Bug 1801735 (CVE-2020-1733)

Summary: CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive
Product: [Other] Security Response
Reporter: Borja Tarraso <btarraso>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: a.badger, amctagga, amoralej, anharris, bniver, dbecker, dmetzger, flucifre, gblomqui, gmainwar, gmccullo, gmeno, gtanzill, hvyas, jcammara, jfrey, jhardy, jjoyce, jlaska, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, maxim, mbenjamin, mburns, mhackett, obarenbo, puebele, rhos-maint, roliveri, sclewis, security-response-team, simaishi, sisharma, slinaber, slong, smallamp, tkuratom, tvignaud, vbellur, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7
Doc Type: If docs needed, set a value
Doc Text:
A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage of this to gain control of the become user, since the target directory can be recovered by iterating over '/proc/<pid>/cmdline'.
Story Points: ---
Last Closed: 2020-04-22 16:31:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1804357, 1804358, 1804359, 1804360, 1805341, 1805342, 1805349, 1805350, 1805351, 1805352, 1805448, 1806420, 1807873, 1814755
Bug Blocks: 1801714

Description Borja Tarraso 2020-02-11 14:54:04 UTC
When a playbook runs a target on a Linux node with an unprivileged become user, a race condition allows another user on the node to gain control of the become user. In addition, permissions of files owned by the original ssh user on the node can be modified.

When Ansible needs to run a module with become-user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user.
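To make the failure mode in the description concrete, the following shell illustration is added here; it is not Ansible's code and not the upstream fix. It places the quoted "umask 77 && mkdir -p" pattern next to a hardened variant that creates only the final path component without -p (so mkdir fails with EEXIST when anything is already there) and then verifies that the result is the caller's own 0700 directory. The function names weak_mktmp and safe_mktmp are invented for the example, the "planted" directory is a constructed stand-in for a path pre-created by another local user, and "stat -c" assumes GNU coreutils.

```shell
#!/bin/sh
# Added illustration for CVE-2020-1733 (not Ansible's code): the reported
# "umask 77 && mkdir -p" pattern beside a hardened variant.
# Assumes GNU coreutils for "stat -c".

# The pattern from the report: returns success even when $1 already exists
# and belongs to another user, so a pre-planted directory is silently reused.
weak_mktmp() {
    dir="$1"
    ( umask 77 && mkdir -p "$dir" )
}

# Hardened variant (illustrative, not the upstream fix):
#  1. create parents with -p, but the final component WITHOUT -p, so an
#     existing directory or symlink at $dir makes mkdir fail;
#  2. verify afterwards that what we got is our own 0700 directory.
safe_mktmp() {
    dir="$1"
    mkdir -p "$(dirname "$dir")" || return 1
    ( umask 77 && mkdir "$dir" ) || {
        echo "refusing pre-existing path: $dir" >&2
        return 2
    }
    if [ -L "$dir" ] || [ "$(stat -c '%u %a' "$dir")" != "$(id -u) 700" ]; then
        echo "$dir failed owner/mode check" >&2
        return 3
    fi
    return 0
}

# Stand-alone demonstration. A directory planted by another local user is
# simulated (constructed) with a world-writable directory owned by us; no
# second account is needed to show the difference in behaviour.
demo() {
    base=$(mktemp -d)
    mkdir -m 0777 "$base/planted"

    if weak_mktmp "$base/planted"; then
        echo "weak: reused $base/planted unchanged, mode $(stat -c '%a' "$base/planted")"
    fi
    if safe_mktmp "$base/planted" 2>/dev/null; then
        echo "safe: unexpectedly accepted planted path"
    else
        echo "safe: rejected planted path (rc=$?)"
    fi
    if safe_mktmp "$base/fresh"; then
        echo "safe: created $base/fresh, mode $(stat -c '%a' "$base/fresh")"
    fi

    rm -rf "$base"
}

demo
```

Running the script shows weak_mktmp returning 0 while leaving the planted directory at mode 777, whereas safe_mktmp refuses it and only succeeds on a path that did not exist yet. The post-creation owner/mode check is deliberately kept even though mkdir without -p already fails on an existing path: it guards the call site against a later refactor that reintroduces -p.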

Comment 2 Borja Tarraso 2020-02-17 12:58:19 UTC
Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)

Comment 4 Borja Tarraso 2020-02-20 16:53:13 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1805342]
Affects: fedora-all [bug 1805341]

Comment 7 Yadnyawalk Tale 2020-02-20 22:43:53 UTC
Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we're no longer fixing "Medium" severity CVEs.

Comment 12 Borja Tarraso 2020-02-27 10:28:47 UTC
Upstream fix: https://github.com/ansible/ansible/issues/67791

Comment 13 Borja Tarraso 2020-02-27 12:19:26 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1807873]

Comment 17 errata-xmlrpc 2020-04-22 14:09:13 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541

Comment 18 errata-xmlrpc 2020-04-22 14:09:31 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542

Comment 19 errata-xmlrpc 2020-04-22 14:09:49 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2020:1543 https://access.redhat.com/errata/RHSA-2020:1543

Comment 20 errata-xmlrpc 2020-04-22 14:10:07 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2020:1544 https://access.redhat.com/errata/RHSA-2020:1544

Comment 21 Product Security DevOps Team 2020-04-22 16:31:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1733

Comment 22 Yadnyawalk Tale 2020-05-11 09:23:32 UTC
CloudForms 5.11 does not use ansible-tower, and 5.10 is only using ansible-tower-venv-ansible atm.

Comment 23 Borja Tarraso 2020-05-29 14:15:22 UTC
Mitigation:

This issue can be mitigated by mounting the proc filesystem with the hidepid=2 option (https://www.kernel.org/doc/Documentation/filesystems/proc.txt). This way only the user used by Ansible will be able to perform the attack, as users on the system will be able to access only their own processes' /proc/$PID/ directories.

Also note that mounting the proc filesystem with hidepid=2 might require re-mounting it on unpatched kernels, due to a kernel bug (see https://unix.stackexchange.com/questions/584054/why-procfs-mount-option-only-working-on-remount); hidepid=3 will be available in the future (https://patchwork.kernel.org/patch/11310217/).
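As an added example that is not part of the bug report, the following shell function checks whether the hidepid mitigation from the comment above is in effect on a host by reading the proc entry of a mount table. It takes the table as a file argument so it can be pointed at the live /proc/mounts or at a constructed sample; the function name proc_hidepid is invented for the example, and the sample mount lines are constructed, not captured from a real system. It accepts hidepid=2 and above as sufficient, plus the named form "invisible" that newer kernels accept as an alias for 2.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether the /proc mount
# carries the hidepid option recommended as mitigation for CVE-2020-1733.
# Usage: proc_hidepid /proc/mounts        (live system)
#        proc_hidepid some_sample_file    (offline check, as in demo below)

# Prints the hidepid value of the /proc mount found in the given mount table
# ("none" when the option is absent). Returns 0 when the value hides other
# users' /proc/<pid> entries (2, 3, or the named alias "invisible"), else 1.
proc_hidepid() {
    table="$1"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    value=$(awk '$2 == "/proc" && $3 == "proc" {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^hidepid=/) {
                sub(/^hidepid=/, "", opts[i]); print opts[i]; exit
            }
    }' "$table")
    [ -n "$value" ] || value=none
    echo "$value"
    case "$value" in
        2|3|invisible) return 0 ;;
        *)             return 1 ;;
    esac
}

# Offline demonstration with constructed mount tables: one host with the
# mitigation applied and one without. The remount step quoted in the bug
# comment would be:  mount -o remount,hidepid=2 /proc
demo() {
    hardened=$(mktemp)
    plain=$(mktemp)
    printf '%s\n' \
        'sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0' \
        'proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0' > "$hardened"
    printf '%s\n' \
        'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0' \
        'proc /srv/chroot/proc proc rw,hidepid=2 0 0' > "$plain"

    for t in "$hardened" "$plain"; do
        if v=$(proc_hidepid "$t"); then
            echo "$t: hidepid=$v, other users' /proc/<pid> hidden"
        else
            echo "$t: hidepid=$v, mitigation NOT in effect"
        fi
    done
    rm -f "$hardened" "$plain"
}

demo
```

The second constructed table carries hidepid=2 only on a chroot's proc mount, which the check deliberately ignores: the option has to be on the /proc mount the become user's processes are visible through, not on some other procfs instance.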

Comment 24 Summer Long 2021-01-14 04:53:58 UTC
Statement:

Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer-exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.