Message-ID: <20140722013637.GG17656@core.inversepath.com>
Date: Tue, 22 Jul 2014 03:36:37 +0200
From: Andrea Barisani <lcars@...rt.org>
To: oss-security@...ts.openwall.com, ocert-announce@...ts.ocert.org,
  bugtraq@...urityfocus.com
Subject: [oCERT-2014-004] Ansible input sanitization errors


#2014-004 Ansible input sanitization errors

Description:

The Ansible project is an open source configuration management platform.

The Ansible platform suffers from input sanitization errors that allow
arbitrary code execution as well as information leak, in case an attacker is
able to control certain playbook variables.

The first vulnerability involves the escalation of a local permission access
level into arbitrary code execution. The code execution can be triggered by
interpolation of file names maliciously crafted as lookup plugin commands, in
combination with its pipe feature.

The second vulnerability concerns the unsafe parsing of action arguments in
the face of an attacker controlling variable data (whether fact data,
with_fileglob data, or other sources), allowing an attacker to supply their
own options to an action. The impact of this is dependent on the action
module the attacker targets. For example, an attacker controlling variables
passed to the copy or template actions would be able to trigger arbitrary
code execution (in addition to simple information leakage) via the validate
option's acceptance of arbitrary shell code.

Affected version:

Ansible <= 1.6.6

Fixed version:

Ansible >= 1.6.7

Credit: vulnerability report received from Brian Harring <ferringb AT
        gmail.com>.

CVE: CVE-2014-4966 (lookup function), CVE-2014-4967 (action arguments)

Timeline:

2014-07-01: vulnerability report received
2014-07-02: contacted Ansible maintainers
2014-07-02: disclosure coordinated on 2014-07-17
2014-07-15: assigned CVEs
2014-07-06: maintainer provides patch for review
2014-07-17: maintainer provides updated patch based on reporter's feedback
2014-07-17: embargo date lifted due to ongoing evaluations of patch
            effectiveness and additional reporter feedback
2014-07-17: maintainer provides updated patch which provides solutions for
            additional findings
2014-07-18: disclosure date updated to 2014-07-21
2014-07-18: maintainer provides updated patch for review
2014-07-20: maintainer provides updated patch indicating all reported
            issues as closed
2014-07-21: advisory release

References:
http://www.ansible.com

Permalink:
http://www.ocert.org/advisories/ocert-2014-004.html

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | OSS Computer Security Incident Response Team

<lcars@...rt.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"
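
The second issue above (CVE-2014-4967) is an instance of option injection into a key=value argument string. The following is an added example, not code from the advisory or from Ansible, and not a description of the actual 1.6.7 fix: a simplified model in which the toy templater, the function names and the sample values are all assumptions made for illustration.

```python
import re
import shlex

def render(template, variables):
    """Toy templating (assumption): replace {{ name }} with the variable's value."""
    return re.sub(r"\{\{\s*(\w+)\s*\}\}",
                  lambda m: str(variables[m.group(1)]), template)

def split_pairs(arg_string):
    """Split 'k=v k2=v2' into ordered (key, value) pairs; bare words get key None."""
    pairs = []
    for token in shlex.split(arg_string):
        key, sep, value = token.partition("=")
        pairs.append((key, value) if sep else (None, token))
    return pairs

def parse_unsafe(template, variables):
    """Interpolate first, parse second: variable data can add or override options."""
    pairs = split_pairs(render(template, variables))
    return {k: v for k, v in pairs if k is not None}

def parse_checked(template, variables):
    """Reject the action if substitution changed the sequence of option keys."""
    # Render once with inert placeholders to learn the keys the author wrote.
    inert = {name: "X" for name in variables}
    authored = [k for k, _ in split_pairs(render(template, inert))]
    pairs = split_pairs(render(template, variables))
    if [k for k, _ in pairs] != authored:
        raise ValueError("variable data changed the option list")
    return {k: v for k, v in pairs if k is not None}

# Constructed sample input (not taken from the advisory).
TEMPLATE = "src={{ item }} dest=/etc/app/{{ item }}"
BENIGN = {"item": "app.conf"}
ADDS_OPTION = {"item": "app.conf validate=INJECTED"}
OVERRIDES = {"item": "app.conf dest=/tmp/elsewhere"}

if __name__ == "__main__":
    print(parse_unsafe(TEMPLATE, ADDS_OPTION))
    for data in (BENIGN, ADDS_OPTION, OVERRIDES):
        try:
            print("accepted:", parse_checked(TEMPLATE, data))
        except ValueError as err:
            print("rejected:", data["item"], "-", err)
```

The check fails closed: a legitimate value containing whitespace is also rejected, which is the safer outcome when arguments are carried as a flat string rather than as structured data.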
