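---
# CVE-2020-12351 Remediation Playbook v.1.0
# Copyright (c) 2020 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Warning! Be sure to download the latest version of this script from its primary source:
# https://access.redhat.com/security/vulnerabilities/5493631
#
# This playbook will blocklist the affected kernel modules and will attempt to remove
# them if they are loaded. If the playbook is unable to remove them, you will need to
# reboot the affected systems for the module "install ... /bin/true" override to be
# effective.
#
# To use this playbook, set the HOSTS extra var to the name of the hosts or group you
# wish to modify:
#
#   ansible-playbook -e HOSTS=web,mail,ns1 CVE-2020-12351_blacklist_mitigate.yml
#
# If you later wish to undo the changes made by this playbook, simply remove
# /etc/modprobe.d/disable-bluetooth.conf.

- name: Disable bluetooth-related kernel modules
  hosts: "{{HOSTS}}"
  become: true
  vars:
    # Kernel modules of the Bluetooth stack that this mitigation disables.
    # The core `bluetooth` module is listed last; the order is passed as-is to
    # `modprobe -r` below (presumably so dependants are named before it).
    modules:
      - btusb
      - btrtl
      - btintel
      - btbcm
      - bnep
      - bluetooth

  tasks:
    - name: Disable bluetooth kernel modules
      # ansible_distribution_major_version is a string; compare as an integer so
      # two-digit releases are not rejected by a lexicographic '10' >= '7' test.
      when: ansible_distribution_major_version | int >= 7
      block:
        # Make every listed module a no-op for modprobe so it can never be
        # (re)loaded on subsequent boots.
        - name: Blocklisting bluetooth kernel modules
          lineinfile:
            path: /etc/modprobe.d/disable-bluetooth.conf
            line: "install {{ item }} /bin/true"
            owner: root
            group: root
            # Quoted so the YAML parser does not turn the octal mode into an integer.
            mode: "0644"
            state: present
            create: true
          loop: "{{ modules | flatten(levels=1) }}"

        # Stop and disable the bluetooth service if it exists.
        - name: Checking available services
          command: systemctl list-unit-files
          register: servicelist
          changed_when: false
          check_mode: false
          tags:
            - skip_ansible_lint

        - name: Disabling bluetooth service
          systemd:
            name: bluetooth
            state: stopped
            enabled: false
            masked: true
          # regex_search returns None when nothing matches; test that explicitly
          # instead of relying on the truthiness of a string-or-None result.
          when: (servicelist.stdout | default('') | regex_search('bluetooth\.service')) is not none

        # Attempt to unload the modules if any are currently loaded.
        # /proc/modules is space-separated with the module name in field 1; the
        # trailing space in the regex anchors on the whole name rather than a prefix.
        - name: Checking loaded modules
          command: awk '/^({{ modules | join('|') }}) / {print $1}' /proc/modules
          register: loaded_modules
          changed_when: false
          check_mode: false

        # A single modprobe invocation: "-r" is repeated before every module name.
        - name: Attempting to remove loaded modules
          command: modprobe -r {{ loaded_modules.stdout_lines | join(' -r ') }}
          register: modprobe
          ignore_errors: true
          when: loaded_modules.stdout_lines

        # If any module could not be removed, a reboot is necessary. This task only
        # reports that; it does not set a fact or trigger a reboot itself.
        - name: Set reboot fact
          when: modprobe is failed
          debug:
            msg: "Unable to remove all active modules; please reboot."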