CVE-2020-1753
Security flaw in ansible (PyPI)
What is CVE-2020-1753 About?
This security flaw in Ansible Engine leads to the disclosure of sensitive parameters like passwords and tokens. These secrets, instead of being handled securely, are passed via the command line, making them visible in process lists and log files, essentially nullifying security directives. Exploiting this vulnerability is relatively easy as it stems from a configuration oversight rather than complex attack vectors.
Affected Software
- ansible
  - >=2.8.0a1, <2.8.12
  - <2.7.18
  - >=2.7.0a1, <2.7.18
  - >=2.9.0a1, <2.9.7
Technical Details
The vulnerability arises in Ansible Engine, specifically affecting Ansible 2.7.x prior to 2.7.17, 2.8.x prior to 2.8.11, and 2.9.x prior to 2.9.7, when it interacts with Kubernetes using the k8s module. Instead of using secure methods like environment variables or input configuration files, sensitive parameters such as passwords and tokens are passed directly to kubectl via the command line. This mechanism causes the secrets to be exposed in the system's process list (e.g., via ps auxw) and to appear in standard output and log files. The no_log directive, typically used with the debug module to prevent sensitive data logging, is ineffective in this scenario, leading to a direct bypass of intended security controls.
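The exposure described above can be audited after the fact. The following Python script is an added example, not code from the advisory or from the Ansible project: it scans process-list rows or log lines for kubectl invocations carrying `--token` or `--password` values, redacts them, and records a short SHA-256 prefix so the exposed credential can be identified for rotation. The sample rows, the `[REDACTED]` marker and the function names are constructed for illustration.

```python
import hashlib
import re

# kubectl's global --token and --password flags take a credential as value.
FLAG_RE = re.compile(
    r"""(?<!\S)(--(?:token|password))(=|\s+)("[^"]*"|'[^']*'|\S+)"""
)
# "kubectl" as a command word, bare or at the end of a path.
KUBECTL_RE = re.compile(r"(?:^|[\s/])kubectl(?=\s)")


def scan_line(line):
    """Return (redacted_line, findings) for one process-list or log line."""
    match = KUBECTL_RE.search(line)
    if not match:
        return line, []
    findings = []

    def redact(m):
        secret = m.group(3).strip("\"'")
        # A short digest lets responders match the credential to rotate
        # without writing the secret out a second time.
        digest = hashlib.sha256(secret.encode()).hexdigest()[:12]
        findings.append({"flag": m.group(1), "sha256_prefix": digest})
        return m.group(1) + m.group(2) + "[REDACTED]"

    # Only arguments that follow the kubectl command word are inspected.
    head, tail = line[:match.end()], line[match.end():]
    return head + FLAG_RE.sub(redact, tail), findings


def scan(lines):
    """Scan lines; return (redacted_lines, report) with 1-based line numbers."""
    redacted, report = [], []
    for number, line in enumerate(lines, start=1):
        clean, findings = scan_line(line)
        redacted.append(clean)
        report.extend(dict(f, line=number) for f in findings)
    return redacted, report


# Constructed sample input: two `ps auxw`-style rows and one log line.
SAMPLE = [
    "deploy 4121 0.0 0.1 74512 9012 ? S 10:02 0:00 kubectl --token=EXAMPLE-TOKEN-123 get pods",
    "deploy 4150 0.0 0.1 74512 9012 ? S 10:02 0:00 kubectl --kubeconfig /home/deploy/.kube/config get pods",
    "2020-03-12 10:02:11 run: /usr/bin/kubectl --password 'EXAMPLE PASS' get pods",
]

if __name__ == "__main__":
    redacted_rows, findings_report = scan(SAMPLE)
    print("\n".join(redacted_rows))
    print(findings_report)
```

Any credential reported by such a scan should be treated as disclosed and rotated, since redacting a log does not undo earlier reads of it.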
What is the Impact of CVE-2020-1753?
Successful exploitation may allow attackers to gain unauthorized access to credentials, sensitive data, and potentially escalate privileges within the affected Kubernetes environment due to the exposure of passwords and tokens.
What is the Exploitability of CVE-2020-1753?
Exploitation of this vulnerability is straightforward, requiring no complex techniques. The attacker needs access to the system where Ansible is being executed or its logs. No authentication is strictly required for the initial discovery if logs are publicly accessible or if the attacker has local user access to the system to view process lists. The access is effectively local to the Ansible execution environment, though the impact stretches to the managed Kubernetes cluster. The primary risk factor is the standard logging and process listing functionality of operating systems, which inadvertently expose the sensitive data. No special conditions are needed beyond the vulnerable Ansible configuration.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-1753?
Available Upgrade Options
- ansible
  - >=2.7.0a1, <2.7.18 → Upgrade to 2.7.18
- ansible
  - >=2.8.0a1, <2.8.12 → Upgrade to 2.8.12
- ansible
  - >=2.9.0a1, <2.9.7 → Upgrade to 2.9.7
Additional Resources
- https://github.com/advisories/GHSA-86hp-cj9j-33vv
- https://github.com/ansible/ansible/pull/68195
- https://github.com/ansible-collections/kubernetes/pull/51
- https://security.gentoo.org/glsa/202006-11
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
- https://www.debian.org/security/2021/dsa-4950
- https://github.com/ansible-collections/kubernetes
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
What are Similar Vulnerabilities to CVE-2020-1753?
Similar Vulnerabilities: CVE-2021-3620, CVE-2019-14846, CVE-2020-14330, CVE-2020-1733
