Bug 1649607 (CVE-2018-16859) - CVE-2018-16859 ansible: become password logged in plaintext when used with PowerShell on Windows
Summary: CVE-2018-16859 ansible: become password logged in plaintext when used with Po...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-16859
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1649824 1652768 1652769 1652770 1652771 1652772 1652773 1652774 1652775 1652802 1652803 1655758 1655759 1655760
Blocks: 1647641
TreeView+ depends on / blocked
 
Reported: 2018-11-14 03:52 UTC by Sam Fowler
Modified: 2021-02-16 22:46 UTC (History)
73 users (show)

Fixed In Version: ansible-engine 2.5.13, ansible-engine 2.6.10, ansible-engine 2.7.4
Doc Type: If docs needed, set a value
Doc Text:
Execution of Ansible content on Microsoft's Windows platform with Powershell 5 or higher may disclose sensitive execution details including 'become' passwords, Ansible module arguments, and return values via Powershell's 'suspicious scriptblock logging' feature, which is enabled by default. The details are logged to the Powershell Operational log, which is visible to all authenticated users by default.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:42:38 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3770 0 None None None 2018-12-04 18:27:00 UTC
Red Hat Product Errata RHSA-2018:3771 0 None None None 2018-12-04 18:27:53 UTC
Red Hat Product Errata RHSA-2018:3772 0 None None None 2018-12-04 18:28:53 UTC
Red Hat Product Errata RHSA-2018:3773 0 None None None 2018-12-04 18:27:17 UTC

Description Sam Fowler 2018-11-14 03:52:17 UTC 
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password.
Comment 3 Laura Pardo 2018-11-14 21:18:32 UTC 
Acknowledgments:

Name: Igor Turovsky
Comment 5 Joshua Padman 2018-11-15 04:58:38 UTC 
OpenShift Enterprise version 3.8 and later use Ansible from the Ansible repository. Notifications and fixes will come from this.
Comment 6 Joshua Padman 2018-11-22 21:48:28 UTC 
This issue affects the versions of ansible as shipped with OpenStack. However, this flaw is not known to be exploitable under any supported scenario in OpenStack as it specifically affects Microsoft Windows systems.
Comment 9 Borja Tarraso 2018-11-27 09:38:24 UTC 
External References:

https://github.com/ansible/ansible/pull/49142
Comment 10 Richard Maciel Costa 2018-11-30 20:36:14 UTC 
Previous description of this flaw was inaccurate. Disregard it and consider the following one:

Execution of Ansible content on Windows platforms with Powershell 5 or higher may disclose sensitive execution details (including 'become' passwords, Ansible module arguments, and return values) via Powershell's "suspicious scriptblock logging" feature, which is enabled by default. The details are logged to the Powershell Operational log, which is visible to all authenticated users by default. Ansible Engine 2.7 and older are believed to be vulnerable.
Comment 12 Borja Tarraso 2018-12-03 09:58:11 UTC 
This description should set on the doctext in order to update and correct the CVE description at mitre. Eric, could you review that?
Comment 17 Eric Christensen 2018-12-03 20:55:41 UTC 
In reply to comment #12:
> This description should set on the doctext in order to update and correct
> the CVE description at mitre. Eric, could you review that?

Updated.
Comment 18 errata-xmlrpc 2018-12-04 18:26:42 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:3770 https://access.redhat.com/errata/RHSA-2018:3770
Comment 19 errata-xmlrpc 2018-12-04 18:26:58 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2018:3773 https://access.redhat.com/errata/RHSA-2018:3773
Comment 20 errata-xmlrpc 2018-12-04 18:27:30 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2018:3771 https://access.redhat.com/errata/RHSA-2018:3771
Comment 21 errata-xmlrpc 2018-12-04 18:27:39 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:3772 https://access.redhat.com/errata/RHSA-2018:3772
Comment 22 errata-xmlrpc 2018-12-04 18:28:29 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:3772 https://access.redhat.com/errata/RHSA-2018:3772
Comment 24 Richard Maciel Costa 2018-12-04 22:13:33 UTC 
Statement:

CloudForms and Satellite 6 are not affected by this issue, since Microsoft Windows is not a supported platform.
Note You need to log in before you can comment on or make changes to this bug.