CVE-2021-3156 "Baron Samedit" sudo vulnerability - checking hosts
Date: 2021-02-14
Categories:
sudo, CVE-2021-3156, Baron Samedit, security, linux, Ansible
Background
Hopefully you are already certain all Linux systems you maintain have been patched to remediate the recent nasty sudo vulnerability, but sometimes it is nice to do yet another sweep through the environment to verify there are no lingering unpatched hosts.
I wrote a quick Ansible playbook to check if a host is vulnerable or patched.
Ansible Playbook Usage
You can run the playbook like this:
ansible-playbook -K -i test-inventory check-sudo-vuln-CVE-2021-3156.yml -e target=testing
The -K flag (--ask-become-pass) makes Ansible "prompt for the password to use with sudo, if any". If your account has passwordless sudo on the remote servers, you can omit this flag.
The -i flag points Ansible at a particular inventory file. I'm using one called "test-inventory" for purposes of...testing.
The -e flag passes an extra variable; here it defines the variable "target" as being equal to "testing". The "testing" target is a host group defined in the inventory file.
The simple test-inventory file looks like this:
[testing]
host01
host02
Ansible Playbook Output
Running the playbook will produce output similar to:
TASK [Show Vulnerable Hosts] ********************************
skipping: [host01]
ok: [host02] => {
"msg": "VULNERABLE: host02"
}
Any host which is patched will be skipped by the "Show Vulnerable Hosts" task. Any vulnerable host will be logged with the message "VULNERABLE: $hostName".
It would be nicer if vulnerable hosts showed up as something other than "ok", but I have not found a good way to change that in Ansible: the "Show Vulnerable Hosts" task itself succeeded, which is all the "ok" status reflects. As a workaround I tried forcing the task to always fail (failed_when) while ignoring errors (ignore_errors) so the playbook keeps running; that flags the whole task in red, but the output is cluttered with the task's full result dictionary, so I opted not to use that method.
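The post does not reproduce the playbook itself, so here is a playbook added for this page (not the author's own file) that produces the behaviour described above: it runs the non-destructive check from the Qualys advisory, `sudoedit -s /`, on every host in the group named by the `target` variable and reports unpatched hosts with a "VULNERABLE: host" message from a task called "Show Vulnerable Hosts". An unpatched sudo answers that command with "sudoedit: /: not a regular file"; a patched sudo rejects the -s flag and prints its "usage:" text instead. The task names, the `sudoedit_probe` variable and the extra "UNKNOWN" task are this example's own choices; the `target` variable and the `-e target=testing` usage are the page's. No privilege escalation is needed, so the -K prompt is harmless but unnecessary with this version.

```yaml
# check-sudo-vuln-CVE-2021-3156.yml (added example, not the post's own playbook)
#
# Probe from the Qualys advisory: as an unprivileged user, "sudoedit -s /"
#   prints "sudoedit: /: not a regular file" on an UNPATCHED sudo
#   prints "usage: sudoedit ..."             on a PATCHED sudo (-s is rejected)
# Nothing is edited or escalated, so the probe is safe to run on live hosts.
- name: Check hosts for CVE-2021-3156 (Baron Samedit)
  # Group selected with: -e target=testing  (falls back to every host)
  hosts: "{{ target | default('all') }}"
  gather_facts: false
  # The probe must run as a normal user; do not become root here.
  become: false
  tasks:
    - name: Run the sudoedit probe
      command: sudoedit -s /
      register: sudoedit_probe
      changed_when: false
      # Both the vulnerable and the patched case exit non-zero,
      # so the exit code must never be treated as a task failure.
      failed_when: false

    - name: Show Vulnerable Hosts
      debug:
        msg: "VULNERABLE: {{ inventory_hostname }}"
      # Patched hosts simply skip this task, which is what the post's output shows.
      when: (sudoedit_probe.stderr | default('')) is search('not a regular file')
      # To paint vulnerable hosts red instead of "ok" (at the cost of noisier
      # output, as the post notes), add to this task:
      #   failed_when: true
      #   ignore_errors: true

    - name: Flag hosts whose probe output matched neither pattern
      debug:
        msg: "UNKNOWN: {{ inventory_hostname }} ({{ sudoedit_probe.stderr | default('') | trim }})"
      # e.g. sudoedit missing, or an unexpected sudo build; inspect by hand.
      when:
        - (sudoedit_probe.stderr | default('')) is not search('not a regular file')
        - (sudoedit_probe.stderr | default('')) is not search('^usage:')
```

The behavioural probe is preferable to comparing sudo version strings, because distributions backport the fix without bumping the upstream version, so a version check produces false positives on patched hosts. The `default('')` filters keep the `when` expressions from erroring on a host where the command module could not run `sudoedit` at all; such hosts land in the "UNKNOWN" task rather than silently passing.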
Hopefully this is helpful to someone!