package and service modules allow arbitrary modules to be executed #67796
Assignees
Labels
affects_2.10
This issue/PR affects Ansible v2.10
bug
This issue/PR relates to a bug.
has_pr
This issue has an associated PR.
module
This issue/PR relates to a module.
packaging
Packaging category
security
Related to a vulnerability or CVE
support:core
This issue/PR relates to code supported by the Ansible Engineering Team.
system
System category
Comments
|
Files identified in the description: If these files are inaccurate, please update the |
ansibot
added
affects_2.10
Akasurde
added a commit
to Akasurde/ansible
that referenced
this issue
Feb 27, 2020
When 'use' parameter is not used in package and service module, ansible relies on ansible facts such as 'pkg_mgr' and 'service_mgr'. This would allow arbitrary code execution on the managed node. Fix is added by adding a whitelist of allowed package manager modules and service manager modules to avoid arbitrary code execution on the managed node. Fixes: ansible#67796 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Akasurde
added a commit
to Akasurde/ansible
that referenced
this issue
Feb 27, 2020
**security issue** (CVE-2020-1738) When 'use' parameter is not used in package and service module, ansible relies on ansible facts such as 'pkg_mgr' and 'service_mgr'. This would allow arbitrary code execution on the managed node. Fix is added by adding a whitelist of allowed package manager modules and service manager modules to avoid arbitrary code execution on the managed node. Fixes: ansible#67796 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Akasurde
added a commit
to Akasurde/ansible
that referenced
this issue
Feb 27, 2020
**security issue** (CVE-2020-1738) When 'use' parameter is not used in package and service module, ansible relies on ansible facts such as 'pkg_mgr' and 'service_mgr'. This would allow arbitrary code execution on the managed node. Fix is added by adding a whitelist of allowed package manager modules and service manager modules to avoid arbitrary code execution on the managed node. Fixes: ansible#67796 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Akasurde
added a commit
to Akasurde/ansible
that referenced
this issue
Apr 16, 2020
**security issue** (CVE-2020-1738) When 'use' parameter is not used in package and service module, ansible relies on ansible facts such as 'pkg_mgr' and 'service_mgr'. This would allow arbitrary code execution on the managed node. Fix is added by adding a whitelist of allowed package manager modules and service manager modules to avoid arbitrary code execution on the managed node. Fixes: ansible#67796 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Akasurde
added a commit
to Akasurde/ansible
that referenced
this issue
Apr 16, 2020
**security issue** (CVE-2020-1738) When 'use' parameter is not used in package and service module, ansible relies on ansible facts such as 'pkg_mgr' and 'service_mgr'. This would allow arbitrary code execution on the managed node. Fix is added by adding a whitelist of allowed package manager modules and service manager modules to avoid arbitrary code execution on the managed node. Fixes: ansible#67796 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
|
Going to close this one as it requires the remote to already be compromised in a way that this does not expand upon. To trigger this you already need to be able to either intercept communications with the target (so you can already alter payloads) or intercept what is executed on the target (so you already can control what is executed). As for having the user install malicious collection to use in conjunction with this to execute arbitrary code on the controller, instead you can have them install a malicious role and override builtin actions, which is a much simpler approach w/o requiring an additional exploited remote target. |
10 tasks
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
SUMMARY
CVE-2020-1738
Both
packageandservicemodules use facts to determine the name of the module to run ifuseis not passed to the module. Theansible_facts['pkg_mgr']andansible_facts['service_mgr']facts could be set to another module name or a module name installed in a collection such asansible_collections.namespace.name./tmp/reverse-shell, which would allow arbitrary code execution on the managed node.A potential fix would be to whitelist valid modules for
packageandserviceand/or have the collection loader validate the collection path to not allow arbitrary files.The collection loader part may already be fixed in 2.9.
ISSUE TYPE
COMPONENT NAME
lib/ansible/plugins/action/service.pylib/ansible/plugins/action/package.pyANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
The text was updated successfully, but these errors were encountered: