CVE-2020-1733
Race condition vulnerability in ansible (PyPI)

Race condition. No known exploit.

What is CVE-2020-1733 About?

This race condition flaw in Ansible Engine can let a local attacker on a managed host gain control of an unprivileged 'become' user. The temporary directory Ansible uses for module execution is created with a command that succeeds even when the directory already exists, so an attacker who can predict the path can pre-create it and have Ansible run its module from attacker-controlled space. Exploitation is of moderate complexity: the attacker must learn the directory name (it is visible in /proc/<pid>/cmdline) and win a narrow timing window.

Affected Software

  • ansible
    • >=2.8.0a1, <2.8.11
    • >=2.9.0a1, <2.9.7
    • <2.7.17

Technical Details

The advisory describes the flaw as affecting Ansible Engine 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior; the version ranges above and the upgrade table below treat 2.7.17, 2.8.11 and 2.9.7 as the first fixed releases. The vulnerability manifests when a playbook runs a module as an unprivileged 'become' user. In that case Ansible creates the temporary directory for the module under /var/tmp on the managed host, using the command umask 77 && mkdir -p <dir>. The umask only governs directories that mkdir actually creates, and -p makes mkdir exit successfully when the path already exists, even if it is owned by another user. A local attacker can therefore pre-create the directory (or place a symlink at that path) and have Ansible copy and execute its module inside attacker-controlled space. The directory name is not secret: it appears in the command line of the running process, so the attacker can iterate /proc/<pid>/cmdline to learn the exact path Ansible is about to use. Combining the two, an attacker who wins the race controls the module files executed as the 'become' user and can run arbitrary code with that user's privileges.
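The following is an added example, not Ansible's own code, that contrasts the creation step described above (umask 77 && mkdir -p <dir>) with a variant that fails closed when the path already exists and verifies what it created. The work directory under ${TMPDIR:-/tmp} and the Ansible-style directory name are assumptions for the demo.

```sh
#!/bin/sh
# Added example (not Ansible code). Shows why "umask 77 && mkdir -p <dir>"
# cannot protect a predictable path, and a creation step that fails closed.
# Work directory under ${TMPDIR:-/tmp} and the ansible-tmp-* name are
# assumptions for this demo.

# Vulnerable pattern: -p makes mkdir succeed on an existing directory, so a
# path an attacker pre-created (learned, e.g., from /proc/<pid>/cmdline) is
# silently reused. umask only affects directories mkdir actually creates.
weak_mkdir() {
    ( umask 77 && mkdir -p "$1" ) 2>/dev/null
}

# Hardened pattern: no -p, so an existing path is an error (EEXIST). Then
# confirm the result is a real directory (not a symlink), mode 0700, and
# owned by the calling user, before anything is written into it.
safe_mkdir() {
    dir="$1"
    ( umask 77 && mkdir "$dir" ) 2>/dev/null || return 1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    set -- $(ls -ld "$dir")          # e.g. "drwx------ 2 alice alice 4096 ..."
    case "$1" in
        drwx------*) ;;              # trailing "." or "+" (ACL/SELinux) is fine
        *) return 1 ;;
    esac
    [ "$3" = "$(id -un)" ] || return 1
    return 0
}

# Walk-through: the "attacker" pre-creates the predictable directory name,
# then each creation strategy is tried against it and against a fresh name.
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/cve-2020-1733-demo.XXXXXX") || return 1
    victim="$work/ansible-tmp-1585000000-12345"   # predictable, like Ansible's
    mkdir -m 777 "$victim"                         # attacker's pre-created dir

    if weak_mkdir "$victim"; then
        echo "mkdir -p: accepted pre-existing $victim (vulnerable)"
    fi
    if safe_mkdir "$victim"; then
        echo "hardened: accepted pre-existing directory (unexpected)"
    else
        echo "hardened: refused pre-existing $victim"
    fi
    if safe_mkdir "$work/fresh"; then
        echo "hardened: created fresh directory with mode 0700"
    fi
    rm -rf "$work"
}

demo
```

The ownership and mode checks matter as much as dropping -p: a directory that already exists with the right mode but the wrong owner, or a symlink pointing at a directory the caller owns, would otherwise still be accepted. A predictable name under a world-writable location such as /var/tmp remains a weak design even with these checks, since the attacker can keep re-creating the path; an unpredictable name (mktemp -d style) under a directory only the intended user can write to removes the race rather than merely detecting it.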

What is the Impact of CVE-2020-1733?

Successful exploitation allows a local attacker on the managed host to run arbitrary code as the 'become' user. Where that account has more privileges or more access than the attacker's own, this is a local privilege escalation and grants unauthorized access to whatever resources the 'become' user can reach.

What is the Exploitability of CVE-2020-1733?

Exploitation of this race condition is of moderate complexity, requiring precise timing and manipulation of the filesystem. The attacker needs an unprivileged local account on the managed host where the module runs (the temporary directory is created on that host, not on the controller); no access to the Ansible controller or its credentials is needed. From that account the attacker watches process command lines under /proc/<pid>/cmdline to learn the temporary directory path Ansible is about to use, and must create the directory before Ansible does. This is a local privilege escalation scenario. Exploitability is higher in environments where playbooks with unprivileged 'become' users run frequently and predictably (for example on a schedule), giving the attacker repeated opportunities to win the race with a simple polling script.

What are the Known Public Exploits?

No public proof-of-concept exploits are listed for this CVE.

What are the Available Fixes for CVE-2020-1733?

Available Upgrade Options

  • ansible
    • <2.7.17 → Upgrade to 2.7.17
  • ansible
    • >=2.8.0a1, <2.8.11 → Upgrade to 2.8.11
  • ansible
    • >=2.9.0a1, <2.9.7 → Upgrade to 2.9.7


Additional Resources

What are Similar Vulnerabilities to CVE-2020-1733?

Similar Vulnerabilities: CVE-2019-14283, CVE-2019-5021, CVE-2021-3156, CVE-2023-38408, CVE-2023-2640