Bug 1801804 (CVE-2020-1734) - CVE-2020-1734 ansible: shell enabled by default in a pipe lookup plugin subprocess
Status: CLOSED WONTFIX
Alias: CVE-2020-1734
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1804361 1804362 1804363 1804364 1805338 1805339 1805354 1805355 1805356 1805357 1805471 1807372 1807874 1814763
Blocks: 1801714
Reported: 2020-02-11 16:29 UTC by Borja Tarraso
Modified: 2021-02-16 20:35 UTC

Doc Text:
A flaw was found in the pipe lookup plugin of Ansible. The plugin calls subprocess.Popen() with shell=True, so arbitrary commands can be run by overwriting Ansible facts when the variable is not escaped by the quote plugin. An attacker could take advantage of this and run arbitrary commands by overwriting the Ansible facts.
Last Closed: 2020-05-27 13:45:06 UTC


Description Borja Tarraso 2020-02-11 16:29:58 UTC
The pipe lookup plugin uses subprocess.Popen() with shell=True. This can be used to run arbitrary commands by overwriting ansible facts and the variable is not escaped by quote plugin.

Comment 2 Borja Tarraso 2020-02-17 12:58:07 UTC
Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)

Comment 4 Borja Tarraso 2020-02-20 16:51:53 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1805339]
Affects: fedora-all [bug 1805338]

Comment 5 Borja Tarraso 2020-02-20 17:04:05 UTC
Working to provide additional information regarding this issue; more details as you requested, affected versions as well as upstream links in case we already have. Prioritising this for now.

Comment 7 Borja Tarraso 2020-02-20 18:07:38 UTC
This was already reported (see https://github.com/ansible/ansible/issues/6550) but not fixed. The suggested correction is to use shell=False by default and add an argument to set it to True if needed. This issue seems to affect all supported versions.

Comment 9 Yadnyawalk Tale 2020-02-20 22:44:03 UTC
Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we're no longer fixing "Medium" severity CVEs.

Comment 12 Borja Tarraso 2020-02-25 13:58:18 UTC
Mitigation:

This issue can be avoided by escaping variables which are used in the lookup.
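
The mitigation above and the shell=False correction suggested in comment 7, side by side, as an added example that is not part of the bug report or Ansible's own code. The names `pipe_shell`, `pipe_noshell` and `FACT` are hypothetical, the fact value is constructed, and `shlex.quote` is assumed here to stand in for the quoting the comment refers to:

```python
import shlex
import subprocess


def pipe_shell(term):
    """Pattern described in the bug: the whole string is handed to /bin/sh."""
    proc = subprocess.Popen(term, shell=True, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL)
    out, _ = proc.communicate()
    return out.decode().rstrip("\n")


def pipe_noshell(term):
    """Suggested correction: shell=False, the string is split into argv."""
    proc = subprocess.Popen(shlex.split(term), shell=False,
                            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    out, _ = proc.communicate()
    return out.decode().rstrip("\n")


# Constructed sample: a fact whose value has been overwritten with shell syntax.
FACT = "web01; echo INJECTED"


def compare():
    """Run the same lookup term three ways and return each output."""
    return {
        # Unescaped variable + shell=True: ';' ends the first command and
        # the shell runs the second one.
        "shell_unquoted": pipe_shell("echo host=" + FACT),
        # Mitigation: the variable is quoted before reaching the shell,
        # so it stays a single argument.
        "shell_quoted": pipe_shell("echo host=" + shlex.quote(FACT)),
        # shell=False: no shell parses ';', so it is just text passed to echo.
        "noshell_unquoted": pipe_noshell("echo host=" + FACT),
    }


if __name__ == "__main__":
    for name, output in compare().items():
        print(f"{name}: {output!r}")
```

Only the first case produces a second line of output, which is the extra command running; in the other two the metacharacters come back as literal text.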

Comment 14 Borja Tarraso 2020-02-27 10:27:19 UTC
Upstream fix: https://github.com/ansible/ansible/issues/67792

Comment 15 Borja Tarraso 2020-02-27 12:19:26 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1807874]

Comment 16 Hardik Vyas 2020-03-18 16:03:28 UTC
Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintain their own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.

Comment 19 Yadnyawalk Tale 2020-05-11 09:35:29 UTC
CloudForms 5.11 does not use ansible-tower and 5.10 is only using ansible-tower-venv-ansible atm.

Comment 20 Summer Long 2021-01-14 04:55:34 UTC
Statement:

Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.
