An Ansible Playbook to mitigate the risk of RCE (CVE-2024-6387) until platforms update OpenSSH to a non-vulnerable version.# CVE-2024-6387 Mitigation Ansible Playbook
An Ansible Playbook to mitigate the risk of the regreSSHion RCE (CVE-2024-6387) vulnerability until platforms update OpenSSH to a non-vulnerable version.
The mitigation applied here is based on the [Mitigation Advice provided by Red Hat](https://access.redhat.com/security/cve/cve-2024-6387).
As noted there:
> Notice the sshd server will still be vulnerable to Denial of Service attacks due to there
> possibility os MaxStartups connection exhaustion, however it'll be safe against possible remote code execution attacks.
You should keep this in mind before applying the mitigation.
# Pre-requisites
- Ansible
- Linux server with OpenSSH Server installed
# Assumptions
- You have a drop-in configuration directory at: `/etc/ssh/sshd_config.d/`
- You are affected by CVE-2024-6387 - see affected package versions [here](https://www.qualys.com/regresshion-cve-2024-6387/).
- `ansible` user set up on target server(s) with sufficient permissions to write in `/etc/ssh/sshd_config.d/`.
Here, `sudo` permissions are assumed for best compatibility (though this is not necessarily the best approach).
The playbook also includes an alternative step (to replace the drop-in one) which
could be used to apply this patch in-place i.e. in the `/etc/ssh/sshd_config` file itself.
# Usage
```
ansible-playbook ./apply_mitigation.yaml --limit <your host group>
```
# Disclaimer
This Ansible playbook is provided AS IS WITHOUT WARRANTY and WITHOUT ANY LIABILITY.
If you break your SSHd configuration, servers or anything else, I take no responsibility.
Just sharing this to help others.
[4.0K] /data/pocs/f6a4ac72f86020372a58e0c23955bad1ac5f861f
├── [1.2K] apply_mitigation.yaml
├── [ 34K] LICENSE
└── [1.6K] README.md
0 directories, 3 files