- This document details an Ansible playbook that addresses the critical vulnerability CVE-2024-3094 in xz-Utils versions 5.6.0 and 5.6.1. The vulnerability is a backdoor that lets attackers bypass SSH authentication and gain unauthorized access to affected systems.
- The backdoor in xz-Utils 5.6.0 and 5.6.1 was disclosed on March 29, 2024. Because it allows SSH authentication to be bypassed, vulnerable systems should be patched immediately to mitigate the risk.
The provided Ansible playbook addresses this vulnerability by:
- Gathering Package Facts: The package_facts module collects information about installed packages, including their versions.
- Version Check: The base version of the xz-utils package (the part before any distribution revision suffix) is extracted from the gathered facts and printed with a debug task.
- Patching Vulnerable Systems: The package module installs a known-safe version (safe_version) of xz-utils when the system's current base version matches one of the vulnerable versions (5.6.0 or 5.6.1).
- The playbook consists of three main YAML files:
tasks/main.yaml: This file defines the core tasks of the playbook.
- It gathers package facts using package_facts.
- It extracts the base version from the facts and prints it using a debug module.
- It conditionally installs a safe version (safe_version) using package if the system has a vulnerable version.
```yaml
---
- name: Gather package facts
  ansible.builtin.package_facts:
    manager: auto

# package_facts exposes its results under ansible_facts.packages. The version string
# can carry a distribution revision (e.g. 5.6.1-1), so keep only the upstream base part.
- name: Extract the base version of {{ package_name }}
  ansible.builtin.set_fact:
    current_version: "{{ ansible_facts.packages[package_name][0].version.split('-')[0] }}"
  when: package_name in ansible_facts.packages

- name: Print the current version of {{ package_name }}
  ansible.builtin.debug:
    var: current_version
  when: current_version is defined

# Moving from 5.6.x to 5.4.6 is a downgrade. On Debian-based hosts this may need the
# apt module's allow_downgrade option, which ansible.builtin.package does not expose.
- name: Install safe version of {{ package_name }}
  ansible.builtin.package:
    name: "{{ package_name }}={{ safe_version }}"
    state: present
  when:
    - current_version is defined
    - current_version in [non_safe_version1, non_safe_version2]
```
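To confirm a host's state before and after running the role, the same base-version check can be done directly on the host. The script below is an added example, not part of the playbook; it assumes Debian-style version strings and that either dpkg-query or the xz binary is available.

```sh
#!/bin/sh
# Host-side check for the xz-utils releases affected by CVE-2024-3094.
# Constructed example, independent of the Ansible role above.

VULNERABLE_VERSIONS="5.6.0 5.6.1"   # same values as non_safe_version1/2 in defaults/main.yaml

# Reduce a packaging version string to its upstream base version:
# drop a Debian epoch ("1:"), the revision ("-1ubuntu0.1"), then any "+" build tag.
xz_base_version() {
    v="$1"
    v="${v#*:}"        # strip epoch prefix, if present
    v="${v%%-*}"       # strip Debian revision
    v="${v%%+*}"       # strip build suffix such as "+dfsg"
    printf '%s\n' "$v"
}

# Return 0 (true) when the base version is one of the backdoored releases.
is_vulnerable_xz() {
    base=$(xz_base_version "$1")
    for bad in $VULNERABLE_VERSIONS; do
        [ "$base" = "$bad" ] && return 0
    done
    return 1
}

# Read the installed version: prefer the package manager's view (the same source
# package_facts uses on Debian-based hosts), else the xz binary's version banner.
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' xz-utils 2>/dev/null && return 0
    fi
    xz --version 2>/dev/null | awk 'NR == 1 { print $NF }'
}

# Classify this host: exit 0 if safe, 1 if vulnerable, 2 if xz-utils is not found.
check_host() {
    ver=$(installed_xz_version)
    [ -n "$ver" ] || { echo "UNKNOWN: xz-utils not found"; return 2; }
    if is_vulnerable_xz "$ver"; then
        echo "VULNERABLE: xz-utils $ver (CVE-2024-3094)"
        return 1
    fi
    echo "OK: xz-utils $ver"
    return 0
}

if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh check_xz.sh --check` on each host; the exit code makes it usable from a fleet-wide loop or a monitoring job.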
defaults/main.yaml: This file defines default variables used throughout the playbook.
- package_name: Name of the package to be patched (set to xz-utils).
- non_safe_version1: First vulnerable version (set to 5.6.0).
- non_safe_version2: Second vulnerable version (set to 5.6.1).
- safe_version: Known-safe version to install (set to 5.4.6).
```yaml
---
package_name: xz-utils
non_safe_version1: 5.6.0
non_safe_version2: 5.6.1
safe_version: 5.4.6
```
playbook.yaml: This file defines the overall execution flow.
- It targets a host group named machines.
- It applies the xz_utils_patch role, whose tasks and defaults are the two files described above.
```yaml
---
- name: patch xz-utils
  hosts: machines
  roles:
    - xz_utils_patch
```
- Deploying this playbook patches the critical xz-Utils vulnerability on every host in the targeted group and removes the backdoor's path to unauthorized access.