An Ansible Playbook to mitigate the risk of the regreSSHion RCE (CVE-2024-6387) vulnerability until platforms update OpenSSH to a non-vulnerable version.
The mitigation applied here (setting LoginGraceTime to 0, so that the SIGALRM handler at the root of the race is never invoked) is based on the Mitigation Advice provided by Red Hat. As noted there:
Notice the sshd server will still be vulnerable to Denial of Service attacks due to the possibility of MaxStartups connection exhaustion, however it'll be safe against possible remote code execution attacks.
You should keep this in mind before applying the mitigation.
- Ansible
- Linux server with OpenSSH Server installed
- You have a drop-in configuration directory at /etc/ssh/sshd_config.d/ that is actually Included from /etc/ssh/sshd_config (otherwise a drop-in file is never read)
- You are affected by CVE-2024-6387 - see affected package versions here.
- An ansible user set up on the target server(s) with sufficient permissions to write to /etc/ssh/sshd_config.d/ and to restart sshd. Here, sudo permissions are assumed for best compatibility (though full sudo is broader than this task needs, so a narrower grant is preferable where you can manage it).
The playbook also includes an alternative step (to replace the drop-in one) which applies the same mitigation in place, i.e. directly in the /etc/ssh/sshd_config file itself. Whichever variant you use, confirm the effective value afterwards with sshd -T: sshd keeps the first value it reads for a keyword, so a LoginGraceTime line that precedes the Include directive in /etc/ssh/sshd_config silently overrides the drop-in.
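The following playbook is an added example written for this page; it is not the repository's own apply_mitigation.yaml. It implements the Red Hat advice (LoginGraceTime 0) with the drop-in variant by default and the in-place variant behind a flag, validates the file with sshd -t before installing it, and fails the play if the effective configuration reported by sshd -T does not show the new value. The drop-in file name, the variable names (apply_in_place, dropin_path, sshd_service_name) and the default service name sshd are assumptions; on Debian and Ubuntu the service is called ssh.

```yaml
# Added example, not the repository's playbook. Assumptions: the drop-in
# directory is Included by /etc/ssh/sshd_config, sshd lives at /usr/sbin/sshd,
# and the service is named "sshd" (override sshd_service_name with "ssh" on
# Debian/Ubuntu). The file name and variable names below are illustrative.
- name: Mitigate CVE-2024-6387 (regreSSHion) by disabling the login grace timeout
  hosts: all
  become: true
  vars:
    sshd_service_name: sshd
    # true: edit /etc/ssh/sshd_config in place instead of writing a drop-in
    apply_in_place: false
    dropin_path: /etc/ssh/sshd_config.d/00-cve-2024-6387.conf

  tasks:
    - name: Write drop-in that sets LoginGraceTime 0
      ansible.builtin.copy:
        dest: "{{ dropin_path }}"
        owner: root
        group: root
        mode: "0600"
        content: |
          # CVE-2024-6387 mitigation: with no grace timeout the SIGALRM handler
          # that triggers the race never runs. Trade-off: MaxStartups exhaustion DoS.
          LoginGraceTime 0
        # Let sshd parse the candidate file first; a syntax error aborts the copy.
        validate: /usr/sbin/sshd -t -f %s
      when: not apply_in_place
      notify: Restart sshd

    - name: Alternative, set LoginGraceTime 0 in /etc/ssh/sshd_config itself
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Replace an existing (possibly commented) LoginGraceTime line; if there
        # is none, insert at the top so it precedes any Include or Match block.
        regexp: '^\s*#?\s*LoginGraceTime\s'
        line: LoginGraceTime 0
        insertbefore: BOF
        backup: true
        validate: /usr/sbin/sshd -t -f %s
      when: apply_in_place
      notify: Restart sshd

    - name: Read the effective configuration as sshd resolves it from disk
      ansible.builtin.command: /usr/sbin/sshd -T
      changed_when: false
      register: sshd_effective

    # sshd uses the first value it reads for each keyword, so a LoginGraceTime
    # line placed before the Include directive wins over the drop-in. Fail here,
    # before the handler restarts sshd, rather than believe the host is mitigated.
    - name: Fail if the effective LoginGraceTime is not 0
      ansible.builtin.assert:
        that: "'logingracetime 0' in sshd_effective.stdout_lines"
        fail_msg: "LoginGraceTime is still nonzero; check where Include sits in /etc/ssh/sshd_config"

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: "{{ sshd_service_name }}"
        state: restarted
```

Run it the same way as the repository's playbook (ansible-playbook ./this_file.yaml --limit <your host group>), adding -e apply_in_place=true for hosts without a usable drop-in directory. The sshd -T check reads the files on disk, so it is meaningful before the restart handler fires; the running daemon only picks up the new value once the handler has restarted it.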
ansible-playbook ./apply_mitigation.yaml --limit <your host group>
This Ansible playbook is provided AS IS WITHOUT WARRANTY and WITHOUT ANY LIABILITY. If you break your SSHd configuration, servers or anything else, I take no responsibility.
Just sharing this to help others.