Bug 1856785 (CVE-2020-14327) - CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential
Summary: CVE-2020-14327 Tower: SSRF: Server Side Request Forgery on Credential
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14327
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Red Hat1856788 Red Hat1856789
Blocks: Embargoed1856713
TreeView+ depends on / blocked
 
Reported: 2020-07-14 13:18 UTC by Borja Tarraso
Modified: 2021-02-16 19:41 UTC (History)
7 users (show)

Fixed In Version: ansible_tower 3.6.5, ansible_tower 3.7.2
Doc Type: If docs needed, set a value
Doc Text:
A Server-side request forgery (SSRF) flaw was found in Tower. Functionality on the Tower server is abused by supplying a URL that could lead to the server processing it. This flaw leads to the connection to internal services or the exposure of additional internal services by abusing the test feature of lookup credentials to forge HTTP/HTTPS requests from the server and retrieving the results of the response.
Clone Of:
Environment:
Last Closed: 2020-08-05 19:27:43 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3328 0 None None None 2020-08-05 14:46:53 UTC
Red Hat Product Errata RHSA-2020:3329 0 None None None 2020-08-05 14:47:19 UTC

Description Borja Tarraso 2020-07-14 13:18:26 UTC 
For a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or a modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.

In this case, any logged user can abuse of the test feature to forge HTTP/HTTPS requests from the awx server and get directly the result on the response. By default, the connector made a POST request to /authn/<account>/<username> authenticate to check the credential configuration. By using a malicious Apache server (with mod_rewrite), it is possible to generate any GET/POST (307 redirection) requests on the internal network. In addition, the POST request body can be managed by the user by using the api_key parameter and the proxy defined in the application setting was not taken in account.
Comment 1 Borja Tarraso 2020-07-14 13:18:29 UTC 
Statement:

Ansible Tower 3.7.1 and 3.6.4 as well as previous versions are affected.
Comment 4 Borja Tarraso 2020-07-20 08:14:37 UTC 
Acknowledgments:

Name: Maxime ESCOURBIAC (Michelin CERT team)
Comment 5 errata-xmlrpc 2020-08-05 14:46:51 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.7 for RHEL 7

Via RHSA-2020:3328 https://access.redhat.com/errata/RHSA-2020:3328
Comment 6 errata-xmlrpc 2020-08-05 14:47:16 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.6 for RHEL 7

Via RHSA-2020:3329 https://access.redhat.com/errata/RHSA-2020:3329
Comment 7 Product Security DevOps Team 2020-08-05 19:27:43 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14327
Note You need to log in before you can comment on or make changes to this bug.