CVE-2020-1740
Information Disclosure vulnerability in ansible (PyPI)
What is CVE-2020-1740 About?
This vulnerability affects Ansible Engine when Ansible Vault is used to edit encrypted files, allowing other local users to read both old and new secrets. The flaw occurs because the file descriptor returned by `mkstemp` is closed and the edited secrets are then written to a temporary file that is recreated insecurely. Exploitation is straightforward for a local authenticated attacker.
Affected Software
- ansible
  - >=2.8.0a1, <2.8.11
  - >=2.9.0a1, <2.9.7
  - <2.7.17
Technical Details
When a user executes `ansible-vault edit`, Ansible Vault creates a temporary file using `mkstemp` to facilitate the editing process. Crucially, the file descriptor returned by `mkstemp` is closed before `write_data` is called. The `write_data` method then deletes the file and recreates it with insecure permissions, making the contents readable by other local users on the same computer. During this window the vault data, which has been decrypted for editing, is exposed, allowing an attacker to read both the original and modified secrets before re-encryption.
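The sequence described above can be reproduced with a short, simplified model. This is an added example, not Ansible's own code or the upstream patch: the function names, the sample secret, and the `umask` of `0o022` are assumptions chosen to show how the recreated file ends up world-readable and one way to recreate it with owner-only permissions.

```python
import os
import stat
import tempfile

# Hypothetical helper names; a simplified model of the flow in the advisory.

def write_recreated_insecure(path, data):
    """Pattern from the advisory: delete the temp file, recreate it with open()."""
    if os.path.exists(path):
        os.remove(path)
    # open() creates the file with mode 0666 & ~umask, typically 0644.
    with open(path, "wb") as fh:
        fh.write(data)

def write_recreated_secure(path, data):
    """Hardened form: recreate with owner-only permissions set at creation."""
    if os.path.exists(path):
        os.remove(path)
    # O_EXCL refuses a pre-existing file or symlink; 0o600 applies atomically.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def mode_after(writer, umask=0o022):
    """Run mkstemp -> close -> writer and return the resulting permission bits."""
    old = os.umask(umask)
    try:
        fd, path = tempfile.mkstemp()  # mkstemp itself creates the file 0600
        os.close(fd)                   # descriptor closed before the write
        try:
            writer(path, b"constructed-secret: example\n")  # constructed data
            return stat.S_IMODE(os.stat(path).st_mode)
        finally:
            os.remove(path)
    finally:
        os.umask(old)

if __name__ == "__main__":
    print("insecure:", oct(mode_after(write_recreated_insecure)))
    print("secure:  ", oct(mode_after(write_recreated_secure)))
```

The same permission check (`mode & 0o077 == 0`) can be used in a regression test for any code path that writes decrypted material to a temporary file.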
What is the Impact of CVE-2020-1740?
Successful exploitation may allow attackers to gain unauthorized access to sensitive information, including encrypted secrets and credentials, potentially leading to privilege escalation or further system compromise.
What is the Exploitability of CVE-2020-1740?
Exploitation is of low complexity and requires local access to the same machine where ansible-vault edit is being executed. Authentication to the system is required. No special privileges are needed beyond those of a standard user capable of reading files within temporary directories, which is often default behavior. This is a local vulnerability. The primary risk factor is the use of ansible-vault edit in a multi-user environment where other users have local access.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-1740?
Available Upgrade Options
- ansible
  - <2.7.17 → Upgrade to 2.7.17
- ansible
  - >=2.8.0a1, <2.8.11 → Upgrade to 2.8.11
- ansible
  - >=2.9.0a1, <2.9.7 → Upgrade to 2.9.7
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2020-1740
- https://github.com/ansible/ansible
- https://security.gentoo.org/glsa/202006-11
- https://github.com/ansible/ansible/commit/2a563514f070a0a8ba64aebf6bce21194be96c73
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
- https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
- https://github.com/ansible/ansible/issues/67798
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
What are Similar Vulnerabilities to CVE-2020-1740?
Similar Vulnerabilities: CVE-2019-12450, CVE-2016-7075, CVE-2016-10706, CVE-2019-1387, CVE-2019-12449
