CVE-2020-1733: Race Condition
First published: Tue Feb 11 2020(Updated: )
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ansible-engine | <2.7.17 | 2.7.17 |
| redhat/ansible-engine | <2.8.11 | 2.8.11 |
| redhat/ansible-engine | <2.9.7 | 2.9.7 |
| redhat/ansible | <0:2.7.17-1.el7ae | 0:2.7.17-1.el7ae |
| redhat/ansible | <0:2.8.11-1.el7ae | 0:2.8.11-1.el7ae |
| redhat/ansible | <0:2.8.11-1.el8ae | 0:2.8.11-1.el8ae |
| redhat/ansible | <0:2.9.7-1.el7ae | 0:2.9.7-1.el7ae |
| redhat/ansible | <0:2.9.7-1.el8ae | 0:2.9.7-1.el8ae |
| Redhat Ansible | <=2.7.16 | |
| Redhat Ansible | >=2.8.0<2.8.8 | |
| Redhat Ansible | >=2.9.0<=2.9.5 | |
| Redhat Ansible Tower | <=3.3.4 | |
| Redhat Ansible Tower | >=3.3.5<=3.4.5 | |
| Redhat Ansible Tower | >=3.5.0<=3.5.5 | |
| Redhat Ansible Tower | >=3.6.0<=3.6.3 | |
| Redhat Cloudforms Management Engine | =5.0 | |
| Redhat Openstack | =13 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =10.0 | |
| debian/ansible | 2.7.7+dfsg-1+deb10u1 2.7.7+dfsg-1+deb10u2 2.10.7+merged+base+2.10.8+dfsg-1 7.3.0+dfsg-1 7.7.0+dfsg-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733
- https://github.com/ansible/ansible/issues/67791
- https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
- https://security.gentoo.org/glsa/202006-11
- https://www.debian.org/security/2021/dsa-4950
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1805342
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1805341
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1807873
- https://access.redhat.com/errata/RHSA-2020:1541
- https://access.redhat.com/errata/RHSA-2020:1542
- https://access.redhat.com/errata/RHSA-2020:1543
- https://access.redhat.com/errata/RHSA-2020:1544
- https://access.redhat.com/security/cve/cve-2020-1733
- https://www.kernel.org/doc/Documentation/filesystems/proc.txt
- https://unix.stackexchange.com/questions/584054/why-procfs-mount-option-only-working-on-remount
- https://patchwork.kernel.org/patch/11310217/
- https://bugzilla.redhat.com/show_bug.cgi?id=1801735
- https://www.cve.org/CVERecord?id=CVE-2020-1733 https://nvd.nist.gov/vuln/detail/CVE-2020-1733
- https://github.com/ansible/ansible/pull/68921
- https://github.com/ansible/ansible/commit/8077d8e40148fe77e2393caa5f2b2ea855149d63
- https://security-tracker.debian.org/tracker/CVE-2020-1733
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-1733?
CVE-2020-1733 is a race condition vulnerability found in Ansible Engine when running a playbook with an unprivileged become user.
What is the severity of CVE-2020-1733?
CVE-2020-1733 has a medium severity rating.
Which versions of Ansible Engine are affected by CVE-2020-1733?
Ansible Engine 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior are affected by CVE-2020-1733.
How can I fix CVE-2020-1733?
To fix CVE-2020-1733, update Ansible Engine to versions 2.7.17, 2.8.11, or 2.9.7.
Where can I find more information about CVE-2020-1733?
You can find more information about CVE-2020-1733 on the Red Hat Bugzilla and GitHub pages.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-1733
- agent/software-canonical-lookup
- collector/redhat-cve
- collector/security-tracker-debian
- vendor/redhat
- canonical/redhat ansible
- version/redhat ansible/2.7.16
- version/redhat ansible/2.8.0
- version/redhat ansible/2.9.0
- version/redhat ansible/2.9.5
- canonical/redhat ansible tower
- version/redhat ansible tower/3.3.4
- version/redhat ansible tower/3.3.5
- version/redhat ansible tower/3.4.5
- version/redhat ansible tower/3.5.0
- version/redhat ansible tower/3.5.5
- version/redhat ansible tower/3.6.0
- version/redhat ansible tower/3.6.3
- canonical/redhat cloudforms management engine
- version/redhat cloudforms management engine/5.0
- canonical/redhat openstack
- version/redhat openstack/13
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/10.0
- package-manager/redhat
- package-manager/debian