CVE-2020-1734
arbitrary command execution vulnerability in ansible (PyPI)
What is CVE-2020-1734 About?
This vulnerability in the Ansible pipe lookup plugin allows for arbitrary command execution when `subprocess.Popen()` is used with `shell=True`. An attacker can overwrite Ansible facts and exploit the unescaped variable to run arbitrary commands on the target system. This is a critical remote code execution vulnerability that, once the facts are overwritten, can be relatively easy to exploit, leading to full system compromise.
Affected Software
- ansible
  - <2.7.17
  - <2.8.13
  - >=2.9.0a1, <2.9.11
  - >=2.10.0a1, <2.10.0rc1
Technical Details
The flaw resides within the pipe lookup plugin of Ansible. When this plugin utilizes subprocess.Popen() with the shell=True argument, it opens an avenue for command injection. Specifically, if an attacker can overwrite Ansible facts and a variable used with the pipe lookup plugin is not properly escaped by the quote plugin, the attacker can inject arbitrary commands. These injected commands will then be executed by subprocess.Popen() with shell privileges on the target system, leading to arbitrary code execution. The mechanism involves manipulating the environment variables or facts that feed into the unquoted command string, effectively allowing the attacker to insert their own commands into the execution flow.
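The quoting defect described above, as an added, constructed demonstration (not code from the Ansible project or from this advisory): a small Python model of a playbook that feeds a host fact into the pipe lookup, once as an unescaped variable and once passed through the quote filter. The quote filter is modelled with shlex.quote(); the fact value, the command template and all function names are assumptions made for the example. The tokenizer check shows how an unescaped value turns one command line into several, which is the condition a reviewer should look for when auditing playbooks for this pattern.

```python
"""Constructed model of the quoting defect behind CVE-2020-1734.

Ansible's pipe lookup hands its argument to subprocess.Popen(shell=True).
If a playbook builds that argument from an unescaped variable (for example
a host fact that a managed node can influence), shell metacharacters in the
value become part of the command line. Passing the value through the quote
filter (modelled here with shlex.quote()) keeps it a single shell word.
Every value below is constructed for the demonstration.
"""
import shlex
import subprocess

# Shell operators that start a new command inside one command line.
COMMAND_SEPARATORS = {";", "&&", "||", "|", "&"}


def build_pipe_argument(fact_value: str, quoted: bool) -> str:
    """Model a task such as lookup('pipe', 'echo ' ~ some_fact).

    quoted=False models an unescaped variable (the vulnerable pattern);
    quoted=True models `some_fact | quote`, i.e. shlex.quote().
    """
    value = shlex.quote(fact_value) if quoted else fact_value
    return "echo " + value


def count_commands(command_line: str) -> int:
    """Count how many separate commands a POSIX shell would see.

    shlex in punctuation_chars mode emits operators such as ';' and '|'
    as their own tokens, but not when they sit inside quotes, so the
    command count is one more than the number of operator tokens.
    This is a simple audit heuristic; the quote filter itself neutralises
    every metacharacter, not only the separators listed above.
    """
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    tokens = list(lexer)
    return 1 + sum(1 for tok in tokens if tok in COMMAND_SEPARATORS)


def run_in_shell(command_line: str) -> str:
    """Execute the command line the way the pipe lookup does (shell=True)."""
    result = subprocess.run(
        command_line, shell=True, capture_output=True, text=True, check=False
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed fact value carrying a shell separator; the injected
    # command is a harmless echo so the effect is visible without damage.
    hostile_fact = "x; echo INJECTED"

    for quoted in (False, True):
        command_line = build_pipe_argument(hostile_fact, quoted=quoted)
        label = "quoted  " if quoted else "unquoted"
        print(f"[{label}] command line : {command_line!r}")
        print(f"[{label}] commands seen: {count_commands(command_line)}")
        print(f"[{label}] shell output : {run_in_shell(command_line)!r}")
```

Running the script shows the unquoted variant executing two commands (the second one supplied by the fact value) while the quoted variant echoes the whole value as literal text. In a playbook audit, the check to apply is that any variable interpolated into a pipe lookup argument passes through the quote filter.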
What is the Impact of CVE-2020-1734?
Successful exploitation may allow attackers to execute arbitrary commands on the target system, leading to full system compromise, data manipulation, or denial of service.
What is the Exploitability of CVE-2020-1734?
Exploitation requires the ability to overwrite Ansible facts and an understanding of how the pipe lookup plugin processes unescaped variables. This suggests a moderate to high level of complexity, as it involves internal Ansible mechanics. Authentication as a user with write permissions to Ansible facts or variables would likely be required. Privilege requirements would correspond to the context under which Ansible runs the commands. This can be a remote exploitation scenario if the attacker can remotely manipulate Ansible facts or interact with an Ansible control node in a way that allows fact injection. The special conditions include the use of subprocess.Popen() with shell=True and the lack of proper variable escaping. Risk factors increase when untrusted input can influence Ansible facts or variables, and when Ansible is used in environments that allow arbitrary fact modification.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-1734?
Available Upgrade Options
- ansible
  - <2.7.17 → Upgrade to 2.7.17
  - <2.8.13 → Upgrade to 2.8.13
  - >=2.9.0a1, <2.9.11 → Upgrade to 2.9.11
  - >=2.10.0a1, <2.10.0rc1 → Upgrade to 2.10.0rc1
Additional Resources
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-6.yaml
- https://github.com/advisories/GHSA-h39q-95q5-9jfp
- https://github.com/ansible/ansible/commit/bff0724e9eab2770f874e018298f9ab74cc2a78f
- https://github.com/ansible/ansible/issues/70159
- https://access.redhat.com/security/cve/CVE-2020-1734
- https://osv.dev/vulnerability/GHSA-h39q-95q5-9jfp
- https://access.redhat.com/errata/RHBA-2020:0547
- https://github.com/ansible/ansible/issues/67792
- https://github.com/ansible/ansible/commit/4f978af4ca16ad9828ffe42203b9615425195f8b
What are Similar Vulnerabilities to CVE-2020-1734?
Similar Vulnerabilities: CVE-2023-45648, CVE-2023-42409, CVE-2023-36054, CVE-2022-47522, CVE-2023-27043
