CVE-2018-16859
Information Disclosure vulnerability in ansible (PyPI)


What is CVE-2018-16859 About?

Ansible playbooks on Windows platforms can expose 'become' passwords in plaintext within EventLogs when PowerShell ScriptBlock and Module logging are enabled. This information disclosure allows a local administrator to discover these sensitive passwords. Exploiting this requires local administrative access.

Affected Software

  • ansible
    • >=2.7.0, <2.7.4
    • >=2.6.0a1, <2.6.9
    • >=2.7.0a1, <2.7.3
    • <2.5.12

Technical Details

When Ansible playbooks are executed on Windows machines, and specific PowerShell logging features such as ScriptBlock logging and Module logging are active, the 'become' passwords used within Ansible tasks are inadvertently captured and written to the Windows Event Logs. This occurs because the PowerShell environment, under these logging settings, records command details, including sensitive parameters like passwords, in cleartext. A local user with administrative privileges on the Windows machine can then access these Event Logs and retrieve the plaintext 'become' passwords, leading to unauthorized credential disclosure.

What is the Impact of CVE-2018-16859?

Successful exploitation may allow attackers to gain unauthorized access to sensitive credentials, potentially leading to privilege escalation or lateral movement within the network.

What is the Exploitability of CVE-2018-16859?

Exploitation of this vulnerability is of low complexity. It requires local access to the Windows machine where Ansible playbooks are executed and administrative privileges on that system to view the Event Logs. No remote access or specific authentication to Ansible itself is necessary for the final password discovery, as the credentials are exposed in local logs. The primary prerequisite is the configuration of PowerShell ScriptBlock logging and Module logging, which often happens in security-conscious environments. The risk factor for this vulnerability increases in environments where local administrators are not fully trusted or shared administrative credentials are used across multiple systems.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2018-16859?

Available Upgrade Options

  • ansible
    • <2.5.12 → Upgrade to 2.5.12
  • ansible
    • >=2.6.0a1, <2.6.9 → Upgrade to 2.6.9
  • ansible
    • >=2.7.0a1, <2.7.3 → Upgrade to 2.7.3
  • ansible
    • >=2.7.0, <2.7.4 → Upgrade to 2.7.4
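
To check an installed Ansible version against the ranges listed above, the following is an added example (not code from this advisory or from the Ansible project). The function names are hypothetical, and the parser assumes version strings of the form dotted release plus optional aN/bN/rcN, rejecting anything else.

```python
import re
import sys

# Affected ranges as listed on this page: (inclusive lower bound or None,
# exclusive upper bound, release the page says to upgrade to).
AFFECTED = [
    (None, "2.5.12", "2.5.12"),
    ("2.6.0a1", "2.6.9", "2.6.9"),
    ("2.7.0a1", "2.7.3", "2.7.3"),
    ("2.7.0", "2.7.4", "2.7.4"),
]
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL = 3  # a final release sorts after its own a/b/rc pre-releases
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")

def parse(version):
    """Sort key for a PEP 440 subset: dotted release plus optional aN/bN/rcN."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:  # treat 2.7 and 2.7.0 as equal
        release.pop()
    if m.group(2):
        return (tuple(release), _PRE_RANK[m.group(2)], int(m.group(3)))
    return (tuple(release), _FINAL, 0)

def matching_fixes(version):
    """Upgrade targets of every listed range that contains `version`."""
    key = parse(version)
    return [fix for low, high, fix in AFFECTED
            if (low is None or parse(low) <= key) and key < parse(high)]

def upgrade_target(version):
    """Return None if unaffected, else a release that no listed range covers."""
    # The listed ranges overlap: 2.7.3 is the fix for one range but sits inside
    # >=2.7.0, <2.7.4, so follow the chain until nothing matches.
    target = None
    hits = matching_fixes(version)
    while hits:
        target = max(hits, key=parse)
        hits = matching_fixes(target)
    return target

if __name__ == "__main__":
    for v in sys.argv[1:] or ["2.5.11", "2.6.0a1", "2.7.3", "2.7.4"]:
        print(v, "->", upgrade_target(v) or "not in an affected range")
```

Passing version strings as command-line arguments checks those instead of the built-in samples.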


Additional Resources

What are Similar Vulnerabilities to CVE-2018-16859?

Similar Vulnerabilities: CVE-2023-38545, CVE-2023-38035, CVE-2023-37905, CVE-2023-37609, CVE-2023-37608