
CVE-2016-9587: an unpleasant Ansible vulnerability

The Ansible project is currently posting release candidates for the 2.1.4 and 2.2.1 releases. They fix an important security bug: "CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command)." Until this release is made, it would make sense to be especially careful about running Ansible against systems that might have been compromised.

Update: see this advisory for much more detailed information.


From:  James Cammarata <jcammarata-JjBQs2a79e9BDgjK7y7TUQ-AT-public.gmane.org>
To:  "ansible-project-/JYPxA39Uh5TLH3MbocFFw-AT-public.gmane.org" <ansible-project-/JYPxA39Uh5TLH3MbocFFw-AT-public.gmane.org>, "ansible-devel-/JYPxA39Uh5TLH3MbocFFw-AT-public.gmane.org" <ansible-devel-/JYPxA39Uh5TLH3MbocFFw-AT-public.gmane.org>
Subject:  IMPORTANT - New RCs for Security Bug CVE-2016-9587
Date:  Mon, 9 Jan 2017 10:57:06 -0600
Message-ID:  <CAMFyvFgYBK-Ze4YE5ocxfRVobRCV_WDRmbf8Cj3_dxMMMGJNpA@mail.gmail.com>

Hi all,

Today we are releasing two new release candidates to address CVE-2016-9587,
which we are removing from embargo today:

2.1.4 RC1
2.2.1 RC3

CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command).

If you have the ability, please test the above release candidates so that we can get the final releases out as quickly as possible.

Finally, thanks to the security team at Computest, who did an amazing job of finding the flaws and creating an excellent set of tests to reproduce them for us.

Thanks, and let us know if you run into any problems with the above release candidates!

James Cammarata

Ansible Lead/Sr. Principal Software Engineer
Ansible by Red Hat
twitter: @thejimic, github: jimi-c




CVE-2016-9587: an unpleasant Ansible vulnerability

Posted Jan 12, 2017 0:23 UTC (Thu) by prometheanfire (subscriber, #65683) [Link] (1 responses)

We've determined that ansible 1.9.* isn't vulnerable, though take it with a grain of salt.

https://bugs.gentoo.org/show_bug.cgi?id=605342#c3

CVE-2016-9587: an unpleasant Ansible vulnerability

Posted Jan 12, 2017 18:59 UTC (Thu) by prometheanfire (subscriber, #65683) [Link]

And it seems I was wrong, wonderful (upstream hasn't patched 1.9.x as far as I can tell).

https://bugs.gentoo.org/show_bug.cgi?id=605342#c4

CVE-2016-9587: an unpleasant Ansible vulnerability

Posted Jan 12, 2017 9:50 UTC (Thu) by misc (subscriber, #73730) [Link] (1 responses)

I am a bit annoyed that people freak out about this one, as no one reacted to CVE-2016-8628, which was the same exact issue (https://bugzilla.redhat.com/show_bug.cgi?id=1388113 / https://github.com/ansible/ansible/pull/15925). The only difference being that CVE-2016-8628 got rated as Medium, and this one as High, while that's the same, since the advisory of Computest speaks of the filtering that was created as part of CVE-2016-8628 without mentioning it (cf. https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt).

CVE-2016-9587: an unpleasant Ansible vulnerability

Posted Jan 12, 2017 17:45 UTC (Thu) by raven667 (subscriber, #5198) [Link]

I think they got the relative severity right. IIUC, the place you are running Ansible from must have privileged access to target clients for Ansible to function, so if you compromise the Ansible source, it's kind of irrelevant which mechanism you use to modify target devices: whether you modify the Ansible config, use the Ansible credentials, or muck with fact generation, you implicitly have access to do that once you own the Ansible source. You are modifying things laterally within the same security domain to affect a lower security domain. The reverse is not true, and that is why it is a higher priority issue, even though the mechanism may be the same; in addition, target machines are more exposed to risk generally than the config management source.

CVE-2016-9587: an unpleasant Ansible vulnerability

Posted Jan 13, 2017 13:07 UTC (Fri) by zoobab (guest, #9945) [Link] (1 responses)

Which ansible version is fixed?

CVE-2016-9587: an unpleasant Ansible vulnerability

Posted Feb 21, 2017 3:00 UTC (Tue) by bcoca69 (guest, #114253) [Link]

Fixed versions are 2.1.4 and 2.2.1; previous versions (2.0.x and 1.9.x) are also affected, but they are not getting patched as they are unsupported and too many changes are required to backport the fix.
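A controller-side check that turns the version facts above into an answer (is this install fixed, affected, or on an unpatched branch?). This is an added example, not code from the page or from the Ansible project; it assumes the first line of `ansible --version` reads like `ansible 2.2.1.0`, and it treats branches newer than 2.2 as carrying the fix, which the page implies but does not state.

```python
import re

# Fixed releases named on the page: 2.1.4 (2.1 branch) and 2.2.1 (2.2 branch).
FIXED_BY_BRANCH = {(2, 1): (2, 1, 4), (2, 2): (2, 2, 1)}
# Branches the page says are affected but will not be patched.
UNPATCHED_BRANCHES = {(1, 9), (2, 0)}

# Constructed sample of `ansible --version` output (format is an assumption).
SAMPLE_OUTPUT = """ansible 2.2.0.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
"""


def parse_version(output):
    """Return the numeric version tuple from `ansible --version` output."""
    first = output.strip().splitlines()[0]
    m = re.match(r"ansible\s+(\d+(?:\.\d+)*)", first)
    if not m:
        raise ValueError("unrecognised version line: %r" % first)
    return tuple(int(p) for p in m.group(1).split("."))


def classify(version):
    """Map a version tuple to 'fixed', 'affected', 'affected-unpatched' or 'unknown'."""
    branch = version[:2]
    if branch in UNPATCHED_BRANCHES:
        return "affected-unpatched"          # 1.9.x / 2.0.x: upgrade, no backport coming
    if branch in FIXED_BY_BRANCH:
        # Compare only the first three components (2.1.4.0 >= 2.1.4 is fixed).
        return "fixed" if version[:3] >= FIXED_BY_BRANCH[branch] else "affected"
    if branch > (2, 2):
        return "fixed"                       # assumption: later branches include the fix
    return "unknown"                         # older than 1.9: not covered by the page


def check(output):
    """Convenience wrapper: classify the controller from raw --version output."""
    return classify(parse_version(output))


if __name__ == "__main__":
    print(parse_version(SAMPLE_OUTPUT), check(SAMPLE_OUTPUT))
```

Run it against the real output of `ansible --version` on the controller; anything other than "fixed" means the controller should not be pointed at hosts that might be compromised.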


Copyright © 2017, Eklektix, Inc.