来源

关联漏洞

描述

An Ansible Playbook to mitigate the risk of RCE (CVE-2024-6387) until platforms update OpenSSH to a non-vulnerable version.

介绍

# CVE-2024-6387 Mitigation Ansible Playbook

An Ansible Playbook to mitigate the risk of the regreSSHion RCE (CVE-2024-6387) vulnerability until platforms update OpenSSH to a non-vulnerable version.

The mitigation applied here is based on the [Mitigation Advice provided by Red Hat](https://access.redhat.com/security/cve/cve-2024-6387).
As noted there:

> Notice the sshd server will still be vulnerable to Denial of Service attacks due to there
> possibility os MaxStartups connection exhaustion, however it'll be safe against possible remote code execution attacks.

You should keep this in mind before applying the mitigation.

# Pre-requisites

- Ansible
- Linux server with OpenSSH Server installed

# Assumptions

- You have a drop-in configuration directory at: `/etc/ssh/sshd_config.d/`
- You are affected by CVE-2024-6387 - see affected package versions [here](https://www.qualys.com/regresshion-cve-2024-6387/).
- `ansible` user set up on target server(s) with sufficient permissions to write in `/etc/ssh/sshd_config.d/`.
  Here, `sudo` permissions are assumed for best compatibility (though this is not necessarily the best approach).

The playbook also includes an alternative step (to replace the drop-in one) which
could be used to apply this patch in-place i.e. in the `/etc/ssh/sshd_config` file itself.

# Usage

```
ansible-playbook ./apply_mitigation.yaml --limit <your host group>
```

# Disclaimer

This Ansible playbook is provided AS IS WITHOUT WARRANTY and WITHOUT ANY LIABILITY.
If you break your SSHd configuration, servers or anything else, I take no responsibility.

Just sharing this to help others.

文件快照

 [4.0K]  /data/pocs/c9d9db31d0cbabe21e617b67d00ae0323f3b4504
├── [1.2K]  apply_mitigation.yaml
├── [ 34K]  LICENSE
└── [1.6K]  README.md

0 directories, 3 files

备注