Bug 1776943 (CVE-2019-14905) - CVE-2019-14905 Ansible: malicious code could craft filename in nxos_file_copy module
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14905
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority), medium (severity)
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1777277 1777278 1777279 1777280 1777691 1777692 1777693 1783064 1783065 1785152 1828837 1828838 1828839
Blocks: 1760304
Reported: 2019-11-26 15:49 UTC by Borja Tarraso
Modified: 2021-02-16 20:58 UTC (History)
CC List: 41 users

Fixed In Version: ansible-engine 2.9.4, ansible-engine 2.8.8, ansible-engine 2.7.16
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Ansible's nxos_file_copy module, which copies files to flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injection. This could result in a loss of confidentiality of the system, among other issues.
Clone Of:
Environment:
Last Closed: 2020-01-23 20:09:31 UTC
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:0215  0        None      None    None     2020-01-23 16:48:43 UTC
Red Hat Product Errata  RHSA-2020:0216  0        None      None    None     2020-01-23 16:48:56 UTC
Red Hat Product Errata  RHSA-2020:0217  0        None      None    None     2020-01-23 16:45:35 UTC
Red Hat Product Errata  RHSA-2020:0218  0        None      None    None     2020-01-23 16:49:08 UTC

Description Borja Tarraso 2019-11-26 15:49:36 UTC
A vulnerability has been found in the nxos_file_copy Ansible module. Filenames are used to perform actions that copy files to a flash or bootflash on NXOS devices. However, nxos_file_copy takes a remote_file parameter which is used for the destination. Malicious code could craft the filename parameter to take advantage of this by performing an OS command injection.
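
The description above and the Doc Text field both describe the same flaw class: a caller-controlled filename is dropped verbatim into a command string. The following is an added illustration of that pattern next to a hardened form; it is not the nxos_file_copy source and not the fix from the linked PR. The command shape (`copy <source><name> <file_system><name>`), the function names, and the filename allowlist are assumptions made for the example, and the sample inputs are constructed.

```python
"""Added example for this bug: the vulnerable pattern (an untrusted filename
interpolated straight into a command string) next to a hardened form.
This is NOT the nxos_file_copy source or the fix in the linked PR; the
command shape, function names and the allowlist below are assumptions."""
import re

# Vulnerable pattern: whatever the caller passes as remote_file lands verbatim
# in the command string, whether that string goes to the device CLI or to a
# local shell on the controller.
def build_copy_command_vulnerable(remote_file, file_system="bootflash:",
                                  source="scp://backup/"):
    return "copy {src}{name} {fs}{name}".format(
        src=source, name=remote_file, fs=file_system)

# Hardened form: accept only a conservative flash filename before it is used.
# Assumed allowlist: one or more '/'-separated segments, each starting with an
# alphanumeric and containing only [A-Za-z0-9._-]; no absolute paths, no
# empty or '..' segments, 255-character cap.
_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def validate_flash_filename(name):
    """Return name unchanged if it is acceptable, else raise ValueError."""
    if not isinstance(name, str) or not name or len(name) > 255:
        raise ValueError("filename must be a non-empty string of <= 255 chars")
    if name.startswith("/"):
        raise ValueError("absolute paths are not allowed: %r" % name)
    for segment in name.split("/"):
        # '' catches 'a//b' and a trailing '/', '..' catches traversal; the
        # fullmatch rejects whitespace, ';', '|', newlines and any other
        # shell or CLI metacharacter, including a trailing newline.
        if segment in ("", "..") or not _SEGMENT.fullmatch(segment):
            raise ValueError("disallowed path segment %r in %r" % (segment, name))
    return name

def build_copy_command_hardened(remote_file, file_system="bootflash:",
                                source="scp://backup/"):
    name = validate_flash_filename(remote_file)
    return "copy {src}{name} {fs}{name}".format(
        src=source, name=name, fs=file_system)

def is_safe_flash_filename(name):
    """Boolean wrapper around validate_flash_filename for the demo and tests."""
    try:
        validate_flash_filename(name)
        return True
    except ValueError:
        return False

# Constructed sample inputs: benign names and injection attempts.
SAMPLE_NAMES = [
    "nxos.9.3.1.bin",
    "images/nxos.9.3.1.bin",
    "nxos.bin; show running-config",   # command separator
    "nxos.bin\nshow running-config",   # newline ends the first command early
    "../bootflash/nxos.bin",           # traversal
    "/nxos.bin",                       # absolute path
    "nxos.bin | more",                 # pipe
]

def classify(names=SAMPLE_NAMES):
    """Map each name to 'accepted' or 'rejected' under the hardened builder."""
    return {n: ("accepted" if is_safe_flash_filename(n) else "rejected")
            for n in names}

if __name__ == "__main__":
    for name, verdict in classify().items():
        print("%-36r %s" % (name, verdict))
    # The vulnerable builder passes an injected separator straight through.
    print(build_copy_command_vulnerable("nxos.bin; show running-config"))
```

The point of the allowlist is that it is positive (what a flash filename may look like) rather than a denylist of metacharacters, so a character the author did not think of (a newline, a backtick, a Unicode space) is rejected by default rather than passed through.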

Comment 1 Borja Tarraso 2019-11-26 15:49:38 UTC
Acknowledgments:

Name: Abhijeet Kasurde (Red Hat)

Comment 4 Borja Tarraso 2019-11-28 05:49:51 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1777693]
Affects: fedora-all [bug 1777692]
Affects: openstack-rdo [bug 1777691]

Comment 7 Abhijeet Kasurde 2019-12-02 07:22:41 UTC
Adding Ganesh Nalawade who is fixing this issue.

Comment 13 Hardik Vyas 2019-12-19 09:41:07 UTC
Gluster and Ceph no longer maintain ansible, and the plan is to use it from the ansible repository. But we still ship ansible separately in ceph ubuntu.

Comment 16 bulletins-coordon 2020-01-02 11:40:22 UTC
Hi Red Hat Team.

Happy new year ^_^

Could you please recheck 2.9.2?

We think Ansible 2.9.2 is also vulnerable. We checked the source files of 2.9.2, and the related commit [1] was not embedded.

Ansible 2.8.8 and 2.7.16 are not released yet [2], so we can't check.

Regards, 

Wilfried
CERT Orange Cyberdefense

[1] https://github.com/ansible/ansible/pull/65846/commits/254d8032520b712a27eef0f907e911545d593604
[2] https://github.com/ansible/ansible/releases

Comment 18 Borja Tarraso 2020-01-02 13:20:28 UTC
Hi Wilfried,

Many thanks for the report. Indeed you are right, 2.9.2 is still vulnerable. The fix was being readied for the 2.9.2 release. However, for some reason the PR was blocked. I have updated and corrected that information and contacted the engineer to ask whether there are any estimates or technical details regarding the fix.

Regards,
Borja
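
The exchange above shows why "is my ansible-engine fixed?" has to be answered per branch: 2.9.2 and 2.9.3 are below the 2.9 fix while 2.8.8 is at the 2.8 fix. The following is an added check, not Red Hat tooling, that compares a version string against the values in this bug's Fixed In Version field (2.9.4, 2.8.8, 2.7.16). How it treats branches other than 2.7, 2.8 and 2.9 is an assumption stated in the code, and the sample versions are constructed.

```python
"""Added check for this bug: is an installed ansible-engine below the
fixed versions listed in 'Fixed In Version' (2.9.4, 2.8.8, 2.7.16)?
Not Red Hat tooling. How branches other than 2.7/2.8/2.9 are treated
is an assumption stated in the comments below."""
import re

# Fixed-in versions per maintained branch, taken from this bug's
# 'Fixed In Version' field.
FIXED_IN = {
    (2, 7): (2, 7, 16),
    (2, 8): (2, 8, 8),
    (2, 9): (2, 9, 4),
}

def parse_version(text):
    """Extract the first X.Y.Z from a string such as '2.9.2', 'ansible 2.9.2'
    or the full output of `ansible --version` (the version is on line 1)."""
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no X.Y.Z version found in %r" % text)
    return tuple(int(part) for part in match.groups())

def is_affected(version_text):
    """True if the version is below the fix for its branch."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    if branch < (2, 7):
        # Assumption: branches older than 2.7 never received this fix, in line
        # with the statement on this bug that previous versions are affected.
        return True
    # Assumption: branches newer than 2.9 (2.10 and later) were cut after the
    # fix landed and therefore contain it.
    return False

# Constructed sample: the first line `ansible --version` prints, plus bare
# version strings.
SAMPLE_VERSIONS = [
    "ansible 2.9.2", "ansible 2.9.3", "ansible 2.9.4",
    "2.8.7", "2.8.8", "2.7.15", "2.7.16", "2.6.20", "2.10.0",
]

def report(versions=SAMPLE_VERSIONS):
    """Map each version string to True (affected) or False (fixed)."""
    return {v: is_affected(v) for v in versions}

if __name__ == "__main__":
    for version, affected in report().items():
        print("%-16s %s" % (version, "AFFECTED" if affected else "fixed"))
```

Feed it the first line of `ansible --version` from each controller; the comparison is done on the numeric tuple, so 2.9.10 sorts after 2.9.4 as it should, which a plain string comparison would get wrong.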

Comment 20 Nick Tait 2020-01-08 20:13:06 UTC
Mitigation:

There is no mitigation for this issue, the flaw can only be resolved by applying updates.

Comment 21 errata-xmlrpc 2020-01-23 16:45:33 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2020:0217 https://access.redhat.com/errata/RHSA-2020:0217

Comment 22 errata-xmlrpc 2020-01-23 16:48:41 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:0215 https://access.redhat.com/errata/RHSA-2020:0215

Comment 23 errata-xmlrpc 2020-01-23 16:48:55 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2020:0216 https://access.redhat.com/errata/RHSA-2020:0216

Comment 24 errata-xmlrpc 2020-01-23 16:49:06 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:0218 https://access.redhat.com/errata/RHSA-2020:0218

Comment 25 Product Security DevOps Team 2020-01-23 20:09:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14905

Comment 33 Yadnyawalk Tale 2020-04-22 10:25:28 UTC
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship `ansible` package, it is provided by the official Ansible repository.

Comment 35 Summer Long 2021-01-18 01:10:27 UTC
Statement:

Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.

Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 no longer maintain their own version of Ansible. Therefore this fix will be consumed directly from core Ansible.

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.

