Bug 1914774 (CVE-2021-20178) - CVE-2021-20178 ansible: user data leak in snmp_facts module
Summary: CVE-2021-20178 ansible: user data leak in snmp_facts module
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20178
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1914806 1914807 1914808 1917287 1917330 1917331 1917332 1917333 1917334 1962577
Blocks: 1913193 1942838
TreeView+ depends on / blocked
 
Reported: 2021-01-11 08:19 UTC by Tapas Jena
Modified: 2024-02-14 15:16 UTC (History)
36 users (show)

Fixed In Version: ansible 2.9.18
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ansible. The 'authkey' and 'privkey' credentials are disclosed by default and not protected by no_log feature when using the snmp_facts module. Attackers could take advantage of this information to steal the SNMP credentials. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-02-24 19:02:24 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0663 0 None None None 2021-02-24 17:46:15 UTC
Red Hat Product Errata RHSA-2021:0664 0 None None None 2021-02-24 17:46:58 UTC

Description Tapas Jena 2021-01-11 08:19:29 UTC 
snmp_facts module in Ansible leaks user authentication such as authKey and privKey. This could lead in disclosing those credentials for every user which has access to the output of playbook execution.
Comment 1 Tapas Jena 2021-01-11 08:19:34 UTC 
Acknowledgments:

Name: Abhijeet Kasurde (Red Hat)
Comment 5 Salvatore Bonaccorso 2021-01-12 06:35:57 UTC 
Hi

Is there a upstream issue reference for this issue?

Regards,
Salvatore
Comment 6 Tapas Jena 2021-01-12 10:15:09 UTC 
Hi,
Please refer the below for upstream reference for this issue.
https://github.com/ansible-collections/community.general/pull/1621 

Kind Regards,
Tapas J
Comment 7 Salvatore Bonaccorso 2021-01-12 16:12:06 UTC 
Hi Tapas,

Thank you.

Regards,
Salvatore
Comment 8 Borja Tarraso 2021-01-18 09:11:15 UTC 
Created ansible tracking bugs for this issue:

Affects: fedora-all [bug 1917287]
Comment 9 Tapas Jena 2021-01-18 10:09:58 UTC 
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1917330]
Comment 10 Tapas Jena 2021-01-18 10:14:38 UTC 
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1917331]
Comment 16 errata-xmlrpc 2021-02-24 17:46:11 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:0663 https://access.redhat.com/errata/RHSA-2021:0663
Comment 17 errata-xmlrpc 2021-02-24 17:46:55 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:0664 https://access.redhat.com/errata/RHSA-2021:0664
Comment 18 Product Security DevOps Team 2021-02-24 19:02:24 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20178
Comment 19 Hardik Vyas 2021-03-29 14:22:11 UTC 
Statement:

The version of ansible shipped with Red Hat Gluster Storage (RHGS) 3 includes the vulnerable snmp module. However, RHGS 3 no longer maintains its own version of Ansible, prerequisite is to enable ansible repository in order to consume the latest version of ansible which has many bug and security fixes.
Comment 20 errata-xmlrpc 2021-04-06 13:20:42 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 1.2 for RHEL 7

Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079
Comment 23 David Busby 2021-06-01 11:59:55 UTC 
Please note the filing of CVE-2020-20178 links to this BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1914774), (see: https://nvd.nist.gov/vuln/detail/CVE-2020-20178) 

However there is no mention of OpenLDAP issue being affected in this BZ despite the CVE filing noting the OpenLDAP issue "A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP’s slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability." 

Instead should the CVE filing note this BZ link: https://bugzilla.redhat.com/show_bug.cgi?id=1928774 and https://bugzilla.redhat.com/show_bug.cgi?id=1899675 instead of https://bugzilla.redhat.com/show_bug.cgi?id=1914774 ?
Comment 24 errata-xmlrpc 2021-06-01 13:23:33 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8

Via RHSA-2021:2180 https://access.redhat.com/errata/RHSA-2021:2180
Note You need to log in before you can comment on or make changes to this bug.