CVE-2021-3156 "Baron Samedit" - patching RHEL-7 & RHEL-5 hosts
Date: 2021-02-15
Categories:
sudo, CVE-2021-3156, Baron Samedit, security, linux, Ansible
Background
Yesterday, I posted a simple Ansible playbook to automate the verification of the patch status of hosts against the sudo vulnerability CVE-2021-3156.
In case anyone finds it helpful, I'm sharing my playbook for patching RHEL-5 and RHEL-7 hosts.
In an ideal world there would be no more RHEL-5 hosts, since even the Extended Life Cycle Support for RHEL-5 ended on November 30, 2020. However, I think we can agree that we don't live in an ideal world, unfortunately.
Playbook Usage
Assumptions
The playbook assumes that RHEL-7 hosts can reach their repos normally, but that the RHEL-5 hosts are on a restricted VLAN without internet access, and also that the Ansible control host can reach the internet to fetch packages and push said packages to the RHEL-5 hosts.
Actions
Running the playbook will download the RHEL-5 32-bit & 64-bit rpm packages and PGP keys from the sudo project to the Ansible host. This is idempotent, so you only need to fetch the files once. Note: you should add a line like *.rpm to your .gitignore to avoid checking rpm packages into git.
Next, we have two blocks, each with a when: conditional. The first block executes when the OS is RHEL-7, based on Ansible facts, and simply uses the yum module to ensure the sudo package is at the latest version.
The second block similarly only runs when the host is RHEL-5. It copies the appropriate RPM (based on the system architecture) to the remote host along with the PGP keys. Next, it imports the PGP keys, then does a local install of the sudo rpm, and finally removes all temp files which were copied over.
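The following playbook is an added illustration of the structure described above and is not the author's own playbook. It assumes placeholder package URLs and file names (to be replaced with the real ones published by the sudo project) and a files/ directory next to the playbook as the download cache on the control host:

```yaml
# Added example, not the author's playbook; URLs and file names are placeholders.
- name: Patch sudo against CVE-2021-3156 on RHEL-7 and RHEL-5
  hosts: all
  become: true
  vars:
    sudo_base_url: "https://www.sudo.ws/dist/packages/PLACEHOLDER"
    sudo_pgp_key: "sudo-signing-key.asc"
    sudo_rhel5_rpm:      # keyed by the architecture fact of the target host
      x86_64: "sudo-PLACEHOLDER.el5.x86_64.rpm"
      i686: "sudo-PLACEHOLDER.el5.i386.rpm"
    local_cache: "{{ playbook_dir }}/files"   # add "*.rpm" to .gitignore
  tasks:
    - name: Fetch RHEL-5 RPMs and the PGP key to the control host (idempotent)
      get_url:
        url: "{{ sudo_base_url }}/{{ item }}"
        dest: "{{ local_cache }}/{{ item }}"
      loop: "{{ (sudo_rhel5_rpm.values() | list) + [sudo_pgp_key] }}"
      delegate_to: localhost
      run_once: true
      become: false
    - name: RHEL-7 hosts reach their repos, so yum pulls the fixed sudo
      when: ansible_facts['distribution_major_version'] == "7"
      block:
        - name: Ensure sudo is at the latest version
          yum:
            name: sudo
            state: latest
    - name: RHEL-5 hosts have no repo access, so push and install locally
      when: ansible_facts['distribution_major_version'] == "5"
      vars:
        sudo_rpm: "{{ sudo_rhel5_rpm[ansible_facts['architecture']] }}"
      block:
        - name: Copy the architecture-specific RPM and the PGP key to /tmp
          copy:
            src: "{{ local_cache }}/{{ item }}"
            dest: "/tmp/{{ item }}"
          loop: ["{{ sudo_rpm }}", "{{ sudo_pgp_key }}"]
        - name: Import the key so rpm verifies the package signature on install
          rpm_key:
            key: "/tmp/{{ sudo_pgp_key }}"
            state: present
        - name: Install the local sudo RPM (gpgcheck stays enabled)
          yum:
            name: "/tmp/{{ sudo_rpm }}"
            state: present
        - name: Remove the temp files copied over
          file:
            path: "/tmp/{{ item }}"
            state: absent
          loop: ["{{ sudo_rpm }}", "{{ sudo_pgp_key }}"]
```

The key is imported before the local install on purpose, so yum's signature check stays on and a tampered RPM is rejected rather than installed. The architecture fact on 32-bit hosts may be reported as i686 or i386, so add a key to sudo_rhel5_rpm for whichever value your hosts return.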
If you need to patch RHEL-6 hosts as well, the playbook could easily be extended with a similar pattern.