Headline
CVE-2020-1733: insecure temporary directory when running become_user from become directive
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage of this to gain control of the become user, as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'.
Description Borja Tarraso 2020-02-11 14:54:04 UTC
When a playbook runs a target on a Linux node with an unprivileged become user, a race condition allows another user on the node to gain control of the become user. In addition, permissions of files owned by the original ssh user on the node can be modified.
When Ansible needs to run a module with become-user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user.
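The following is an added illustration, not code from Ansible or from the reporters, of why "mkdir -p" is the wrong primitive for a private temporary directory and what a defensive replacement checks. The function names (mkdir_p_style, secure_mkdir, verify_private_dir) and the sample directory names are assumptions made for the example; the pre-planted directory is constructed inside a scratch directory to stand in for one that another user created first.

```python
import os
import stat
import tempfile


def mkdir_p_style(path):
    """Mimics 'umask 77 && mkdir -p <dir>': succeeds silently when the
    directory already exists, regardless of who owns it."""
    old_umask = os.umask(0o077)
    try:
        os.makedirs(path, exist_ok=True)
    finally:
        os.umask(old_umask)


def verify_private_dir(path):
    """Check that path is a real directory (not a symlink), owned by us,
    and not readable/writable/searchable by group or others."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a directory" % path)
    if st.st_uid != os.geteuid():
        raise RuntimeError("%s is owned by uid %d, not us" % (path, st.st_uid))
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise RuntimeError("%s is accessible to group/others" % path)
    return True


def secure_mkdir(path):
    """Create the directory only if nothing is there yet (no -p), then
    verify what we got before trusting it."""
    os.mkdir(path, 0o700)  # raises FileExistsError if anything already exists
    return verify_private_dir(path)


def demo():
    """Returns (mkdir_p_accepted_planted, secure_refused_planted, fresh_ok)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in for a directory created ahead of time by another user.
        planted = os.path.join(root, "ansible-tmp-planted")
        os.mkdir(planted, 0o755)
        mkdir_p_style(planted)  # the vulnerable pattern does not complain
        p_accepted = os.path.isdir(planted)
        try:
            secure_mkdir(planted)
            refused = False
        except FileExistsError:
            refused = True
        fresh_ok = secure_mkdir(os.path.join(root, "ansible-tmp-fresh"))
    return p_accepted, refused, fresh_ok
```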
Comment 2 Borja Tarraso 2020-02-17 12:58:19 UTC
Acknowledgments:
Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)
Comment 4 Borja Tarraso 2020-02-20 16:53:13 UTC
Created ansible tracking bugs for this issue:
Affects: epel-all [bug 1805342]
Affects: fedora-all [bug 1805341]
Comment 7 Yadnyawalk Tale 2020-02-20 22:43:53 UTC
Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we’re no longer fixing “Medium” severity CVEs.
Comment 13 Borja Tarraso 2020-02-27 12:19:26 UTC
Created ansible tracking bugs for this issue:
Affects: openstack-rdo [bug 1807873]
Comment 22 Yadnyawalk Tale 2020-05-11 09:23:32 UTC
CloudForms 5.11 does not use ansible-tower and 5.10 is only using ansible-tower-venv-ansible atm.
Comment 24 Summer Long 2021-01-14 04:53:58 UTC
Statement:
Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.
Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.
In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.