Created
January 27, 2021 13:09
-
-
Save humpalum/9a1274e90be8e1e1f9e9bd1bfbb2044b to your computer and use it in GitHub Desktop.
Ansible tasks to check for CVE-2021-3156
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # Ref: https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit | |
| # Simple tasks to check whether a host is vulnarable to CVE-2021-3156 | |
| # Make sure to use the when condition to upgrade the sudo package on the affected systems | |
| - name: Check sudo | |
| shell: sudoedit -s / || /bin/true | |
| register: sudoeditout | |
| become: true | |
| changed_when: false | |
| - name: Print not vulnarable | |
| debug: | |
| msg: "All good for '{{ inventory_hostname }}!'" | |
| when: '"usage: sudoedit" in sudoeditout.stderr' | |
| - name: Print vulnarable | |
| fail: | |
| msg: "'{{inventory_hostname}}' is vulnarable!" | |
| when: '"sudoedit: /:" in sudoeditout.stderr' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment