CVE-2020-10729
insufficiently random values vulnerability in ansible (PyPI)
What is CVE-2020-10729 About?
A flaw in Ansible's use of insufficiently random values causes two password lookups of the same length to generate identical values due to template caching. This vulnerability can lead to the exposure of all passwords for a given file. Exploitation depends on the use of specific password lookup mechanisms and template caching behavior.
Affected Software
Technical Details
The vulnerability stems from how Ansible's templating engine caches results when generating random passwords. When the random_password lookup plugin is used multiple times within the same template for passwords of the same length, template caching causes the generation process to reuse a previously generated 'random' value rather than producing a new, distinct random string. Every instance with the same length within the cached template context therefore receives the same password, so passwords that were intended to be unique are identical, and all of them are compromised if one is known.
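An added example, not part of the original advisory or Ansible's own code: a small audit that flags files in which two or more password lookups use the same length, the condition described above. It assumes the inline `lookup('password', '<path> length=N')` form and a default length of 20 when `length=` is omitted; the function names and the sample playbook are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches lookup('password', '<terms>'); 'random_password' is the name the advisory text uses.
LOOKUP_RE = re.compile(
    r"""lookup\(\s*['"](?:ansible\.builtin\.)?(?:random_)?password['"]\s*,\s*['"]([^'"]*)['"]"""
)
LENGTH_RE = re.compile(r"\blength=(\d+)")
DEFAULT_LENGTH = 20  # assumption: length used by the password lookup when length= is omitted


def find_password_lookups(text):
    """Return (line_number, length, terms) for each password lookup in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in LOOKUP_RE.finditer(line):
            terms = m.group(1)
            lm = LENGTH_RE.search(terms)
            hits.append((lineno, int(lm.group(1)) if lm else DEFAULT_LENGTH, terms))
    return hits


def shared_length_groups(text):
    """Map length -> line numbers where 2+ lookups in this file use that length."""
    by_length = defaultdict(list)
    for lineno, length, _ in find_password_lookups(text):
        by_length[length].append(lineno)
    return {n: lines for n, lines in by_length.items() if len(lines) > 1}


# Constructed sample playbook fragment (not from the advisory).
SAMPLE = """\
- hosts: db
  vars:
    db_root_pw: "{{ lookup('password', '/dev/null length=16') }}"
    db_app_pw: "{{ lookup('password', '/dev/null length=16') }}"
    api_token: "{{ lookup('password', '/dev/null length=32') }}"
    backup_pw: "{{ lookup('password', '/dev/null') }}"
"""

if __name__ == "__main__":
    for length, lines in sorted(shared_length_groups(SAMPLE).items()):
        print(f"length={length}: lookups on lines {lines} may share one value")
```

Passwords produced by a flagged group on a version below 2.9.6 should be treated as potentially identical and regenerated after upgrading.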
What is the Impact of CVE-2020-10729?
Successful exploitation may allow attackers to discover multiple intended unique passwords, leading to widespread credential compromise and unauthorized access to various systems or services.
What is the Exploitability of CVE-2020-10729?
Exploitation of this vulnerability has moderate complexity. It requires an attacker to be aware of the specific use of the random_password lookup with identical length parameters within Ansible templates that are subject to caching. The attacker would also need to gain access to one of the generated passwords to deduce all others from the same file. Authentication to the Ansible system or access to its output/logs would be necessary to identify the generated passwords. This is primarily a local vulnerability if the attacker has access to Ansible's execution environment or logs, potentially becoming remote if output is exposed. The key constraint is the specific combination of Ansible features and template caching behavior that leads to the insufficient randomness.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-10729?
Available Upgrade Options
- ansible
- <2.9.6 → Upgrade to 2.9.6
Additional Resources
- https://github.com/ansible/ansible/issues/34144
- https://github.com/ansible/ansible/blob/v2.9.6/changelogs/CHANGELOG-v2.9.rst
- https://www.debian.org/security/2021/dsa-4950
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2021-105.yaml
- https://bugzilla.redhat.com/show_bug.cgi?id=1831089
- https://github.com/ansible/ansible/pull/67429
- https://github.com/ansible/ansible
- https://osv.dev/vulnerability/GHSA-r6h7-5pq2-j77h
What are Similar Vulnerabilities to CVE-2020-10729?
Similar Vulnerabilities: CVE-2023-48766, CVE-2023-48765, CVE-2023-48764, CVE-2023-48763, CVE-2023-48762
