First published: Sun Aug 18 2013
By default, Ansible tries to create a ControlMaster file in a predictable location in /tmp. This is vulnerable to a ssh socket injection attack like this:

```
~ $ sudo ln -s /tmp/ansible-ssh-elspeth.example.org-22-misc /tmp/ansible-ssh-sisay.example.org-22-misc
~ $ ansible -i 'elspeth.example.org,sisay.example.org' all -m shell -u misc -a hostname
elspeth.example.org | success | rc=0 >>
elspeth.example.org

sisay.example.org | success | rc=0 >>
elspeth.example.org
```

I also did a test without using root; that's the same.

Based on this attack, someone could divert the ssh connection to another server, make it connect to a server under the control of the attacker, and steal configuration files (with passwords), or steal passwords with a fake sudo (since Ansible can also use sudo).

Please note that you need to:

- disable selinux: `# setenforce 0`
- disable the latest protection from the kernel: `# sysctl -w fs.protected_symlinks=0` and `# sysctl -w fs.protected_hardlinks=0`

to make sure this works.

I didn't find how/where ssh checks the socket file for suitability; maybe it should. I am not sure what could be a good fix. I do have a patch that puts the socket in $XDG_RUNTIME_DIR, but it is a very weak mitigation technique that does not work on older platforms such as RHEL 6. Another solution would be to make sure the socket is created in a specific temporary directory, but this could make the software much slower. And checking if the socket exists first is prone to race conditions.

Upstream has not been contacted yet, and plans to release 1.3 in around 2 weeks. The issue is not public (but quite easy to spot).
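The suitability check the reporter could not find in ssh, written out as an added example (this is not code from the bug report, from Ansible or from OpenSSH): a Python audit of a candidate ControlPath that rejects a shared, world-writable directory such as /tmp and a planted symlink or hard link at the socket path, using `lstat` so the check itself never follows a redirect. The directories, socket names and hosts in `demo()` are constructed for the scenario.

```python
import os
import socket
import stat
import tempfile

def check_control_path(path):
    """Audit a candidate SSH ControlPath; return a list of findings (empty = looks safe).
    The parent must be a directory we own with no group/other bits (a shared 1777 /tmp
    fails); an existing socket must be a real socket we own, never a symlink or hard link."""
    findings, uid = [], os.getuid()
    try:
        dst = os.lstat(os.path.dirname(path) or ".")
    except FileNotFoundError:
        return ["parent directory does not exist"]
    if stat.S_ISLNK(dst.st_mode) or not stat.S_ISDIR(dst.st_mode):
        findings.append("parent is a symlink or not a directory")
    if dst.st_uid != uid:
        findings.append("parent directory not owned by current user")
    if dst.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("parent directory is group/world accessible")
    try:
        sst = os.lstat(path)  # lstat: never follow a planted symlink
    except FileNotFoundError:
        return findings  # nothing there yet; the directory checks decide
    if stat.S_ISLNK(sst.st_mode):
        findings.append("socket path is a symlink (possible injection)")
    elif not stat.S_ISSOCK(sst.st_mode):
        findings.append("socket path exists but is not a socket")
    if sst.st_uid != uid:
        findings.append("socket not owned by current user")
    if sst.st_nlink > 1:
        findings.append("socket has extra hard links")
    return findings

def demo():
    """Constructed scenario: a private 0700 dir holding a real socket we own, versus a
    shared 1777 dir where the expected socket name is a symlink to another host's socket."""
    base = tempfile.mkdtemp()
    private, shared = os.path.join(base, "cp"), os.path.join(base, "tmp")
    for d, mode in ((private, 0o700), (shared, 0o1777)):
        os.mkdir(d)
        os.chmod(d, mode)  # chmod, since mkdir's mode argument is masked by umask
    good, bad = os.path.join(private, "cm-host-a"), os.path.join(shared, "cm-host-b")
    srv = socket.socket(socket.AF_UNIX)
    srv.bind(good)  # a genuine control socket owned by us
    os.symlink(good, bad)  # the planted redirect from the report's scenario
    result = {"good": check_control_path(good), "bad": check_control_path(bad)}
    srv.close()
    return result
```

Run `check_control_path` on the expanded ControlPath before each connection (or once on the directory it will live in); an empty list means the location is private and unredirected.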
Affected Software | Affected Version | How to fix
---|---|---
Ansible | |
REDHAT-BUG-998223 describes a vulnerability in Ansible where it creates a ControlMaster file in a predictable location, allowing for potential SSH socket injection attacks.
The vulnerability could allow an attacker to manipulate SSH connections, leading to unauthorized access or command execution on the affected systems.
To mitigate REDHAT-BUG-998223, it is recommended to restrict access to the /tmp directory and avoid using predictable filenames for ControlMaster files.
While the specific versions of Ansible affected by REDHAT-BUG-998223 are not specified, the vulnerability applies to installations that use the default settings of ControlMaster file creation.
Currently, there are no specific patches mentioned for REDHAT-BUG-998223, but it is advisable to monitor Ansible's official channels for updates and fixes.