package and service modules allow arbitrary modules to be executed #67796
Comments
Files identified in the description: If these files are inaccurate, please update the |
When 'use' parameter is not used in package and service module, ansible relies on ansible facts such as 'pkg_mgr' and 'service_mgr'. This would allow arbitrary code execution on the managed node. Fix is added by adding a whitelist of allowed package manager modules and service manager modules to avoid arbitrary code execution on the managed node. Fixes: ansible#67796 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
**security issue** (CVE-2020-1738) When 'use' parameter is not used in package and service module, ansible relies on ansible facts such as 'pkg_mgr' and 'service_mgr'. This would allow arbitrary code execution on the managed node. Fix is added by adding a whitelist of allowed package manager modules and service manager modules to avoid arbitrary code execution on the managed node. Fixes: ansible#67796 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Going to close this one as it requires the remote to already be compromised in a way that this does not expand upon. To trigger this you already need to be able to either intercept communications with the target (so you can already alter payloads) or intercept what is executed on the target (so you already can control what is executed). As for having the user install a malicious collection to use in conjunction with this to execute arbitrary code on the controller, instead you can have them install a malicious role and override builtin actions, which is a much simpler approach w/o requiring an additional exploited remote target.
SUMMARY
CVE-2020-1738

Both `package` and `service` modules use facts to determine the name of the module to run if `use` is not passed to the module. The `ansible_facts['pkg_mgr']` and `ansible_facts['service_mgr']` facts could be set to another module name or a module name installed in a collection such as `ansible_collections.namespace.name./tmp/reverse-shell`, which would allow arbitrary code execution on the managed node.

A potential fix would be to whitelist valid modules for `package` and `service` and/or have the collection loader validate the collection path to not allow arbitrary files.

The collection loader part may already be fixed in 2.9.
ISSUE TYPE
COMPONENT NAME
lib/ansible/plugins/action/service.py
lib/ansible/plugins/action/package.py
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
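
The allowlist mitigation proposed in this issue, as an added example (not Ansible's code and not the merged fix): a module name taken from `pkg_mgr` or `service_mgr` is treated as untrusted input and must match a fixed set exactly. The allowlist contents, the names `resolve_backend` and `audit`, and the sample facts are assumptions made for illustration.

```python
# Added example: exact-match allowlist for a fact-derived module name.
# Allowlists, function names and sample facts are illustrative assumptions.

ALLOWED_BACKENDS = {
    "package": frozenset({"apt", "dnf", "yum", "zypper", "pacman", "apk"}),
    "service": frozenset({"systemd", "sysvinit", "openrc"}),
}
FACT_FOR = {"package": "pkg_mgr", "service": "service_mgr"}


class UntrustedBackend(ValueError):
    """A fact named a module that is not on the allowlist."""


def resolve_backend(kind, facts, use="auto"):
    """Return the module name to dispatch to for 'package' or 'service'.

    An explicit `use` is set by the playbook author and is returned as given
    (assumption of this sketch). With use='auto' the name comes from facts
    reported by the managed node, so it must match the allowlist exactly.
    """
    if kind not in ALLOWED_BACKENDS:
        raise ValueError("unknown action kind: %r" % (kind,))
    if use != "auto":
        return use
    name = facts.get(FACT_FOR[kind])
    # Type check first: a non-string fact (list, dict, None) is rejected
    # before the set lookup, which would fail on unhashable values.
    if not isinstance(name, str) or name not in ALLOWED_BACKENDS[kind]:
        raise UntrustedBackend("%s=%r is not an allowed %s backend"
                               % (FACT_FOR[kind], name, kind))
    return name


def audit(samples):
    """Classify (kind, facts) pairs; returns (kind, value, verdict) tuples."""
    results = []
    for kind, facts in samples:
        try:
            results.append((kind, resolve_backend(kind, facts), "allowed"))
        except UntrustedBackend:
            results.append((kind, facts.get(FACT_FOR[kind]), "rejected"))
    return results


# Constructed sample facts; the second value is the string quoted in the issue.
SAMPLE_FACTS = [
    ("package", {"pkg_mgr": "dnf"}),
    ("service", {"service_mgr": "ansible_collections.namespace.name./tmp/reverse-shell"}),
    ("package", {}),
]
```

Exact membership in a fixed set means dotted collection names, paths and missing or non-string facts all fail the same way, without any pattern matching on the value.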