1831089 – (CVE-2020-10729) CVE-2020-10729 Ansible: two random password lookups in same task return same value

Bug 1831089 (CVE-2020-10729) - CVE-2020-10729 Ansible: two random password lookups in same task return same value

Summary: CVE-2020-10729 Ansible: two random password lookups in same task return same ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-10729
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Red Hat1810827 Red Hat1885435
Blocks:	Embargoed1831074
TreeView+	depends on / blocked

Reported:	2020-05-04 15:54 UTC by Borja Tarraso
Modified:	2021-02-16 20:07 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ansible-engine 2.9.6
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file.
Clone Of:
Environment:
Last Closed:	2020-05-05 08:19:23 UTC

Attachments	(Terms of Use)

Description Borja Tarraso 2020-05-04 15:54:13 UTC

Ansible template caching generates identical values when consecutive facts are created from password lookup with same length. Values should be different to prevent generate same passwords for different fields which can be used for different services or configurations and avoid exposing all of them at once.

Comment 1 Borja Tarraso 2020-05-04 15:55:05 UTC

Upstream fix: https://github.com/ansible/ansible/pull/67429/

Comment 3 Borja Tarraso 2020-05-04 16:33:39 UTC

From Product Security perspective this vulnerability could expose a really wide set of services and configurations depending of end users usage. CVSS score could be from non-existing in case of not using more than one look up password to critical if all of them are generated, so depending of how many values are generated and where they are used. Later consequences after these values are leaked or guessed somehow could become critical. For this is reason we would consider a blocker any revert of the current solution even if this could affect performance, to avoid exposing end users in worst cases scenarios. Adverse behavioural changes or performance issues must be taken as bugs or enhancements separately.

Comment 4 Borja Tarraso 2020-05-05 02:14:36 UTC

Acknowledgments:

Name: Rihards Olups

Comment 5 Borja Tarraso 2020-05-05 06:21:05 UTC

Fix included in the Ansible 2.9.6 release: https://access.redhat.com/errata/RHBA-2020:0784

Comment 6 Borja Tarraso 2020-05-05 07:37:15 UTC

External References:

https://github.com/ansible/ansible/issues/34144

Note You need to log in before you can comment on or make changes to this bug.