Bug 1322925 (CVE-2016-3096) - CVE-2016-3096 ansible: Code execution vulnerability in lxc_container
Summary: CVE-2016-3096 ansible: Code execution vulnerability in lxc_container
Status: CLOSED ERRATA
Alias: CVE-2016-3096
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20160331,repo...
Keywords: Security
Depends On: 1322926 1322927
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-03-31 17:00 UTC by Adam Mariš
Modified: 2019-06-08 21:06 UTC (History)
7 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2017-05-12 07:05:34 UTC


Attachments (Terms of Use)

Description Adam Mariš 2016-03-31 17:00:20 UTC
A vulnerability in lxc_container, ansible module, was found allowing to get root inside the container. The problem is in the create_script function, which tries to write to /opt/.lxc-attach-script inside of the container. If the attacker can write to /opt/.lxc-attach-script before that, he can overwrite arbitrary files or execute commands as root.

Comment 1 Adam Mariš 2016-03-31 17:00:33 UTC
Acknowledgments:

Name: Evgeni Golov (Red Hat)

Comment 2 Adam Mariš 2016-03-31 17:01:09 UTC
Created lxc tracking bugs for this issue:

Affects: fedora-all [bug 1322926]
Affects: epel-all [bug 1322927]

Comment 4 Thomas Moschny 2016-04-01 08:08:28 UTC
Wrong component? The problem seems to affect

/usr/lib/python2.7/site-packages/ansible/modules/extras/cloud/lxc/lxc_container.py

which is part of the ansible package.

Could you please check and re-assign.

Comment 5 Adam Mariš 2016-04-01 12:39:42 UTC
(In reply to Thomas Moschny from comment #4)
> Wrong component? The problem seems to affect
> 
> /usr/lib/python2.7/site-packages/ansible/modules/extras/cloud/lxc/
> lxc_container.py
> 
> which is part of the ansible package.
> 
> Could you please check and re-assign.

You're right, my bad. Thanks for notifying, moving to ansible.

Comment 7 Kevin Fenzi 2016-04-01 22:11:32 UTC
So, currently epel6/7 and fedora 22/23 stable updates has ansible 1.9.4 and ansible1.9-1.9.4. In updates-testing we have 2.0.1.0 for ansible. We don't want to push 2.0.x stable yet, we are waiting for 2.1 upstream to fix some issues many people will hit. 

1.9.4 is vulnerable to this issue, but it requires a local user with write to /opt to exploit it, and thats root only on fedora/epel by default. So, while we are vulnerable it's pretty difficult to exploit. 

2.0.x is also vulnerable and more so, since permissions were not setup correctly there.

Currently I think we will look at fixing this in a local 2.0.x patch and pushing that to testing in all the stable branches or in a 2.0.2 if the fix turns out difficult and waiting for 2.1 (due this month) to hopefully push to stable with the fix everywhere.

Comment 8 Toshio Ernie Kuratomi 2016-04-02 08:51:58 UTC
Evgeni's fixes merged upstream.  Will be in upstream releases 1.9.6, 2.0.2, and 2.1.0.

Comment 9 Toshio Ernie Kuratomi 2016-04-04 14:41:03 UTC
@Adam -- there's also an ansible1.9 package in fedora and epel for now (to ease transition to ansible-2.0).  I'm guessing you want to open bugs against that in fedora and epel as well.

Comment 10 Evgeni Golov 2016-04-05 07:34:59 UTC
FWIW, if you are already shipping updates to lxc_container.py, you might consider also including https://github.com/ansible/ansible-modules-extras/commit/6bfd2846f853b9beaeb01da6206d8ffa4abe7a4c

Comment 11 Fedora Update System 2016-04-25 22:21:02 UTC
ansible1.9-1.9.6-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-04-25 23:53:27 UTC
ansible1.9-1.9.6-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-04-30 00:20:29 UTC
ansible-2.0.2.0-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2016-04-30 00:24:31 UTC
ansible-2.0.2.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2016-05-07 12:02:54 UTC
ansible-2.0.2.0-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2016-05-07 14:05:09 UTC
ansible-2.0.2.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2016-05-07 14:33:32 UTC
ansible-2.0.2.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2016-05-15 02:41:54 UTC
ansible1.9-1.9.6-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2016-05-15 03:04:25 UTC
ansible1.9-1.9.6-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.