Bug 1802164 (CVE-2020-1738) - CVE-2020-1738 ansible: module package can be selected by the ansible facts
Summary: CVE-2020-1738 ansible: module package can be selected by the ansible facts
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-1738
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1808326 1814778 1804383 1804384 1804386 1804387 1805325 1805326 1805372 1805373 1805374 1805375 1805512 1807878
Blocks: 1801714
Reported: 2020-02-12 13:54 UTC by Borja Tarraso
Modified: 2020-07-06 09:30 UTC

Fixed In Version: ansible-engine 2.9.7
Doc Text:
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file.
Clone Of:
Environment:
Last Closed: 2020-05-27 13:36:28 UTC


Description Borja Tarraso 2020-02-12 13:54:01 UTC
When the module package or service is used and the parameter 'use' is not specified, the module that will be sent to the node is selected by the ansible_fact.

If a previous task is executed with a malicious user, the module sent can be selected by the attacker.

Additionally, if Ansible collections are installed the attacker can send the module name to send a reverse shell in temp folder to the node as a binary module.

Comment 2 Borja Tarraso 2020-02-17 12:57:05 UTC
Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)

Comment 4 Salvatore Bonaccorso 2020-02-19 07:18:36 UTC
Borja, is there any upstream reference for this ansible issue?

Comment 5 Borja Tarraso 2020-02-20 16:43:59 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1805326]
Affects: fedora-all [bug 1805325]

Comment 6 Borja Tarraso 2020-02-20 17:01:53 UTC
Hey Salvatore, I am working to provide additional information regarding this issue; more details as you requested, affected versions as well as upstream links in case we already have. Prioritising this for now, I will get back to you asap.

In reply to comment #4:
> Borja, is there any upstream reference for this ansible issue?

Comment 9 Yadnyawalk Tale 2020-02-20 22:45:00 UTC
Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we're no longer fixing "Low" severity CVEs.

Comment 13 Borja Tarraso 2020-02-27 10:21:40 UTC
Upstream fix: https://github.com/ansible/ansible/issues/67796

Comment 14 Borja Tarraso 2020-02-27 12:19:34 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1807878]

Comment 16 Hardik Vyas 2020-03-18 16:21:10 UTC
Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintain their own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.

Comment 18 Borja Tarraso 2020-03-27 07:26:59 UTC
Statement:

Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

Comment 19 Borja Tarraso 2020-03-27 07:27:02 UTC
Mitigation:

Specify the parameter 'use' when possible on the package and service modules. Avoid using Ansible Collections on Ansible 2.8.9 or 2.7.16 (and any of the previous versions) as they are not rejecting python with no path (already fixed in 2.9.x).
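
One way to audit playbooks for the first mitigation above, as an added example that is not part of this bug report or of Ansible: it lists `package` and `service` tasks that leave `use` unset, so the backend module would be chosen from facts. The function names and sample tasks are hypothetical, and the input is assumed to be the list of dicts a YAML loader returns for a task file; `use: auto` is treated as unset because `auto` is the default for both modules.

```python
# Added example: flag package/service tasks that leave 'use' to fact-based selection.
# Input is the list-of-dicts structure a YAML loader returns for a task file.
import shlex

TARGETS = {"package", "service", "ansible.builtin.package", "ansible.builtin.service"}
NESTED = ("block", "rescue", "always")


def _params(value):
    """Normalise module arguments: dict form or 'key=value ...' short form."""
    if isinstance(value, dict):
        return dict(value)
    if isinstance(value, str):
        return dict(tok.split("=", 1) for tok in shlex.split(value) if "=" in tok)
    return {}


def unpinned_tasks(tasks, path=""):
    """Return (task name or location, module) where 'use' is missing or 'auto'."""
    findings = []
    for i, task in enumerate(tasks or []):
        if not isinstance(task, dict):
            continue
        where = f"{path}[{i}]"
        for key in NESTED:  # recurse into block / rescue / always sections
            if isinstance(task.get(key), list):
                findings += unpinned_tasks(task[key], f"{where}.{key}")
        for module in TARGETS.intersection(task):
            params = _params(task[module])
            params.update(_params(task.get("args")))  # task-level 'args:' also sets parameters
            # 'auto' is the module default, so it is the same as not setting 'use'
            if str(params.get("use", "auto")).strip().lower() == "auto":
                findings.append((task.get("name", where), module))
    return findings


# Constructed sample, equivalent to what a YAML loader would return for a task file.
SAMPLE_TASKS = [
    {"name": "install httpd", "package": {"name": "httpd", "state": "present"}},
    {"name": "install git", "package": {"name": "git", "use": "yum"}},
    {"name": "start sshd", "service": "name=sshd state=started"},
    {"name": "restart chronyd", "service": "name=chronyd state=restarted use=systemd"},
    {"name": "pinned through args", "package": "name=vim", "args": {"use": "dnf"}},
    {"name": "grouped", "block": [
        {"name": "enable nginx", "ansible.builtin.service": {"name": "nginx", "enabled": True}},
    ]},
]

if __name__ == "__main__":
    for name, module in unpinned_tasks(SAMPLE_TASKS):
        print(f"{name}: '{module}' has no explicit 'use'")
```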

Comment 20 Yadnyawalk Tale 2020-05-11 09:46:30 UTC
CloudForms 5.11 does not use ansible-tower and 5.10 is only using ansible-tower-venv-ansible atm.

