Bug 1801735 (CVE-2020-1733)
Summary: | CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | a.badger, amctagga, amoralej, anharris, bniver, dbecker, dmetzger, flucifre, gblomqui, gmainwar, gmccullo, gmeno, gtanzill, hvyas, jcammara, jfrey, jhardy, jjoyce, jlaska, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, maxim, mbenjamin, mburns, mhackett, obarenbo, puebele, rhos-maint, roliveri, sclewis, security-response-team, simaishi, sisharma, slinaber, slong, smallamp, tkuratom, tvignaud, vbellur, vereddy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7 | Doc Type: | If docs needed, set a value |
Doc Text: |
A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-04-22 16:31:48 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1804357, 1804358, 1804359, 1804360, 1805341, 1805342, 1805349, 1805350, 1805351, 1805352, 1805448, 1806420, 1807873, 1814755 | ||
Bug Blocks: | 1801714 |
Description
Borja Tarraso
2020-02-11 14:54:04 UTC
Acknowledgments: Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab) Created ansible tracking bugs for this issue: Affects: epel-all [bug 1805342] Affects: fedora-all [bug 1805341] Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we're no longer fixing "Medium" severity CVEs. Upstream fix: https://github.com/ansible/ansible/issues/67791 Created ansible tracking bugs for this issue: Affects: openstack-rdo [bug 1807873] This issue has been addressed in the following products: Red Hat Ansible Engine 2.9 for RHEL 7 Red Hat Ansible Engine 2.9 for RHEL 8 Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541 This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Red Hat Ansible Engine 2 for RHEL 8 Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542 This issue has been addressed in the following products: Red Hat Ansible Engine 2.8 for RHEL 7 Red Hat Ansible Engine 2.8 for RHEL 8 Via RHSA-2020:1543 https://access.redhat.com/errata/RHSA-2020:1543 This issue has been addressed in the following products: Red Hat Ansible Engine 2.7 for RHEL 7 Via RHSA-2020:1544 https://access.redhat.com/errata/RHSA-2020:1544 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1733 CloudForms 5.11 do not use ansible-tower and 5.10 only using ansible-tower-venv-ansible atm. Mitigation: This issue can be mitigated by mounting the proc filesystem with hidepid=2 option (https://www.kernel.org/doc/Documentation/filesystems/proc.txt). This way only the user used by Ansible will be able to perform the attack as users on the system will be able to access only their processes /proc/$PID/ directories. Also note that mounting proc filesystem with hidepid=2 might require re-mounting it on unpatched kernels, due to a kernel bug (see https://unix.stackexchange.com/questions/584054/why-procfs-mount-option-only-working-on-remount), there will be hidepid=3 in the future (https://patchwork.kernel.org/patch/11310217/). Statement: Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected. Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected. In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package. |