| Field | Value |
|---|---|
| Summary | app-admin/ansible-1.2.3: two vulnerabilities (CVE-2013-{4259,4260}) |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | pinkbyte |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
Description
Agostino Sarubbo
2013-08-22 20:29:59 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=998223 :

By default, ansible tries to create a ControlMaster file in a predictable location in /tmp. This is vulnerable to an ssh socket injection attack like this:

```
~ $ sudo ln -s /tmp/ansible-ssh-elspeth.example.org-22-misc /tmp/ansible-ssh-sisay.example.org-22-misc
~ $ ansible -i 'elspeth.example.org,sisay.example.org' all -m shell -u misc -a hostname
elspeth.example.org | success | rc=0 >>
elspeth.example.org

sisay.example.org | success | rc=0 >>
elspeth.example.org
```

I also did a test without using root; it is the same.

Based on this attack, someone could divert the ssh connection to another server, make it connect to a server under the control of the attacker, and steal the configuration file (with passwords), or steal the password with a fake sudo (since ansible can also use sudo).

Please note that you need to:

- disable selinux: `# setenforce 0`
- disable the latest protection from the kernel: `# sysctl -w fs.protected_symlinks=0` and `# sysctl -w fs.protected_hardlinks=0`

to make sure this works.

I didn't find how/where ssh checks the socket file for suitability; maybe it should. I am not sure what a good fix could be. I do have a patch that puts the socket in $XDG_RUNTIME_DIR, but it is a very weak mitigation technique that does not work on older platforms such as RHEL 6. Another solution would be to make sure the socket is created in a specific temporary directory, but this could make the software much slower. And checking if the socket exists first is prone to race conditions.

Upstream was not contacted yet, and plans to release 1.3 in around 2 weeks. The issue is not public (but quite easy to spot).

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for stabilization or not.

I assume B3 for now, waiting for upstream...
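Added example (written for this page; not the reporter's patch, Red Hat's, or Ansible's own code): a small Python module showing the two defences the report circles around, keeping the control sockets in a per-user 0700 directory that is verified with lstat rather than trusted, and refusing to reuse a ControlPath entry unless it is a plain socket owned by the current user. It also covers the retry-file case from CVE-2013-4260 with O_EXCL|O_NOFOLLOW. The function names, the directory layout and the demo() walkthrough are assumptions for the example; the host names and user are the ones from the report.

```python
"""Hardened temp-path handling for ssh ControlPath sockets and .retry files.

Added example, not Ansible's own code. The report's attack plants
/tmp/ansible-ssh-<host>-<port>-<user> as a symlink to another host's socket
and ssh silently reuses it. Names below are assumptions for this example.
"""
import os
import socket
import stat
import tempfile


class UnsafePathError(Exception):
    """Raised when a path fails the ownership / symlink / mode checks."""


def _assert_private_dir(path):
    st = os.lstat(path)                      # lstat: never follow a planted link
    if stat.S_ISLNK(st.st_mode):
        raise UnsafePathError(f"{path} is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafePathError(f"{path} is not a directory")
    if st.st_uid != os.getuid():
        raise UnsafePathError(f"{path} is owned by uid {st.st_uid}, not us")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise UnsafePathError(f"{path} is group- or world-accessible")


def private_runtime_dir(base=None):
    """Per-user directory for control sockets.

    Prefers $XDG_RUNTIME_DIR (the reporter's mitigation); where it is absent
    (older platforms such as RHEL 6) falls back to a fresh mkdtemp() directory,
    which is created 0700 and cannot be pre-planted. Either way the result is
    verified, because makedirs(exist_ok=True) happily accepts a planted link.
    """
    if base is None:
        base = os.environ.get("XDG_RUNTIME_DIR")
    if not base or not os.path.isdir(base):
        base = tempfile.mkdtemp(prefix="ansible-")
    d = os.path.join(base, "ssh")
    os.makedirs(d, mode=0o700, exist_ok=True)
    _assert_private_dir(d)
    return d


def control_path(runtime_dir, host, port, user):
    """ControlPath for (host, port, user); refuse to reuse anything that is
    not a plain socket owned by the current user."""
    path = os.path.join(runtime_dir, f"{host}-{port}-{user}")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return path                              # ssh creates the socket itself
    if stat.S_ISLNK(st.st_mode):
        raise UnsafePathError(f"{path} is a symlink; not reusing it")
    if not stat.S_ISSOCK(st.st_mode) or st.st_uid != os.getuid():
        raise UnsafePathError(f"{path} is not a socket we own")
    return path


def create_retry_file(runtime_dir, playbook, failed_hosts):
    """Write <playbook>.retry without following a link (CVE-2013-4260 case).
    Only our own earlier run can have left something in the private dir; a
    leftover link is unlinked (the link, not its target), then the file is
    created with O_EXCL|O_NOFOLLOW so nothing else can be opened in its place."""
    path = os.path.join(runtime_dir, f"{playbook}.retry")
    if os.path.lexists(path):
        os.unlink(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(failed_hosts) + "\n")
    return path


def demo():
    """Walk through the report's scenario on a throw-away directory and return
    what happened (constructed data; host names are the report's)."""
    r = {}
    d = private_runtime_dir(tempfile.mkdtemp(prefix="demo-"))
    r["dir_mode"] = stat.S_IMODE(os.lstat(d).st_mode)
    sisay = control_path(d, "sisay.example.org", 22, "misc")
    r["fresh_path_ok"] = not os.path.lexists(sisay)
    # The report's attack: sisay's path is pre-planted as a link to elspeth's.
    os.symlink(os.path.join(d, "elspeth.example.org-22-misc"), sisay)
    try:
        control_path(d, "sisay.example.org", 22, "misc")
        r["symlink_rejected"] = False
    except UnsafePathError:
        r["symlink_rejected"] = True
    os.unlink(sisay)
    # A genuine socket we own (what ControlPersist leaves behind) is reused.
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(sisay)
    r["own_socket_reused"] = control_path(d, "sisay.example.org", 22, "misc") == sisay
    s.close()
    # Retry file: a planted link must not cause its target to be written.
    target = os.path.join(d, "victim")
    os.symlink(target, os.path.join(d, "site.retry"))
    retry = create_retry_file(d, "site", ["sisay.example.org"])
    r["retry_target_untouched"] = not os.path.exists(target)
    r["retry_is_regular_file"] = stat.S_ISREG(os.lstat(retry).st_mode)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check in control_path is deliberately a check on the path ssh will be handed, not a test-then-create of the socket itself (ssh creates it); the race the reporter worries about is removed by the directory being private, since only the same user can write into it, and the symlink check then only has to catch a stale or accidental entry.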
1.2.3 released - https://groups.google.com/forum/#!topic/ansible-project/UVDYW0HGcNg

```
+ 02 Sep 2013; Sergey Popov <pinkbyte@gentoo.org> +ansible-1.2.3.ebuild,
+ ansible-9999.ebuild:
+ Version bump, wrt bug #482152. Sync live ebuild
```

Ready for stabilization. Arches, please test and mark stable =app-admin/ansible-1.2.3

Target keywords: amd64 x86

(In reply to Sergey Popov from comment #4)
> + 02 Sep 2013; Sergey Popov <pinkbyte@gentoo.org> +ansible-1.2.3.ebuild,
> + ansible-9999.ebuild:
> + Version bump, wrt bug #482152. Sync live ebuild

I guess a mistake happened; I don't see that version in the tree.
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-admin/ansible/

(In reply to Agostino Sarubbo from comment #5)
> I guess a mistake happened; I don't see that version in the tree.
> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-admin/ansible/

Yeah, sorry for that. Now really committed.

amd64 stable

x86 stable

Thanks for your work.

GLSA vote: no

CVE-2013-4260 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4260): lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when a playbook does not run due to an error, allows local users to overwrite arbitrary files via a symlink attack on a retry file with a predictable name in /var/tmp/ansible/.

CVE-2013-4259 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4259): runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect an ssh session via a symlink attack on a socket file with a predictable name in /tmp/.

GLSA vote: yes.

GLSA vote: no.

Closing as [noglsa]