collects information about installed packages, including their versions.
    2. Version Check: The base version of the xz-utils package (the part of the version string before the first '-') is extracted from the gathered facts and printed with a debug module.
    3. Patching Vulnerable Systems: The package module installs a known-safe version (safe_version) of xz-utils if the system's current base version matches one of the vulnerable versions (5.6.0 or 5.6.1).
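The same version check, written as a POSIX shell script that an administrator can run on a single host before or after the playbook. This is an added example and not part of the playbook or the original repository; the sample `xz --version` output is constructed, and the `base_version` helper strips a distro epoch prefix as well as the `-release` suffix that the playbook's `split('-')[0]` removes.

```shell
#!/bin/sh
# Added example (not from the original playbook): decide whether an installed
# xz / liblzma version falls in the CVE-2024-3094 range (5.6.0 and 5.6.1).

VULNERABLE_VERSIONS="5.6.0 5.6.1"

# Print the upstream version: drop a leading "epoch:" and a trailing "-release",
# so "1:5.6.0-2" and "5.6.1-1ubuntu1" become "5.6.0" and "5.6.1".
base_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# Return 0 (true) when the raw version string is one of the backdoored releases.
is_vulnerable_xz() {
    base=$(base_version "$1")
    for v in $VULNERABLE_VERSIONS; do
        [ "$base" = "$v" ] && return 0
    done
    return 1
}

# Pull the version number out of `xz --version` output, whose first line
# has the form "xz (XZ Utils) <version>".
version_from_xz_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Report one host's status; returns 0 when vulnerable, 1 otherwise.
classify_host() {
    if is_vulnerable_xz "$1"; then
        echo "VULNERABLE: xz $1 matches CVE-2024-3094 (5.6.0/5.6.1)"
        return 0
    fi
    echo "ok: xz $1 is not in the affected range"
    return 1
}

# Constructed sample standing in for `xz --version` output on a host.
SAMPLE_XZ_OUTPUT="xz (XZ Utils) 5.6.1
liblzma 5.6.1"

# Demo runs: the constructed sample, a Debian-style package version and an
# epoch-prefixed one; '|| true' keeps the non-vulnerable result from aborting.
classify_host "$(version_from_xz_output "$SAMPLE_XZ_OUTPUT")" || true
classify_host "5.4.5-0.3" || true
classify_host "1:5.6.0-2" || true

# When xz is present on this machine, check its real version as well.
if command -v xz >/dev/null 2>&1; then
    classify_host "$(version_from_xz_output "$(xz --version 2>/dev/null)")" || true
fi
```

The script only reports; remediation stays with the package manager (or the playbook), because the backdoored code lives in liblzma and the fix is moving to a release outside 5.6.0/5.6.1 rather than editing files by hand.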

## Playbook Structure

- The playbook consists of three main YAML files:

1. tasks/main.yaml: This file defines the core tasks of the playbook.
    - It gathers package facts using package_facts.
    - It extracts the base version (the part of the version string before the first '-') and prints it with a debug module.
    - It conditionally installs a safe version (safe_version) using package if the system has a vulnerable version.

    ```yaml
    ---
    - name: Gather package facts
      ansible.builtin.package_facts:
        manager: auto

    # Keep the upstream version (everything before the first '-', i.e. without the
    # distro release suffix) in a fact so later tasks can compare it as a string.
    - name: Extract the base version of {{ package_name }}
      ansible.builtin.set_fact:
        xz_base_version: "{{ ansible_facts.packages[package_name][0].version.split('-')[0] }}"
      when: package_name in ansible_facts.packages

    - name: Print the current version of {{ package_name }}
      ansible.builtin.debug:
        var: xz_base_version
      when: xz_base_version is defined

    # 'name=version' pinning is apt syntax; dnf/yum expect 'name-version'.
    # The pinned version must exist in the host's configured repositories.
    - name: Install safe version of {{ package_name }}
      ansible.builtin.package:
        name: "{{ package_name }}={{ safe_version }}"
        state: present
      when:
        - xz_base_version is defined
        - xz_base_version in [non_safe_version1 | string, non_safe_version2 | string]
    ```

2. defaults/main.yaml: This file defines default variables used throughout the playbook.
    - package_name: Name of the package to be patched (set to xz-utils).
    - non_safe_version1: First vulnerable version (set to 5.6.0).
    - non_safe_version2: Second vulnerable version (set to 5.6.1).
    - safe_version: Known-safe version to install (set to 5.4.6).

    ```yaml
    ---
    package_name: xz-utils
    # Quoted so the versions are always compared as strings.
    non_safe_version1: "5.6.0"
    non_safe_version2: "5.6.1"
    # Must be a version string the host's package manager can resolve
    # (apt may require the full distro version rather than the upstream one).
    safe_version: "5.4.6"
    ```

3. playbook.yaml: This file defines the overall execution flow.
    - It targets a host group named machines.
    - It includes the xz_utils_patch role, whose tasks and defaults are the two files described above.

    ```yaml
    ---
    - name: patch xz-utils
      hosts: machines
      # Installing packages needs root; escalate unless the inventory user already is.
      become: true
      roles:
        - xz_utils_patch
    ```

- By following these steps and deploying this playbook, you can effectively patch the critical xz-Utils vulnerability and secure your systems from potential unauthorized access.
File snapshot

[4.0K] /data/pocs/a6dfc3a28f80d71e1c6a475c4d689f4829f828f0
├── [  78] inventory.ini
├── [  76] playbook.yaml
├── [3.3K] README.md
└── [4.0K] roles
    └── [4.0K] xz_utils_patch
        ├── [4.0K] defaults
        │   └── [ 141] main.yml
        ├── [4.0K] meta
        │   └── [1.5K] main.yml
        └── [4.0K] tasks
            └── [ 507] main.yml

5 directories, 6 files