Bug 1802193 (CVE-2020-1740) - CVE-2020-1740 ansible: secrets readable after ansible-vault edit
Summary: CVE-2020-1740 ansible: secrets readable after ansible-vault edit
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1740
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1804369 1804370 1804371 1804372 1805318 1805319 1805381 1805382 1805383 1805384 1805522 1807389 1807880 1814786
Blocks: 1801714
Reported: 2020-02-12 14:52 UTC by Borja Tarraso
Modified: 2021-02-16 20:35 UTC (History)

Fixed In Version: ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible Engine when Ansible Vault is used to edit encrypted files. When a user runs "ansible-vault edit", another user on the same host can read both the old and the new secret. The editor's temporary file is created with mkstemp, which yields a file readable only by its owner, but the returned file descriptor is closed immediately and the write_data method is then called to write the existing, decrypted secret to that path. write_data deletes the file and recreates it with a plain open(), so the new file takes its permissions from the process umask (typically 0644) rather than the restrictive mode mkstemp set, and the plaintext written by both Ansible and the editor is readable by other local users.
Clone Of:
Environment:
Last Closed: 2020-04-22 16:32:05 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2150 0 None None None 2020-05-14 11:25:11 UTC
Red Hat Product Errata RHBA-2020:2251 0 None None None 2020-05-21 19:05:05 UTC
Red Hat Product Errata RHSA-2020:1541 0 None None None 2020-04-22 14:09:21 UTC
Red Hat Product Errata RHSA-2020:1542 0 None None None 2020-04-22 14:09:39 UTC
Red Hat Product Errata RHSA-2020:1543 0 None None None 2020-04-22 14:10:03 UTC
Red Hat Product Errata RHSA-2020:1544 0 None None None 2020-04-22 14:10:16 UTC

Description Borja Tarraso 2020-02-12 14:52:01 UTC
When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as a temporary file is created with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely.
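
The sequence described in the report, reproduced as an added example that is not Ansible's code: the function names (vulnerable_edit_tempfile, safe_edit_tempfile, file_mode, others_can_read, demo) and the sample secret are assumptions made for this demonstration. The vulnerable variant closes the mkstemp descriptor, removes the file and recreates it with open(), so the mode comes from the umask; the hardened variant writes through the descriptor mkstemp returned and never recreates the inode, so the 0600 mode survives. The umask is set explicitly inside each function so the result does not depend on the caller's shell.

```python
"""Temp-file handling behind CVE-2020-1740: flawed pattern beside a safe one.

Added example, not code from ansible-vault. All function names and the
sample secret are assumptions for this demonstration.
"""
import os
import stat
import tempfile


def file_mode(path):
    """Return the permission bits of path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def others_can_read(path):
    """True if the 'other' read bit is set, i.e. any local user can read the file."""
    return bool(file_mode(path) & stat.S_IROTH)


def vulnerable_edit_tempfile(plaintext, directory, umask=0o022):
    """Flawed sequence: mkstemp, close fd, delete, recreate with open().

    mkstemp() creates the file with mode 0600, but once the descriptor is
    closed and the file is unlinked, open() creates a fresh inode whose mode
    is governed by the umask (0644 with the common 022), exposing the
    decrypted secret to every local user.
    """
    old_umask = os.umask(umask)
    try:
        fd, tmp_path = tempfile.mkstemp(suffix=".yml", dir=directory)
        os.close(fd)                      # 0600 descriptor discarded
        if os.path.isfile(tmp_path):
            os.remove(tmp_path)           # file deleted ...
        with open(tmp_path, "wb") as fh:  # ... and recreated under the umask
            fh.write(plaintext)
    finally:
        os.umask(old_umask)
    return tmp_path


def safe_edit_tempfile(plaintext, directory, umask=0o022):
    """Hardened variant: write through the descriptor mkstemp returned.

    The inode created with mode 0600 is reused, never unlinked and
    recreated, so the umask plays no part in the resulting permissions.
    """
    old_umask = os.umask(umask)
    try:
        fd, tmp_path = tempfile.mkstemp(suffix=".yml", dir=directory)
        with os.fdopen(fd, "wb") as fh:   # fdopen owns fd and closes it
            fh.write(plaintext)
    finally:
        os.umask(old_umask)
    return tmp_path


def demo():
    """Run both variants in a scratch directory and report the modes."""
    secret = b"db_password: hunter2\n"   # constructed sample secret
    with tempfile.TemporaryDirectory() as d:
        bad = vulnerable_edit_tempfile(secret, d)
        good = safe_edit_tempfile(secret, d)
        return {
            "vulnerable_mode": file_mode(bad),
            "vulnerable_world_readable": others_can_read(bad),
            "safe_mode": file_mode(good),
            "safe_world_readable": others_can_read(good),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Running demo() shows the flawed path producing a 0644 file and the hardened path a 0600 file. On a shared host, a quick check for exposure is the mode of files left in the Ansible local temp directory while an edit session is open; and the fixed versions listed above (2.7.17, 2.8.11, 2.9.7) are the ones to compare against the output of ansible --version.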

Comment 2 Borja Tarraso 2020-02-17 12:59:16 UTC
Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)

Comment 4 Salvatore Bonaccorso 2020-02-19 07:15:06 UTC
Is there any further information on this issue? Is the issue reported upstream, which versions are affected?

Comment 5 Borja Tarraso 2020-02-20 16:38:55 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1805319]
Affects: fedora-all [bug 1805318]

Comment 6 Borja Tarraso 2020-02-20 17:01:26 UTC
Hey Salvatore, I am working to provide additional information regarding this issue; more details as you requested, affected versions as well as upstream links in case we already have. Prioritising this for now, I will get back to you asap.

In reply to comment #4:
> Is there any further information on this issue? Is the issue reported
> upstream, which versions are affected?

Comment 9 Yadnyawalk Tale 2020-02-20 22:45:14 UTC
Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we're no longer fixing "Low" severity CVEs.

Comment 12 Borja Tarraso 2020-02-25 15:04:53 UTC
Mitigation:

Currently, there is no mitigation for this issue except avoiding the 'edit' option of the 'ansible-vault' command line tool.

Comment 15 Borja Tarraso 2020-02-27 10:18:03 UTC
Upstream fix: https://github.com/ansible/ansible/issues/67798

Comment 16 Borja Tarraso 2020-02-27 12:19:37 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1807880]

Comment 17 Hardik Vyas 2020-03-18 16:28:10 UTC
Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintain their own versions of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.

Comment 20 errata-xmlrpc 2020-04-22 14:09:19 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541

Comment 21 errata-xmlrpc 2020-04-22 14:09:37 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542

Comment 22 errata-xmlrpc 2020-04-22 14:10:01 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2020:1543 https://access.redhat.com/errata/RHSA-2020:1543

Comment 23 errata-xmlrpc 2020-04-22 14:10:14 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2020:1544 https://access.redhat.com/errata/RHSA-2020:1544

Comment 24 Product Security DevOps Team 2020-04-22 16:32:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1740

Comment 25 Yadnyawalk Tale 2020-05-11 09:46:55 UTC
CloudForms 5.11 does not use ansible-tower and 5.10 is only using ansible-tower-venv-ansible atm.

Comment 26 Summer Long 2021-01-14 05:03:43 UTC
Statement:

Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.

