#2014-004 Ansible input sanitization errors

Description:

The Ansible project is an open source configuration management platform.

The Ansible platform suffers from input sanitization errors that allow arbitrary code execution as well as information leak, in case an attacker is able to control certain playbook variables.

The first vulnerability involves the escalation of a local permission access level into arbitrary code execution. The code execution can be triggered by interpolation of file names maliciously crafted as lookup plugin commands, in combination with its pipe feature.

The second vulnerability concerns the unsafe parsing of action arguments in the face of an attacker controlling variable data (whether fact data, with_fileglob data, or other sources), allowing an attacker to supply their own options to an action. The impact of this is dependent on the action module the attacker targets. For example, an attacker controlling variables passed to the copy or template actions would be able to trigger arbitrary code execution (in addition to simple information leakage) via the validate option's acceptance of arbitrary shell code.

Affected version:

Ansible <= 1.6.6

Fixed version:

Ansible >= 1.6.7

Credit: vulnerability report received from Brian Harring.

CVE: CVE-2014-4966 (lookup function), CVE-2014-4967 (action arguments)

Timeline:

2014-07-01: vulnerability report received
2014-07-02: contacted Ansible maintainers
2014-07-02: disclosure coordinated on 2014-07-17
2014-07-15: assigned CVEs
2014-07-06: maintainer provides patch for review
2014-07-17: maintainer provides updated patch based on reporter's feedback
2014-07-17: embargo date lifted due to ongoing evaluations of patch effectiveness and additional reporter feedback
2014-07-17: maintainer provides updated patch which provides solutions for additional findings
2014-07-18: disclosure date updated to 2014-07-21
2014-07-18: maintainer provides updated patch for review
2014-07-20: maintainer provides updated patch indicating all reported issues as closed
2014-07-21: advisory release

References:

http://www.ansible.com

Permalink:

http://www.ocert.org/advisories/ocert-2014-004.html

-- 
Andrea Barisani | Founder & Project Coordinator
oCERT | OSS Computer Security Incident Response Team
http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
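The action-argument issue described above (CVE-2014-4967) belongs to a general class: variable data expanded into a key=value option string before that string is parsed. The following is an added example, not Ansible's code and not the maintainers' patch; it is a simplified model in which every function name, the `{{name}}` substitution and the sample values are assumptions constructed for illustration. It contrasts the unsafe ordering with a parse-first ordering and includes a check that reports options the playbook author never wrote.

```python
import re
import shlex

# Constructed task arguments in key=value style; {{fname}} is variable data
# (for example a file name obtained from a glob over an untrusted directory).
TASK_ARGS = "src={{fname}} dest=/etc/app.conf"
BENIGN = {"fname": "motd.txt"}
HOSTILE = {"fname": "motd.txt validate=INJECTED"}  # constructed, inert value


def substitute(text, variables):
    """Minimal stand-in for templating: replace {{name}} with its value."""
    return re.sub(r"\{\{(\w+)\}\}", lambda m: str(variables[m.group(1)]), text)


def parse_kv(text):
    """Split 'k=v k2=v2' into a dict using shell-like tokenization."""
    return dict(tok.split("=", 1) for tok in shlex.split(text) if "=" in tok)


def args_template_then_parse(raw, variables):
    """Unsafe order: values are expanded before parsing, so whitespace and
    '=' inside a variable are read as additional options."""
    return parse_kv(substitute(raw, variables))


def args_parse_then_template(raw, variables):
    """Safer order: parse the author's option string first, then expand each
    value. A variable can only change the value of an option already there."""
    return {k: substitute(v, variables) for k, v in parse_kv(raw).items()}


def injected_options(raw, variables):
    """Detection check: option names that exist only after expansion."""
    expanded = set(args_template_then_parse(raw, variables))
    return sorted(expanded - set(parse_kv(raw)))


if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, "unsafe:", args_template_then_parse(TASK_ARGS, data))
        print(label, "safer: ", args_parse_then_template(TASK_ARGS, data))
        print(label, "injected options:", injected_options(TASK_ARGS, data))
```

In the hostile case the unsafe ordering yields a `validate` option that the task never declared, while the parse-first ordering keeps the whole string as the value of `src`.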