Bug 1831089 (CVE-2020-10729) - CVE-2020-10729 Ansible: two random password lookups in same task return same value
Summary: CVE-2020-10729 Ansible: two random password lookups in same task return same ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10729
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1810827 1885435
Blocks: 1831074
TreeView+ depends on / blocked
 
Reported: 2020-05-04 15:54 UTC by Borja Tarraso
Modified: 2021-02-16 20:07 UTC (History)
6 users (show)

Fixed In Version: ansible-engine 2.9.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file.
Clone Of:
Environment:
Last Closed: 2020-05-05 08:19:23 UTC


Attachments (Terms of Use)

Description Borja Tarraso 2020-05-04 15:54:13 UTC
Ansible template caching generates identical values when consecutive facts are created from password lookup with same length. Values should be different to prevent generate same passwords for different fields which can be used for different services or configurations and avoid exposing all of them at once.

Comment 1 Borja Tarraso 2020-05-04 15:55:05 UTC
Upstream fix: https://github.com/ansible/ansible/pull/67429/

Comment 3 Borja Tarraso 2020-05-04 16:33:39 UTC
From Product Security perspective this vulnerability could expose a really wide set of services and configurations depending of end users usage. CVSS score could be from non-existing in case of not using more than one look up password to critical if all of them are generated, so depending of how many values are generated and where they are used. Later consequences after these values are leaked or guessed somehow could become critical. For this is reason we would consider a blocker any revert of the current solution even if this could affect performance, to avoid exposing end users in worst cases scenarios. Adverse behavioural changes or performance issues must be taken as bugs or enhancements separately.

Comment 4 Borja Tarraso 2020-05-05 02:14:36 UTC
Acknowledgments:

Name: Rihards Olups

Comment 5 Borja Tarraso 2020-05-05 06:21:05 UTC
Fix included in the Ansible 2.9.6 release: https://access.redhat.com/errata/RHBA-2020:0784

Comment 6 Borja Tarraso 2020-05-05 07:37:15 UTC
External References:

https://github.com/ansible/ansible/issues/34144


Note You need to log in before you can comment on or make changes to this bug.