CVE-2020-1733: Race Condition
First published: Tue Feb 11 2020(Updated: )
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ansible | <0:2.7.17-1.el7ae | 0:2.7.17-1.el7ae |
| redhat/ansible | <0:2.8.11-1.el7ae | 0:2.8.11-1.el7ae |
| redhat/ansible | <0:2.8.11-1.el8ae | 0:2.8.11-1.el8ae |
| redhat/ansible | <0:2.9.7-1.el7ae | 0:2.9.7-1.el7ae |
| redhat/ansible | <0:2.9.7-1.el8ae | 0:2.9.7-1.el8ae |
| Redhat Ansible | <=2.7.16 | |
| Redhat Ansible | >=2.8.0<2.8.8 | |
| Redhat Ansible | >=2.9.0<=2.9.5 | |
| Redhat Ansible Tower | <=3.3.4 | |
| Redhat Ansible Tower | >=3.3.5<=3.4.5 | |
| Redhat Ansible Tower | >=3.5.0<=3.5.5 | |
| Redhat Ansible Tower | >=3.6.0<=3.6.3 | |
| Redhat Cloudforms Management Engine | =5.0 | |
| Redhat Openstack | =13 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =10.0 | |
| debian/ansible | 2.7.7+dfsg-1+deb10u1 2.7.7+dfsg-1+deb10u2 2.10.7+merged+base+2.10.8+dfsg-1 7.3.0+dfsg-1 7.7.0+dfsg-3 | |
| redhat/ansible-engine | <2.7.17 | 2.7.17 |
| redhat/ansible-engine | <2.8.11 | 2.8.11 |
| redhat/ansible-engine | <2.9.7 | 2.9.7 |
| pip/ansible | >=2.9.0a1<2.9.7 | 2.9.7 |
| pip/ansible | >=2.8.0a1<2.8.11 | 2.8.11 |
| pip/ansible | >=0<2.7.17 | 2.7.17 |
Remedy
This issue can be mitigated by mounting the proc filesystem with hidepid=2 option (https://www.kernel.org/doc/Documentation/filesystems/proc.txt). This way only the user used by Ansible will be able to perform the attack as users on the system will be able to access only their processes /proc/$PID/ directories. Also note that mounting proc filesystem with hidepid=2 might require re-mounting it on unpatched kernels, due to a kernel bug (see https://unix.stackexchange.com/questions/584054/why-procfs-mount-option-only-working-on-remount), there will be hidepid=3 in the future (https://patchwork.kernel.org/patch/11310217/).
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-1733 https://nvd.nist.gov/vuln/detail/CVE-2020-1733
- https://bugzilla.redhat.com/show_bug.cgi?id=1801735
- https://access.redhat.com/errata/RHSA-2020:1544
- https://access.redhat.com/errata/RHSA-2020:1543
- https://access.redhat.com/errata/RHSA-2020:1541
- https://access.redhat.com/errata/RHSA-2020:1542
- https://access.redhat.com/security/cve/cve-2020-1733
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733
- https://github.com/ansible/ansible/issues/67791
- https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
- https://security.gentoo.org/glsa/202006-11
- https://www.debian.org/security/2021/dsa-4950
- https://github.com/ansible/ansible/pull/68921
- https://github.com/ansible/ansible/commit/8077d8e40148fe77e2393caa5f2b2ea855149d63
- https://security-tracker.debian.org/tracker/CVE-2020-1733
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1805342
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1805341
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1807873
- https://www.kernel.org/doc/Documentation/filesystems/proc.txt
- https://unix.stackexchange.com/questions/584054/why-procfs-mount-option-only-working-on-remount
- https://patchwork.kernel.org/patch/11310217/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
- https://nvd.nist.gov/vuln/detail/CVE-2020-1733
- https://github.com/ansible/ansible/commit/80b9a0a25c5f75e84aefc8f2b293fb1933b154f2
- https://github.com/ansible/ansible/commit/8251d9f4c2bc82632ab992277fcd30ccbf87aa47
- https://github.com/ansible/ansible/commit/ecf99d5e1ff732a7777010facd6c98bb0994605e
- https://github.com/advisories/GHSA-g4mq-6fp5-qwcf (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-5.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-1733?
CVE-2020-1733 is a race condition vulnerability found in Ansible Engine when running a playbook with an unprivileged become user.
What is the severity of CVE-2020-1733?
CVE-2020-1733 has a medium severity rating.
Which versions of Ansible Engine are affected by CVE-2020-1733?
Ansible Engine 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior are affected by CVE-2020-1733.
How can I fix CVE-2020-1733?
To fix CVE-2020-1733, update Ansible Engine to versions 2.7.17, 2.8.11, or 2.9.7.
Where can I find more information about CVE-2020-1733?
You can find more information about CVE-2020-1733 on the Red Hat Bugzilla and GitHub pages.
- collector/redhat-cve
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-1733
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g4mq-6fp5-qwcf
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/event
- collector/github-advisory
- package-manager/redhat
- vendor/redhat
- canonical/redhat ansible
- version/redhat ansible/2.7.16
- version/redhat ansible/2.8.0
- version/redhat ansible/2.9.0
- version/redhat ansible/2.9.5
- canonical/redhat ansible tower
- version/redhat ansible tower/3.3.4
- version/redhat ansible tower/3.3.5
- version/redhat ansible tower/3.4.5
- version/redhat ansible tower/3.5.0
- version/redhat ansible tower/3.5.5
- version/redhat ansible tower/3.6.0
- version/redhat ansible tower/3.6.3
- canonical/redhat cloudforms management engine
- version/redhat cloudforms management engine/5.0
- canonical/redhat openstack
- version/redhat openstack/13
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/10.0
- package-manager/debian
- package-manager/pip