Bug 1831089 (CVE-2020-10729)

Summary: CVE-2020-10729 Ansible: two random password lookups in same task return same value
Product: [Other] Security Response
Reporter: Borja Tarraso <btarraso>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bcoca, jcammara, jtanner, rtillery, sdoran, tkuratom
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ansible-engine 2.9.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the same value, because the template caching action for the same file means no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-05-05 08:19:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1810827, 1885435
Bug Blocks: 1831074

Description Borja Tarraso 2020-05-04 15:54:13 UTC
Ansible template caching generates identical values when consecutive facts are created from password lookups with the same length. Values should be different, to prevent generating the same passwords for different fields which can be used for different services or configurations, and to avoid exposing all of them at once.
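The failure mode in the description, as an added example that is not part of the original report and is not Ansible's code: a toy renderer whose cache is keyed on the expression text hands two identical password lookups the same value, and `shared_secrets` flags the reuse. `ToyTemplar`, `password_lookup`, `render_task`, `shared_secrets` and the sample task are hypothetical, and skipping the cache for lookup expressions is one way to force re-evaluation, not a claim about how the upstream fix works.

```python
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
LOOKUP_RE = re.compile(r"lookup\('password',\s*'[^']*length=(\d+)[^']*'\)")


def password_lookup(length):
    """Stand-in for a random password lookup: a fresh value on every call."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class ToyTemplar:
    """Hypothetical renderer modelling only the caching behaviour."""
    def __init__(self, cache_lookups):
        self.cache_lookups = cache_lookups
        self._cache = {}

    def render(self, expression):
        match = LOOKUP_RE.search(expression)
        cacheable = self.cache_lookups or match is None
        # Flawed mode: the key is the expression text alone, so an identical
        # second expression is served from the cache and never re-evaluated.
        if cacheable and expression in self._cache:
            return self._cache[expression]
        value = password_lookup(int(match.group(1))) if match else expression
        if cacheable:
            self._cache[expression] = value
        return value


def render_task(templar, task_vars):
    return {name: templar.render(expr) for name, expr in task_vars.items()}


def shared_secrets(rendered):
    """Return groups of variable names that received the same value."""
    by_value = {}
    for name, value in rendered.items():
        by_value.setdefault(value, []).append(name)
    return sorted(sorted(n) for n in by_value.values() if len(n) > 1)


EXPR = "{{ lookup('password', '/dev/null length=20') }}"  # constructed sample
TASK = {"db_password": EXPR, "api_password": EXPR}

print("lookups cached:      ", shared_secrets(render_task(ToyTemplar(True), TASK)))
print("lookups re-evaluated:", shared_secrets(render_task(ToyTemplar(False), TASK)))
```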

Comment 1 Borja Tarraso 2020-05-04 15:55:05 UTC
Upstream fix: https://github.com/ansible/ansible/pull/67429/

Comment 3 Borja Tarraso 2020-05-04 16:33:39 UTC
From a Product Security perspective, this vulnerability could expose a really wide set of services and configurations, depending on end users' usage. The CVSS score could be from non-existent, in case of not using more than one password lookup, to critical if all of them are generated, depending on how many values are generated and where they are used. Later consequences after these values are leaked or guessed somehow could become critical. For this reason we would consider any revert of the current solution a blocker, even if this could affect performance, to avoid exposing end users in worst-case scenarios. Adverse behavioural changes or performance issues must be handled as bugs or enhancements separately.

Comment 4 Borja Tarraso 2020-05-05 02:14:36 UTC
Acknowledgments:

Name: Rihards Olups

Comment 5 Borja Tarraso 2020-05-05 06:21:05 UTC
Fix included in the Ansible 2.9.6 release: https://access.redhat.com/errata/RHBA-2020:0784

Comment 6 Borja Tarraso 2020-05-05 07:37:15 UTC
External References:

https://github.com/ansible/ansible/issues/34144