Bug 1322925 (CVE-2016-3096)

Summary: CVE-2016-3096 ansible: Code execution vulnerability in lxc_container
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: a.badger, carnil, egolov, karlthered, kevin, sagarun, thomas.moschny
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2017-05-12 07:05:34 UTC
Bug Depends On: 1322926, 1322927

Description Adam Mariš 2016-03-31 17:00:20 UTC
A vulnerability was found in lxc_container, an Ansible module, that allows an attacker to get root inside the container. The problem is in the create_script function, which tries to write to /opt/.lxc-attach-script inside of the container. If the attacker can write to /opt/.lxc-attach-script before that, he can overwrite arbitrary files or execute commands as root.
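
Added example, not part of the original report and not the upstream patch: a Python illustration of why writing a script to a fixed path such as /opt/.lxc-attach-script is unsafe when another user can create that path first, beside a variant that uses `tempfile.mkstemp`. The function names and the constructed symlink scenario are assumptions made for illustration.

```python
import os
import tempfile

SCRIPT_NAME = ".lxc-attach-script"  # file name taken from the report


def write_script_predictable(directory, body):
    """Hypothetical stand-in for the flawed pattern: fixed path, plain open()."""
    path = os.path.join(directory, SCRIPT_NAME)
    with open(path, "w") as fh:  # follows a symlink planted beforehand
        fh.write(body)
    os.chmod(path, 0o700)
    return path


def write_script_safe(directory, body):
    """Hypothetical hardened variant: mkstemp picks a random name and creates
    it with O_CREAT|O_EXCL, so an existing file or symlink is never reused."""
    fd, path = tempfile.mkstemp(prefix="lxc-attach-script-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
        os.fchmod(fh.fileno(), 0o700)  # set mode on the fd, not the path
    return path


def demo():
    """Constructed scenario: a symlink already sits at the fixed path.
    Returns {writer: True if the symlink target was left untouched}."""
    results = {}
    writers = (("predictable", write_script_predictable),
               ("safe", write_script_safe))
    for name, writer in writers:
        with tempfile.TemporaryDirectory() as workdir:
            victim = os.path.join(workdir, "victim.conf")
            with open(victim, "w") as fh:
                fh.write("original\n")
            optdir = os.path.join(workdir, "opt")
            os.mkdir(optdir)
            os.symlink(victim, os.path.join(optdir, SCRIPT_NAME))
            writer(optdir, "#!/bin/sh\necho hello\n")
            with open(victim) as fh:
                results[name] = fh.read() == "original\n"
    return results


if __name__ == "__main__":
    print(demo())
```
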

Comment 1 Adam Mariš 2016-03-31 17:00:33 UTC
Acknowledgments:

Name: Evgeni Golov (Red Hat)

Comment 2 Adam Mariš 2016-03-31 17:01:09 UTC
Created lxc tracking bugs for this issue:

Affects: fedora-all [bug 1322926]
Affects: epel-all [bug 1322927]

Comment 4 Thomas Moschny 2016-04-01 08:08:28 UTC
Wrong component? The problem seems to affect

/usr/lib/python2.7/site-packages/ansible/modules/extras/cloud/lxc/lxc_container.py

which is part of the ansible package.

Could you please check and re-assign.

Comment 5 Adam Mariš 2016-04-01 12:39:42 UTC
(In reply to Thomas Moschny from comment #4)
> Wrong component? The problem seems to affect
> 
> /usr/lib/python2.7/site-packages/ansible/modules/extras/cloud/lxc/lxc_container.py
> 
> which is part of the ansible package.
> 
> Could you please check and re-assign.

You're right, my bad. Thanks for notifying, moving to ansible.

Comment 7 Kevin Fenzi 2016-04-01 22:11:32 UTC
So, currently epel6/7 and fedora 22/23 stable updates have ansible 1.9.4 and ansible1.9-1.9.4. In updates-testing we have 2.0.1.0 for ansible. We don't want to push 2.0.x stable yet, we are waiting for 2.1 upstream to fix some issues many people will hit.

1.9.4 is vulnerable to this issue, but it requires a local user with write access to /opt to exploit it, and that's root only on fedora/epel by default. So, while we are vulnerable it's pretty difficult to exploit.

2.0.x is also vulnerable and more so, since permissions were not set up correctly there.

Currently I think we will look at fixing this in a local 2.0.x patch and pushing that to testing in all the stable branches or in a 2.0.2 if the fix turns out difficult and waiting for 2.1 (due this month) to hopefully push to stable with the fix everywhere.

Comment 8 Toshio Ernie Kuratomi 2016-04-02 08:51:58 UTC
Evgeni's fixes merged upstream.  Will be in upstream releases 1.9.6, 2.0.2, and 2.1.0.

Comment 9 Toshio Ernie Kuratomi 2016-04-04 14:41:03 UTC
@Adam -- there's also an ansible1.9 package in fedora and epel for now (to ease transition to ansible-2.0).  I'm guessing you want to open bugs against that in fedora and epel as well.

Comment 10 Evgeni Golov 2016-04-05 07:34:59 UTC
FWIW, if you are already shipping updates to lxc_container.py, you might consider also including https://github.com/ansible/ansible-modules-extras/commit/6bfd2846f853b9beaeb01da6206d8ffa4abe7a4c

Comment 11 Fedora Update System 2016-04-25 22:21:02 UTC
ansible1.9-1.9.6-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-04-25 23:53:27 UTC
ansible1.9-1.9.6-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-04-30 00:20:29 UTC
ansible-2.0.2.0-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2016-04-30 00:24:31 UTC
ansible-2.0.2.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2016-05-07 12:02:54 UTC
ansible-2.0.2.0-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2016-05-07 14:05:09 UTC
ansible-2.0.2.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2016-05-07 14:33:32 UTC
ansible-2.0.2.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2016-05-15 02:41:54 UTC
ansible1.9-1.9.6-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2016-05-15 03:04:25 UTC
ansible1.9-1.9.6-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.