oCERT-2014-004 Ansible input sanitization errors

Description:

The Ansible project is an open source configuration management platform.

The Ansible platform suffers from input sanitization errors that allow arbitrary code execution as well as information leak, in case an attacker is able to control certain playbook variables.

The first vulnerability involves the escalation of a local permission access level into arbitrary code execution. The code execution can be triggered by interpolation of file names maliciously crafted as lookup plugin commands, in combination with its pipe feature.

The second vulnerability concerns the unsafe parsing of action arguments in the face of an attacker controlling variable data (whether fact data, with_fileglob data, or other sources), allowing an attacker to supply their own options to an action. The impact of this is dependent on the action module the attacker targets. For example, an attacker controlling variables passed to the copy or template actions would be able to trigger arbitrary code execution (in addition to simple information leakage) via the validate option's acceptance of arbitrary shell code.

Affected version:

Ansible <= 1.6.6

Fixed version:

Ansible >= 1.6.7

Credit: vulnerability report received from Brian Harring <ferringb AT gmail.com>.

CVE: CVE-2014-4966 (lookup function), CVE-2014-4967 (action arguments)

Timeline:

2014-07-01: vulnerability report received
2014-07-02: contacted Ansible maintainers
2014-07-02: disclosure coordinated on 2014-07-17
2014-07-15: assigned CVEs
2014-07-06: maintainer provides patch for review
2014-07-17: maintainer provides updated patch based on reporter's feedback
2014-07-17: embargo date lifted due to ongoing evaluations of patch effectiveness and additional reporter feedback
2014-07-17: maintainer provides updated patch which provides solutions for additional findings
2014-07-18: disclosure date updated to 2014-07-21
2014-07-18: maintainer provides updated patch for review
2014-07-20: maintainer provides updated patch indicating all reported issues as closed
2014-07-20: contacted affected vendors
2014-07-21: advisory release

References:
http://www.ansible.com