Pazar, Aralık 22, 2024

CVE-2024-3094 Kontrol Amaçlı Ansible Task

siber güvenlik temalı görsel, siber güvenlik yüksek çözünürlüklü logo

Toplu bütün makinelerde Zafiyet kontrolü yapmak isteyenler için CVE-2024-3094 xz sürüm kontrolü yapan ve çıktı basan ansible taskı

- hosts: all
  tasks:
  - name: Run CVE-2024-3094 vulnerability check script
    shell: |
      set -eu

      echo "Checking system for CVE-2024-3094 Vulnerability..."
      echo "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"

      # find path to liblzma used by sshd
      # adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
      sshd_path=$(whereis -b sshd | awk '{print $2}')
      path=$(ldd "$sshd_path" 2>/dev/null | grep -o '/.*liblzma[^ ]*' | head -1)

      if [ -z "$path" ]; then
          echo
          echo "Probably not vulnerable (liblzma not found)"
          exit
      fi

      # check for function signature
      # adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
      echo
      echo "Checking for function signature in liblzma..."
      if hexdump -ve '1/1 "%.2x"' "$path" | grep -q 'f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'; then
          echo "Function signature in liblzma: VULNERABLE"
      else
          echo "Function signature in liblzma: OK"
      fi

      # check xz version
      echo
      echo "Checking xz version..."
      xz_version=$(xz --version | head -n1 | awk '{print $4}')
      if [[ "$xz_version" == "5.6.0" || "$xz_version" == "5.6.1" ]]; then
          echo "xz version $xz_version: VULNERABLE"
      else
          echo "xz version $xz_version: OK"
      fi
    register: script_output

  - debug:
      var: script_output.stdout_lines
ShellScript