Bug 1649607 (CVE-2018-16859)

Summary: CVE-2018-16859 ansible: become password logged in plaintext when used with PowerShell on Windows
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: a.badger, abhgupta, ahardin, aos-bugs, apevec, athmanem, bbuckingham, bcourt, bkearney, bleanhar, bmcclain, ccoleman, chrisw, dajohnso, dbaker, dbecker, dblechte, dedgar, dfediuck, dmetzger, dominik.mierzejewski, eedri, eparis, gblomqui, gmccullo, gtanzill, jcammara, jfrey, jgoulding, jhardy, jjoyce, jokerman, jpadman, jprause, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, markmc, maxim, mburns, mchappel, mgoldboi, michal.skrivanek, mmccomas, mmccune, mrike, obarenbo, ohadlevy, rchan, rhos-maint, rjerrido, roliveri, sbonazzo, sclewis, security-response-team, sherold, simaishi, sisharma, slinaber, smunilla, sparks, ssaha, sthangav, tbielawa, tdecacqu, tkuratom, trankin, tvignaud, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ansible-engine 2.5.13, ansible-engine 2.6.10, ansible-engine 2.7.4
Doc Type: If docs needed, set a value
Doc Text:
Execution of Ansible content on Microsoft's Windows platform with PowerShell 5 or higher may disclose sensitive execution details including 'become' passwords, Ansible module arguments, and return values via PowerShell's 'suspicious scriptblock logging' feature, which is enabled by default. The details are logged to the PowerShell Operational log, which is visible to all authenticated users by default.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:42:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1649824, 1652768, 1652769, 1652770, 1652771, 1652772, 1652773, 1652774, 1652775, 1652802, 1652803, 1655758, 1655759, 1655760    
Bug Blocks: 1647641    

Description Sam Fowler 2018-11-14 03:52:17 UTC
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password.

Comment 3 Laura Pardo 2018-11-14 21:18:32 UTC
Acknowledgments:

Name: Igor Turovsky

Comment 5 Joshua Padman 2018-11-15 04:58:38 UTC
OpenShift Enterprise version 3.8 and later use Ansible from the Ansible repository. Notifications and fixes will come from this.

Comment 6 Joshua Padman 2018-11-22 21:48:28 UTC
This issue affects the versions of ansible as shipped with OpenStack. However, this flaw is not known to be exploitable under any supported scenario in OpenStack as it specifically affects Microsoft Windows systems.

Comment 9 Borja Tarraso 2018-11-27 09:38:24 UTC
External References:

https://github.com/ansible/ansible/pull/49142

Comment 10 Richard Maciel Costa 2018-11-30 20:36:14 UTC
Previous description of this flaw was inaccurate. Disregard it and consider the following one:

Execution of Ansible content on Windows platforms with PowerShell 5 or higher may disclose sensitive execution details (including 'become' passwords, Ansible module arguments, and return values) via PowerShell's "suspicious scriptblock logging" feature, which is enabled by default. The details are logged to the PowerShell Operational log, which is visible to all authenticated users by default. Ansible Engine 2.7 and older are believed to be vulnerable.
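
Added example, not part of the original bug report or of Ansible's code: a PowerShell audit for a managed Windows host that covers the two conditions comment 10 describes, namely who can read the PowerShell Operational log and whether warning-level scriptblock events (ID 4104) containing Ansible-related text are already in it. The marker strings and function names are assumptions for illustration, and the SDDL check handles hex access masks only.

```powershell
# Added example: audit a Windows host for the exposure described in this bug.
# Assumptions (not from the bug report): the marker strings below, and that
# the channel's SDDL expresses access rights as hex masks.

$LogName = 'Microsoft-Windows-PowerShell/Operational'
# Hypothetical markers for Ansible-related content; tune for your environment.
$Markers = 'become_password', 'become_user', 'ansible'

function Get-BroadLogReaders {
    # Return allow-ACEs that grant read (0x1) on the channel to broad groups.
    param([string]$Sddl)
    # Authenticated Users, Interactive, Everyone, built-in Users
    $broad = 'AU', 'IU', 'WD', 'BU'
    [regex]::Matches($Sddl, '\(A;[^;]*;0x([0-9A-Fa-f]+);[^;]*;[^;]*;([^)]+)\)') |
        Where-Object {
            ([Convert]::ToInt32($_.Groups[1].Value, 16) -band 0x1) -and
            ($broad -contains $_.Groups[2].Value)
        } |
        ForEach-Object { $_.Value }
}

function Find-SensitiveScriptBlockEvents {
    # Event 4104 at Warning level (3) is what PowerShell 5+ records for
    # script blocks it flags as suspicious, with no logging policy needed.
    param([string[]]$Patterns)
    $filter = @{ LogName = $LogName; Id = 4104; Level = 3 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $text = $evt.Properties[2].Value   # ScriptBlockText field
            $hit  = $Patterns | Where-Object { $text -match [regex]::Escape($_) }
            if ($hit) {
                # Report metadata only; never echo the logged script text.
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    RecordId    = $evt.RecordId
                    Markers     = ($hit -join ',')
                }
            }
        }
}

$sddl = (Get-WinEvent -ListLog $LogName).SecurityDescriptor
"Channel SDDL: $sddl"
"Broad read ACEs: $((Get-BroadLogReaders -Sddl $sddl) -join ' ')"
Find-SensitiveScriptBlockEvents -Patterns $Markers | Format-Table -AutoSize
```

Any record this reports on a host that ran Ansible before the fixed versions means the credentials used in that run should be treated as disclosed and rotated.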

Comment 12 Borja Tarraso 2018-12-03 09:58:11 UTC
This description should be set on the doctext in order to update and correct the CVE description at MITRE. Eric, could you review that?

Comment 17 Eric Christensen 2018-12-03 20:55:41 UTC
In reply to comment #12:
> This description should be set on the doctext in order to update and correct
> the CVE description at MITRE. Eric, could you review that?

Updated.

Comment 18 errata-xmlrpc 2018-12-04 18:26:42 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:3770 https://access.redhat.com/errata/RHSA-2018:3770

Comment 19 errata-xmlrpc 2018-12-04 18:26:58 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2018:3773 https://access.redhat.com/errata/RHSA-2018:3773

Comment 20 errata-xmlrpc 2018-12-04 18:27:30 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2018:3771 https://access.redhat.com/errata/RHSA-2018:3771

Comment 21 errata-xmlrpc 2018-12-04 18:27:39 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:3772 https://access.redhat.com/errata/RHSA-2018:3772

Comment 22 errata-xmlrpc 2018-12-04 18:28:29 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:3772 https://access.redhat.com/errata/RHSA-2018:3772

Comment 24 Richard Maciel Costa 2018-12-04 22:13:33 UTC
Statement:

CloudForms and Satellite 6 are not affected by this issue, since Microsoft Windows is not a supported platform.