SB2020022024 - Multiple vulnerabilities in Ansible

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2014-4658)

The vulnerability allows a local authenticated user to gain access to sensitive information.

The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.

2) Insufficiently protected credentials (CVE-ID: CVE-2014-4659)

The vulnerability allows a local authenticated user to gain access to sensitive information.

Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.

3) Insufficiently protected credentials (CVE-ID: CVE-2014-4660)

The vulnerability allows a local authenticated user to gain access to sensitive information.

Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.

Remediation

Install update from vendor's website.

References

• https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
• https://www.securityfocus.com/bid/68233
• https://www.securityfocus.com/bid/68234
• https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08
• https://security-tracker.debian.org/tracker/CVE-2014-4660
• https://www.openwall.com/lists/oss-security/2014/06/26/19
• https://www.securityfocus.com/bid/68231