Bug 1914774 (CVE-2021-20178) - CVE-2021-20178 ansible: user data leak in snmp_facts module
Summary: CVE-2021-20178 ansible: user data leak in snmp_facts module
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20178
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1914807 1917331 1914806 1914808 1917287 1917330 1917332 1917333 1917334 1962577
Blocks: 1942838 1913193
TreeView+ depends on / blocked
 
Reported: 2021-01-11 08:19 UTC by Tapas Jena
Modified: 2021-11-21 20:34 UTC (History)
37 users (show)

Fixed In Version: ansible 2.9.18
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ansible. The 'authkey' and 'privkey' credentials are disclosed by default and not protected by no_log feature when using the snmp_facts module. Attackers could take advantage of this information to steal the SNMP credentials. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-02-24 19:02:24 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0663 0 None None None 2021-02-24 17:46:15 UTC
Red Hat Product Errata RHSA-2021:0664 0 None None None 2021-02-24 17:46:58 UTC

Description Tapas Jena 2021-01-11 08:19:29 UTC
snmp_facts module in Ansible leaks user authentication such as authKey and privKey. This could lead in disclosing those credentials for every user which has access to the output of playbook execution.

Comment 1 Tapas Jena 2021-01-11 08:19:34 UTC
Acknowledgments:

Name: Abhijeet Kasurde (Red Hat)

Comment 5 Salvatore Bonaccorso 2021-01-12 06:35:57 UTC
Hi

Is there a upstream issue reference for this issue?

Regards,
Salvatore

Comment 6 Tapas Jena 2021-01-12 10:15:09 UTC
Hi,
Please refer the below for upstream reference for this issue.
https://github.com/ansible-collections/community.general/pull/1621 

Kind Regards,
Tapas J

Comment 7 Salvatore Bonaccorso 2021-01-12 16:12:06 UTC
Hi Tapas,

Thank you.

Regards,
Salvatore

Comment 8 Borja Tarraso 2021-01-18 09:11:15 UTC
Created ansible tracking bugs for this issue:

Affects: fedora-all [bug 1917287]

Comment 9 Tapas Jena 2021-01-18 10:09:58 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1917330]

Comment 10 Tapas Jena 2021-01-18 10:14:38 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1917331]

Comment 16 errata-xmlrpc 2021-02-24 17:46:11 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:0663 https://access.redhat.com/errata/RHSA-2021:0663

Comment 17 errata-xmlrpc 2021-02-24 17:46:55 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:0664 https://access.redhat.com/errata/RHSA-2021:0664

Comment 18 Product Security DevOps Team 2021-02-24 19:02:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20178

Comment 19 Hardik Vyas 2021-03-29 14:22:11 UTC
Statement:

The version of ansible shipped with Red Hat Gluster Storage (RHGS) 3 includes the vulnerable snmp module. However, RHGS 3 no longer maintains its own version of Ansible, prerequisite is to enable ansible repository in order to consume the latest version of ansible which has many bug and security fixes.

Comment 20 errata-xmlrpc 2021-04-06 13:20:42 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 1.2 for RHEL 7

Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079

Comment 23 David Busby 2021-06-01 11:59:55 UTC
Please note the filing of CVE-2020-20178 links to this BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1914774), (see: https://nvd.nist.gov/vuln/detail/CVE-2020-20178) 

However there is no mention of OpenLDAP issue being affected in this BZ despite the CVE filing noting the OpenLDAP issue "A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP’s slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability." 

Instead should the CVE filing note this BZ link: https://bugzilla.redhat.com/show_bug.cgi?id=1928774 and https://bugzilla.redhat.com/show_bug.cgi?id=1899675 instead of https://bugzilla.redhat.com/show_bug.cgi?id=1914774 ?

Comment 24 errata-xmlrpc 2021-06-01 13:23:33 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8

Via RHSA-2021:2180 https://access.redhat.com/errata/RHSA-2021:2180


Note You need to log in before you can comment on or make changes to this bug.