Ansible Vulnerabilities 2019

Ansible Vulnerabilities

Firo Solutions Ansible vulnerability

Affecting:

Summary:

Christmas is closing by and we move in to the christmas feelings
we wanted to write something extra for christmas.
A tool we all love more then santa is Ansible !
Ansible is a opensource tool written in Python
used by system administrators to manage and deploy computer
servers and virtual machines.
Several vulnerabilities has now been reported that affects
ansible.

CVE-2019-14890

A vulnerability has been reported and found in Ansible Tower
which is a project by Red Hat.

A bug was found in Ansible Tower where the RHSM credentials
are saved in plain text in the database
that is available at ‘/api/v2/config’ after applying
the Ansible Tower license. Attackers with this information
could log into RHSM(Red Hat Subscription Management)
and modify licenses and make other changes.

The vulnerability has been given the CVE of CVE-2019-14890

The bug has been reported to redhat and patched in
the following link:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14890

CVE-2019-14856

Summary from the github issue

Convert CLI provided passwords to text initially, to
prevent unsafe context being lost when converting 
from bytes->text during
post processing of PlayContext. 
This prevents CLI provided passwords from
being incorrectly templated (CVE-2019-14856)

Update AnsibleUnsafeText and AnsibleUnsafeBytes
to maintain unsafe context by overriding .encode and .decode. This
prevents future issues with to_text, to_bytes, or to_native
removing the unsafe wrapper when converting between string types
(CVE-2019-14856)

Source: https://github.com/ansible/ansible/pull/63351

The patch for this vulnerability has been patched and the
code has changed

bugfixes:
- >
  **security issue** - Convert CLI provided passwords to text initially, to
  prevent unsafe context being lost when converting from bytes->text during
  post processing of PlayContext. This prevents CLI provided passwords from
  being incorrectly templated.
- >
  **security issue** - Update ``AnsibleUnsafeText`` and ``AnsibleUnsafeBytes``
  to maintain unsafe context by overriding ``.encode`` and ``.decode``. This
  prevents future issues with ``to_text``, ``to_bytes``, or ``to_native``
  removing the unsafe wrapper when converting between string types.		

The vulnerability has been given the CVE of CVE-2019-14856

Pull request:
https://github.com/ansible/ansible/pull/63351/commits

CVE-2019-10217

A vulnerability was found in the gcp_storage_object.py
function which cause the a failure when calling the
service_account_contents function.

The vulnerability has been given the CVE of CVE-2019-10217
The vulnerability was quickly reported to ansible
throw a github issue the problem was quickly addressed
and patched. https://github.com/ansible/ansible/issues/56269

External links:
Ansible
Ansible Tower
https://github.com/ansible/ansible/issues/56269
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14856

From us all to you all, we from firo wishes you a merry christmas
with a happy anouncement that we have pas over 300 000 unique views
on this blog! We are happy to provide you with this blog
and happily wishes you a merry christmas and a happy new year

This blog post is part of the exploit of the day series
where we write a shorter description about interesting
exploits that we index.