Bug 1801735 (CVE-2020-1733) - CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1733
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1806420 1814755 1804357 1804358 1804359 1804360 1805341 1805342 1805349 1805350 1805351 1805352 1805448 1807873
Blocks: 1801714
Reported: 2020-02-11 14:54 UTC by Borja Tarraso
Modified: 2020-05-29 14:15 UTC
CC List: 37 users

Fixed In Version: ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7
Doc Type: If docs needed, set a value
Doc Text:
A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. A local attacker could take advantage of this to gain control of the become user, since the name of the target directory can be recovered by iterating over '/proc/<pid>/cmdline'.
Clone Of:
Environment:
Last Closed: 2020-04-22 16:31:48 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2150 None None None 2020-05-14 11:25:02 UTC
Red Hat Product Errata RHBA-2020:2251 None None None 2020-05-21 19:04:59 UTC
Red Hat Product Errata RHSA-2020:1541 None None None 2020-04-22 14:09:15 UTC
Red Hat Product Errata RHSA-2020:1542 None None None 2020-04-22 14:09:33 UTC
Red Hat Product Errata RHSA-2020:1543 None None None 2020-04-22 14:09:51 UTC
Red Hat Product Errata RHSA-2020:1544 None None None 2020-04-22 14:10:09 UTC

Description Borja Tarraso 2020-02-11 14:54:04 UTC
When a playbook runs a target on a Linux node with an unprivileged become user, a race condition allows another user on the node to gain control of the become user. In addition, permissions of files owned by the original ssh user on the node can be modified.

When Ansible needs to run a module with become-user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user.
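The directory-creation pattern quoted above, as an added example that is not Ansible's own code or its upstream fix: a POSIX shell script that places the report's `umask 77 && mkdir -p` step beside a creation step that refuses a pre-existing (or symlinked) leaf directory and then verifies that the leaf is owned by the caller with mode 0700. The function names, the `stat`-based ownership check and the temporary paths are my own assumptions; the actual upstream change is in the issue linked in comment 12.

```shell
#!/bin/sh
# Added example (not Ansible's code): contrasts the vulnerable temporary
# directory creation from the report with a variant that rejects a directory
# that already exists.

# Pattern from the report: "umask 77 && mkdir -p <dir>". mkdir -p returns
# success even when <dir> already exists, regardless of who owns it, so a
# directory planted in advance by another local user is silently accepted.
unsafe_mkdir() {
    ( umask 77 && mkdir -p "$1" )
}

# Hardened variant (assumed, for illustration): the parent may still be created
# with -p because only the leaf receives sensitive files, but the leaf is
# created with plain mkdir, which fails with EEXIST if anything (directory or
# symlink) already occupies that name. Ownership and mode of the leaf are then
# verified before reporting success.
safe_mkdir() {
    dir=$1
    parent=$(dirname "$dir")
    ( umask 77 && mkdir -p "$parent" && mkdir "$dir" ) 2>/dev/null || return 1

    # GNU stat first, BSD stat as fallback.
    owner=$(stat -c '%u' "$dir" 2>/dev/null || stat -f '%u' "$dir") || return 1
    perms=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir") || return 1

    [ "$owner" = "$(id -u)" ] || return 1   # leaf must belong to us
    [ "$perms" = "700" ] || return 1        # and be private (umask 77 applied)
}
```

Run both functions against a path whose leaf directory already exists: `unsafe_mkdir` returns 0 and would go on to write module files into a directory it does not own, while `safe_mkdir` returns 1 at the `mkdir` step. On a fresh path both succeed and the leaf ends up mode 0700 owned by the caller.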

Comment 2 Borja Tarraso 2020-02-17 12:58:19 UTC
Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)

Comment 4 Borja Tarraso 2020-02-20 16:53:13 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1805342]
Affects: fedora-all [bug 1805341]

Comment 7 Yadnyawalk Tale 2020-02-20 22:43:53 UTC
Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we're no longer fixing "Medium" severity CVEs.

Comment 12 Borja Tarraso 2020-02-27 10:28:47 UTC
Upstream fix: https://github.com/ansible/ansible/issues/67791

Comment 13 Borja Tarraso 2020-02-27 12:19:26 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1807873]

Comment 16 Borja Tarraso 2020-03-27 07:22:21 UTC
Statement:

Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

Comment 17 errata-xmlrpc 2020-04-22 14:09:13 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541

Comment 18 errata-xmlrpc 2020-04-22 14:09:31 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542

Comment 19 errata-xmlrpc 2020-04-22 14:09:49 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2020:1543 https://access.redhat.com/errata/RHSA-2020:1543

Comment 20 errata-xmlrpc 2020-04-22 14:10:07 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2020:1544 https://access.redhat.com/errata/RHSA-2020:1544

Comment 21 Product Security DevOps Team 2020-04-22 16:31:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1733

Comment 22 Yadnyawalk Tale 2020-05-11 09:23:32 UTC
CloudForms 5.11 does not use ansible-tower, and 5.10 is only using ansible-tower-venv-ansible atm.

Comment 23 Borja Tarraso 2020-05-29 14:15:22 UTC
Mitigation:

This issue can be mitigated by mounting the proc filesystem with the hidepid=2 option (https://www.kernel.org/doc/Documentation/filesystems/proc.txt). This way only the user used by Ansible will be able to perform the attack, as users on the system will be able to access only their own processes' /proc/$PID/ directories.

Also note that mounting the proc filesystem with hidepid=2 might require re-mounting it on unpatched kernels, due to a kernel bug (see https://unix.stackexchange.com/questions/584054/why-procfs-mount-option-only-working-on-remount). There will be hidepid=3 in the future (https://patchwork.kernel.org/patch/11310217/).
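A check for the mitigation named in this comment, as an added example that is not part of the bug report: a POSIX shell function that reads the mount table and reports the effective hidepid value of /proc, plus a wrapper that returns success only when other users' process directories are hidden. It takes the mount table path as an argument (default /proc/mounts) so it can be run against a constructed copy; accepting the spelling `hidepid=invisible` alongside `2` reflects the option name used by newer kernels and is my own addition, not something the comment states.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that /proc is mounted with
# hidepid so that /proc/<pid>/cmdline of other users' processes is not readable.
#
# Mitigated fstab entry (as given in the comment, hidepid=2):
#   proc  /proc  proc  defaults,hidepid=2  0  0
# Weak (default) mount, which leaves every /proc/<pid>/cmdline world-readable:
#   proc  /proc  proc  defaults            0  0

# Print the hidepid value of the /proc mount ("0" when the option is absent,
# "unmounted" when no proc mount is listed). $1 is the mount table to read;
# it defaults to the live /proc/mounts. If /proc appears several times, the
# last entry (the effective one) wins.
proc_hidepid() {
    mounts=${1:-/proc/mounts}
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk '$2 == "/proc" && $3 == "proc" {
            found = 1; val = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^hidepid=/) val = substr(opts[i], 9)
         }
         END { print (found ? val : "unmounted") }' "$mounts"
}

# Return 0 when the mitigation is in place (hidepid=2, or its newer alias
# "invisible"), 1 otherwise. Remember the caveat from the comment: on some
# kernels the option only takes effect after a remount, so check the live
# table rather than fstab.
proc_hidepid_ok() {
    case "$(proc_hidepid "$1")" in
        2|invisible) return 0 ;;
        *)           return 1 ;;
    esac
}
```

Usage on a live host is `proc_hidepid_ok && echo mitigated || echo exposed`; the test below feeds the functions two constructed mount-table lines, one without and one with the option.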

