Bug 482152 (CVE-2013-4259) - <app-admin/ansible-1.2.3: two vulnerabilities (CVE-2013-{4259,4260})
Summary: <app-admin/ansible-1.2.3: two vulnerabilities (CVE-2013-{4259,4260})
Status: RESOLVED FIXED
Alias: CVE-2013-4259
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-22 20:29 UTC by Agostino Sarubbo
Modified: 2014-01-27 11:26 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2013-08-22 20:29:59 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=998227 :

Since version 1.2 of ansible, failed runs (due to connection errors or config errors) are listed
in /var/tmp/ansible/$script_name.yml, with $script_name being the script name used (or rather
the playbook, in ansible lingo).

There is no verification of the file or directory here, and /var/tmp is world writable.

Worse, since it uses a subdirectory under /var/tmp, some symlink protection may not apply (not
tested). For example, if I create a directory /var/tmp/ansible with owner misc:users and a symlink
to a file of joe's, the kernel would permit following it since the symlink and the owner of the directory
match. This permits erasing file contents, among other things. I am not sure what kind of specific attack
could be made by injecting an IP and hostname into a specific file, but I am sure one exists.

Code is on 
https://github.com/ansible/ansible/blob/devel/lib/ansible/playbook/__init__.py#L480

Upstream was not notified yet AFAIK.

I do have a patch almost ready that does:
- verify the permissions/owner of the directory
- create a unique directory derived from the username (so predictable) with proper permissions if it
doesn't exist

I just need to review and test.

The current code does cope with lack of permission on the directory, so even if someone creates a
directory in advance, this will be handled "gracefully" (I think a message would be better).
Comment 1 Agostino Sarubbo gentoo-dev 2013-08-22 20:30:03 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=998223 :

By default, ansible tries to create a ControlMaster file in a predictable location in /tmp. This is vulnerable to an ssh socket injection attack like this:

~ $ sudo ln -s /tmp/ansible-ssh-elspeth.example.org-22-misc /tmp/ansible-ssh-sisay.example.org-22-misc


~ $ ansible -i 'elspeth.example.org,sisay.example.org' all -m shell -u misc -a hostname
elspeth.example.org | success | rc=0 >>
elspeth.example.org

sisay.example.org | success | rc=0 >>
elspeth.example.org

I also did a test without using root; it's the same.
Based on this attack, someone could divert the ssh connection to another server, make it connect to a server under the control of an attacker, and steal configuration files
(with passwords), or steal passwords with a fake sudo (since ansible can also use sudo).

Please note that you need to:
- disable selinux
# setenforce 0

- disable the latest protection from the kernel

# sysctl -w fs.protected_symlinks=0
# sysctl -w fs.protected_hardlinks=0

to make sure this works.
I didn't find how/where ssh checks the socket file for suitability; maybe it should.


I am not sure what a good fix would be. I do have a patch that puts the socket in $XDG_RUNTIME_DIR, but it is a very weak mitigation technique that does not work on older
platforms such as RHEL 6.

Another solution would be to make sure the socket is created in a specific temporary directory, but this could make the software much slower.

And checking if the socket exists first is prone to race conditions.

Upstream was not contacted yet, and plans to release 1.3 in around 2 weeks. The issue is not public (but quite easy to spot).


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly whether it is ready for stabilization or not.
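Both reports above come down to the same defect: a predictable path in a shared temporary directory (the retry file under /var/tmp/ansible, the ControlMaster socket under /tmp) that a planted symlink can redirect. The following is an added example, not Ansible's fix or the reporter's patch; it implements the checks the first report lists (verify owner and mode, create a per-user directory if it is missing) and opens the retry file with O_NOFOLLOW, and the same private directory is where an ssh ControlPath belongs instead of a bare /tmp name. The base directory, the `ansible-<uid>` naming and the sample host lists are assumptions.

```python
import os
import stat
import tempfile


def private_user_dir(base, name="ansible"):
    """Return BASE/NAME-<uid>: created 0700 if absent, then rejected unless
    it is a real directory that we own and nobody else can write to."""
    uid = os.getuid()
    path = os.path.join(base, "%s-%d" % (name, uid))
    os.makedirs(path, 0o700, exist_ok=True)   # no error if it already exists
    st = os.lstat(path)                       # lstat, so a symlink cannot pass
    unsafe = (not stat.S_ISDIR(st.st_mode) or st.st_uid != uid
              or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    if unsafe:
        raise RuntimeError("refusing unsafe directory %s" % path)
    return path


def write_retry_file(base, playbook, hosts):
    """Write the failed-host list; O_NOFOLLOW refuses a planted symlink."""
    target = os.path.join(private_user_dir(base), playbook + ".retry")
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    with os.fdopen(os.open(target, flags, 0o600), "w") as f:
        f.write("\n".join(hosts) + "\n")
    return target


def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False


def selfcheck():
    base = tempfile.mkdtemp()                 # constructed scratch area
    victim = os.path.join(base, "victim")     # stands in for another user's file
    open(victim, "w").close()
    with open(write_retry_file(base, "site", ["web1", "web2"])) as f:
        good = f.read() == "web1\nweb2\n"
    os.symlink(victim, os.path.join(private_user_dir(base), "evil.retry"))
    blocked = _raises(OSError, write_retry_file, base, "evil", ["x"])
    planted = os.path.join(tempfile.mkdtemp(), "ansible-%d" % os.getuid())
    os.mkdir(planted)
    os.chmod(planted, 0o777)                  # chmod ignores the umask
    refused = _raises(RuntimeError, private_user_dir, os.path.dirname(planted))
    return good, blocked, os.path.getsize(victim) == 0, refused
```

selfcheck() runs the constructed scenarios and reports whether the normal write succeeded, the symlink was refused, the victim file stayed untouched, and the pre-planted world-writable directory was rejected.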
Comment 2 Sergey Popov gentoo-dev 2013-08-23 08:23:30 UTC
I assume B3 for now, waiting for upstream...
Comment 3 Sergey Popov gentoo-dev 2013-09-02 09:35:58 UTC
1.2.3 released - https://groups.google.com/forum/#!topic/ansible-project/UVDYW0HGcNg
Comment 4 Sergey Popov gentoo-dev 2013-09-02 11:14:51 UTC
+  02 Sep 2013; Sergey Popov <pinkbyte@gentoo.org> +ansible-1.2.3.ebuild,
+  ansible-9999.ebuild:
+  Version bump, wrt bug #482152. Sync live ebuild
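Review bot: the ChangeLog entry cites only bug #482152; adding the CVE identifiers from the bug summary (CVE-2013-4259, CVE-2013-4260) to the entry would let anyone searching the tree for a CVE find the fixed version directly.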

Ready for stabilization.

Arches, please test and mark stable =app-admin/ansible-1.2.3

Target keywords: amd64 x86
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-03 09:03:21 UTC
(In reply to Sergey Popov from comment #4)
> +  02 Sep 2013; Sergey Popov <pinkbyte@gentoo.org> +ansible-1.2.3.ebuild,
> +  ansible-9999.ebuild:
> +  Version bump, wrt bug #482152. Sync live ebuild

I guess there happened a mistake, I don't see that version in tree.
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-admin/ansible/
Comment 6 Sergey Popov gentoo-dev 2013-09-03 15:11:32 UTC
(In reply to Agostino Sarubbo from comment #5)
> I guess there happened a mistake, I don't see that version in tree.
> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-admin/ansible/

Yeah, sorry for that. Now really committed.
Comment 7 Agostino Sarubbo gentoo-dev 2013-09-04 12:47:06 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-09-14 10:13:39 UTC
x86 stable
Comment 9 Sergey Popov gentoo-dev 2013-09-15 11:46:34 UTC
Thanks for your work

GLSA vote: no
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-09-17 22:36:04 UTC
CVE-2013-4260 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4260):
  lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when
  playbook does not run due to an error, allows local users to overwrite
  arbitrary files via a symlink attack on a retry file with a predictable name
  in /var/tmp/ansible/.

CVE-2013-4259 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4259):
  runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using
  ControlPersist, allows local users to redirect a ssh session via a symlink
  attack on a socket file with a predictable name in /tmp/.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2013-09-25 11:01:02 UTC
GLSA vote: yes.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-27 11:26:10 UTC
GLSA vote: no.

Closing as [noglsa]