CVE-2018-10875 - Untrusted Search Path vulnerability in multiple products

CVSS 4.6 - MEDIUM
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: local, low complexity, redhat, debian, suse, canonical, CWE-426, nessus

Summary

A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.
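
The check below is an added example, not code from Ansible or from this page. It applies the rule quoted in the DLA-1923 advisory text further down (ignore `ansible.cfg` when the current working directory is world-writable) and lists the settings in that file that would redirect module or plugin loading. The function name, the report fields and the subset of `[defaults]` keys are choices made for this example.

```python
import configparser
import os
import stat
import tempfile

# [defaults] settings that name directories Ansible loads code from.
# This is a subset picked for the example, not an exhaustive list.
CODE_PATH_KEYS = (
    "library",
    "module_utils",
    "action_plugins",
    "callback_plugins",
    "connection_plugins",
    "lookup_plugins",
    "filter_plugins",
)


def audit_cwd_config(directory):
    """Decide whether an ansible.cfg found in `directory` should be honoured.

    Returns a dict with:
      present        - an ansible.cfg file exists in the directory
      world_writable - any local user may create or replace files there
      honour         - True only if the file exists and the directory is
                       not world-writable
      parse_error    - the file could not be parsed as INI
      code_paths     - {setting: value} for settings that redirect where
                       modules or plugins are loaded from
    """
    cfg_path = os.path.join(directory, "ansible.cfg")
    mode = os.stat(directory).st_mode
    present = os.path.isfile(cfg_path)
    world_writable = bool(mode & stat.S_IWOTH)

    report = {
        "present": present,
        "world_writable": world_writable,
        "honour": present and not world_writable,
        "parse_error": False,
        "code_paths": {},
    }
    if not present:
        return report

    # interpolation=None: values may legitimately contain '%'.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(cfg_path)
    except configparser.Error:
        report["parse_error"] = True
        return report

    if parser.has_section("defaults"):
        for key in CODE_PATH_KEYS:
            if parser.has_option("defaults", key):
                report["code_paths"][key] = parser.get("defaults", key)
    return report


def describe(report):
    """Turn an audit report into a one-line verdict for logs or CI output."""
    if not report["present"]:
        return "no ansible.cfg in this directory"
    if report["world_writable"]:
        keys = ", ".join(sorted(report["code_paths"])) or "none"
        return "IGNORE: directory is world-writable (code path settings: %s)" % keys
    return "ok: ansible.cfg is in a directory only its owner or group can write"


if __name__ == "__main__":
    # Constructed sample: a scratch directory with a config that sets a
    # module path, checked once as world-writable and once locked down.
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "ansible.cfg"), "w") as fh:
            fh.write("[defaults]\nlibrary = ./modules\n")
        for perms in (0o777, 0o755):
            os.chmod(scratch, perms)
            print(oct(perms), describe(audit_cwd_config(scratch)))
```

Run it against the directories from which automation accounts launch Ansible; any `IGNORE` verdict on a host that still runs an unpatched package is a location where the flaw applies.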

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging/Manipulating Configuration File Search Paths
    This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component-based applications that are built from multiple binaries can have a very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4396.NASL
    description: Several vulnerabilities have been found in Ansible, a configuration management, deployment, and task execution system : - CVE-2018-10855/ CVE-2018-16876 The no_log task flag wasn
    last seen: 2020-05-31
    modified: 2019-02-20
    plugin id: 122321
    published: 2019-02-20
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122321
    title: Debian DSA-4396-1 : ansible - security update
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4396. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122321);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/26");
    
      script_cve_id("CVE-2018-10855", "CVE-2018-10875", "CVE-2018-16837", "CVE-2018-16876", "CVE-2019-3828");
      script_xref(name:"DSA", value:"4396");
    
      script_name(english:"Debian DSA-4396-1 : ansible - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Several vulnerabilities have been found in Ansible, a configuration
    management, deployment, and task execution system :
    
      - CVE-2018-10855/ CVE-2018-16876
        The no_log task flag wasn't honored, resulting in an
        information leak.
    
      - CVE-2018-10875
        ansible.cfg was read from the current working directory.
    
      - CVE-2018-16837
        The user module leaked parameters passed to ssh-keygen
        to the process environment.
    
      - CVE-2019-3828
        The fetch module was susceptible to path traversal."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-10855"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-16876"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-10875"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-16837"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2019-3828"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/ansible"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/ansible"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2019/dsa-4396"
      );
      script_set_attribute(
        attribute:"solution",
        value:
    "Upgrade the ansible packages.
    
    For the stable distribution (stretch), these problems have been fixed
    in version 2.2.1.0-2+deb9u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-10875");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ansible");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/02/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"9.0", prefix:"ansible", reference:"2.2.1.0-2+deb9u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-2166.NASL
    description: An update for ansible is now available for Ansible Engine 2.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. The following packages have been upgraded to a newer upstream version: ansible (2.6.1) Security fix(es) : * ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution (CVE-2018-10874) * ansible: ansible.cfg is being read from current working directory allowing possible code execution (CVE-2018-10875) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Brian Coca (Red Hat), and Michael Scherer (OSAS). Bug Fix(es) : * Fix junos_config confirm commit timeout issue (https://github.com/ansible/ansible/pull/41527) * file module - The touch subcommand had its diff output broken during the 2.6.x development cycle. The patch to fix that broke check mode. This is now fixed (https://github.com/ansible/ansible/issues/42111) * inventory manager - This fixes required options being populated before the inventory config file is read, so the required options may be set in the config file. * nsupdate - allow hmac-sha384 https://github.com/ansible/ansible/pull/42209 * win_domain - fixes typo in one of the AD cmdlets https://github.com/ansible/ansible/issues/41536 * win_group_membership - uses the internal Ansible SID conversion logic and uses that when comparing group membership instead of the name https://github.com/ansible/ansible/issues/40649
    last seen: 2020-06-02
    modified: 2018-07-12
    plugin id: 111030
    published: 2018-07-12
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111030
    title: RHEL 7 : ansible (RHSA-2018:2166)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:2166. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111030);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");
    
      script_cve_id("CVE-2018-10874", "CVE-2018-10875");
      script_xref(name:"RHSA", value:"2018:2166");
    
      script_name(english:"RHEL 7 : ansible (RHSA-2018:2166)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "An update for ansible is now available for Ansible Engine 2.6.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Ansible is a simple model-driven configuration management, multi-node
    deployment, and remote-task execution system. Ansible works over SSH
    and does not require any software or daemons to be installed on remote
    nodes. Extension modules can be written in any language and are
    transferred to managed machines automatically.
    
    The following packages have been upgraded to a newer upstream version:
    ansible (2.6.1)
    
    Security fix(es) :
    
    * ansible: Inventory variables are loaded from current working
    directory when running ad-hoc command that can lead to code execution
    (CVE-2018-10874)
    
    * ansible: ansible.cfg is being read from current working directory
    allowing possible code execution (CVE-2018-10875)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    This issue was discovered by Brian Coca (Red Hat), and Michael Scherer
    (OSAS).
    
    Bug Fix(es) :
    
    * Fix junos_config confirm commit timeout issue
    (https://github.com/ansible/ ansible/pull/41527)
    
    * file module - The touch subcommand had its diff output broken during
    the 2.6.x development cycle. The patch to fix that broke check mode.
    This is now fixed (https://github.com/ansible/ansible/issues/42111)
    
    * inventory manager - This fixes required options being populated
    before the inventory config file is read, so the required options may
    be set in the config file.
    
    * nsupdate - allow hmac-sha384
    https://github.com/ansible/ansible/pull/42209
    
    * win_domain - fixes typo in one of the AD cmdlets
    https://github.com/ansible /ansible/issues/41536
    
    * win_group_membership - uses the internal Ansible SID conversion
    logic and uses that when comparing group membership instead of the
    name https:// github.com/ansible/ansible/issues/40649"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:2166"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10874"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10875"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected ansible package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ansible");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:2166";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL7", rpm:"ansible-2.6"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "Red Hat Ansible 2.6");
    
      if (rpm_check(release:"RHEL7", reference:"ansible-2.6.1-1.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ansible");
      }
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-1125.NASL
    description: This update for ansible to version 2.7.8 fixes the following issues : Security issues fixed: - CVE-2018-16837: Fixed an information leak in user module (bsc#1112959). - CVE-2018-16859: Fixed an issue which could allow logging of password in plaintext in Windows PowerShell (bsc#1116587). - CVE-2019-3828: Fixed a path traversal vulnerability in fetch module (bsc#1126503). - CVE-2018-10875: Fixed a potential code execution in ansible.cfg (bsc#1099808). - CVE-2018-16876: Fixed an issue which could allow information disclosure in vvv+ mode with no_log on (bsc#1118896). Other issues addressed : - prepare update to 2.7.8 for multiple releases (boo#1102126, boo#1109957) Release notes: https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst#id1
    last seen: 2020-05-31
    modified: 2019-04-03
    plugin id: 123669
    published: 2019-04-03
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/123669
    title: openSUSE Security Update : ansible (openSUSE-2019-1125)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-1125.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(123669);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/26");
    
      script_cve_id("CVE-2018-10875", "CVE-2018-16837", "CVE-2018-16859", "CVE-2018-16876", "CVE-2019-3828");
    
      script_name(english:"openSUSE Security Update : ansible (openSUSE-2019-1125)");
      script_summary(english:"Check for the openSUSE-2019-1125 patch");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This update for ansible to version 2.7.8 fixes the following issues :
    
    Security issues fixed: &#9; 
    
      - CVE-2018-16837: Fixed an information leak in user module
        (bsc#1112959).
    
      - CVE-2018-16859: Fixed an issue which clould allow
        logging of password in plaintext in Windows powerShell
        (bsc#1116587).
    
      - CVE-2019-3828: Fixed a path traversal vulnerability in
        fetch module (bsc#1126503).
    
      - CVE-2018-10875: Fixed a potential code execution in
        ansible.cfg (bsc#1099808).
    
      - CVE-2018-16876: Fixed an issue which could allow
        information disclosure in vvv+ mode with no_log on
        (bsc#1118896).
    
    Other issues addressed :
    
      - prepare update to 2.7.8 for multiple releases
        (boo#1102126, boo#1109957)
    
    Release notes:
    https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELO
    G-v2.7.rst#id1"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1099808"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1102126"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1109957"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1112959"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1116587"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118896"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1126503"
      );
      # https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst#id1
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?38ee3bd6"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected ansible package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-10875");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ansible");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"ansible-2.7.8-lp150.2.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ansible");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4072-1.NASL
    description: It was discovered that Ansible failed to properly handle sensitive information. A local attacker could use those vulnerabilities to extract them. (CVE-2017-7481) (CVE-2018-10855) (CVE-2018-16837) (CVE-2018-16876) (CVE-2019-10156) It was discovered that Ansible could load configuration files from the current working directory containing crafted commands. An attacker could run arbitrary code as result. (CVE-2018-10874) (CVE-2018-10875) It was discovered that Ansible fetch module had a path traversal vulnerability. A local attacker could copy and overwrite files outside of the specified destination. (CVE-2019-3828). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-31
    modified: 2019-07-25
    plugin id: 127043
    published: 2019-07-25
    reporter: Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127043
    title: Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : ansible vulnerabilities (USN-4072-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4072-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127043);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/26");
    
      script_cve_id("CVE-2017-7481", "CVE-2018-10855", "CVE-2018-10874", "CVE-2018-10875", "CVE-2018-16837", "CVE-2018-16876", "CVE-2019-10156", "CVE-2019-3828");
      script_xref(name:"USN", value:"4072-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : ansible vulnerabilities (USN-4072-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "It was discovered that Ansible failed to properly handle sensitive
    information. A local attacker could use those vulnerabilities to
    extract them. (CVE-2017-7481) (CVE-2018-10855) (CVE-2018-16837)
    (CVE-2018-16876) (CVE-2019-10156)
    
    It was discovered that Ansible could load configuration files from the
    current working directory containing crafted commands. An attacker
    could run arbitrary code as result. (CVE-2018-10874) (CVE-2018-10875)
    
    It was discovered that Ansible fetch module had a path traversal
    vulnerability. A local attacker could copy and overwrite files outside
    of the specified destination. (CVE-2019-3828).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4072-1/"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected ansible package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-10875");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ansible");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/25");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04|19\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"ansible", pkgver:"2.0.0.2-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"ansible", pkgver:"2.5.1+dfsg-1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"19.04", pkgname:"ansible", pkgver:"2.7.8+dfsg-1ubuntu0.19.04.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ansible");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1923.NASL
    description: Several vulnerabilities were discovered in Ansible, a configuration management, deployment, and task execution system. CVE-2015-3908 A potential man-in-the-middle attack associated with insufficient X.509 certificate verification. Ansible did not verify that the server hostname matches a domain name in the subject
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128881
    published: 2019-09-17
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128881
    title: Debian DLA-1923-1 : ansible security update
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1923-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128881);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/27");
    
      script_cve_id("CVE-2015-3908", "CVE-2015-6240", "CVE-2018-10875", "CVE-2019-10156");
      script_bugtraq_id(75921);
    
      script_name(english:"Debian DLA-1923-1 : ansible security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities were discovered in Ansible, a configuration
    management, deployment, and task execution system.
    
    CVE-2015-3908
    
    A potential man-in-the-middle attack associated with insusfficient
    X.509 certificate verification. Ansible did not verify that the server
    hostname matches a domain name in the subject's Common Name (CN) or
    subjectAltName field of the X.509 certificate, which allows
    man-in-the-middle attackers to spoof SSL servers via an arbitrary
    valid certificate.
    
    CVE-2015-6240
    
    A symlink attack that allows local users to escape a restricted
    environment (chroot or jail) via a symlink attack.
    
    CVE-2018-10875
    
    A fix potential arbitrary code execution resulting from reading
    ansible.cfg from a world-writable current working directory. This
    condition now causes ansible to emit a warning and ignore the
    ansible.cfg in the world-writable current working directory.
    
    CVE-2019-10156
    
    Information disclosure through unexpected variable substitution.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    1.7.2+dfsg-2+deb8u2.
    
    We recommend that you upgrade your ansible packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/ansible"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ansible");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ansible-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ansible-fireball");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ansible-node-fireball");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"ansible", reference:"1.7.2+dfsg-2+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"ansible-doc", reference:"1.7.2+dfsg-2+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"ansible-fireball", reference:"1.7.2+dfsg-2+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"ansible-node-fireball", reference:"1.7.2+dfsg-2+deb8u2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-53790A5236.NASL
    description: Update to ansible 2.6.1 bugfix release. Fixes also 2 CVEs: CVE-2018-10874 and CVE-2018-10875 See https://github.com/ansible/ansible/blob/stable-2.6/changelogs/CHANGELOG-v2.6.rst for full list of changes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-07-24
    plugin id: 111240
    published: 2018-07-24
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111240
    title: Fedora 27 : ansible (2018-53790a5236)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-53790a5236.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111240);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-10874", "CVE-2018-10875");
      script_xref(name:"FEDORA", value:"2018-53790a5236");
    
      script_name(english:"Fedora 27 : ansible (2018-53790a5236)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to ansible 2.6.1 bugfix release. Fixes also 2 CVEs:
    CVE-2018-10874 and CVE-2018-10875
    
    See
    https://github.com/ansible/ansible/blob/stable-2.6/changelogs/CHANGELO
    G-v2.6.rst for full list of changes.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-53790a5236"
      );
      # https://github.com/ansible/ansible/blob/stable-2.6/changelogs/CHANGELOG-v2.6.rst
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?bcd9b701"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected ansible package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ansible");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC27", reference:"ansible-2.6.1-1.fc27")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ansible");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-2150.NASL
    description: An update for ansible is now available for Ansible Engine 2.5. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. The following packages have been upgraded to a newer upstream version: ansible (2.5.6) Security fix(es) : * ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution (CVE-2018-10874) * ansible: ansible.cfg is being read from current working directory allowing possible code execution (CVE-2018-10875) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Brian Coca (Red Hat), and Michael Scherer (OSAS). Bug Fix(es) : * Restore module_utils.basic.BOOLEANS variable for backwards compatibility with the module API in older ansible releases. * lineinfile - add warning when using an empty regexp (https://github.com/ansible/ansible/issues/29443) * apt - fix apt-mark on debian6 (https://github.com/ansible/ansible/pull/41530) * copy module - fixed recursive copy with relative paths (https://github.com/ansible/ansible/pull/40166) * correct debug display for all cases https://github.com/ansible/ansible/pull/41331 * eos_l2_interface - fix eapi (https://github.com/ansible/ansible/pull/42270) * group_by - support implicit localhost (https://github.com/ansible/ansible/pull/41860) * influxdb_query - fixed the use of the common return
    last seen: 2020-06-02
    modified: 2018-07-12
    plugin id: 111026
    published: 2018-07-12
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111026
    title: RHEL 7 : ansible (RHSA-2018:2150)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:2150. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111026);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");
    
      script_cve_id("CVE-2018-10874", "CVE-2018-10875");
      script_xref(name:"RHSA", value:"2018:2150");
    
      script_name(english:"RHEL 7 : ansible (RHSA-2018:2150)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "An update for ansible is now available for Ansible Engine 2.5.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Ansible is a simple model-driven configuration management, multi-node
    deployment, and remote-task execution system. Ansible works over SSH
    and does not require any software or daemons to be installed on remote
    nodes. Extension modules can be written in any language and are
    transferred to managed machines automatically.
    
    The following packages have been upgraded to a newer upstream version:
    ansible (2.5.6)
    
    Security fix(es) :
    
    * ansible: Inventory variables are loaded from current working
    directory when running ad-hoc command that can lead to code execution
    (CVE-2018-10874)
    
    * ansible: ansible.cfg is being read from current working directory
    allowing possible code execution (CVE-2018-10875)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    This issue was discovered by Brian Coca (Red Hat), and Michael Scherer
    (OSAS).
    
    Bug Fix(es) :
    
    * Restore module_utils.basic.BOOLEANS variable for backwards
    compatibility with the module API in older ansible releases.
    
    * lineinfile - add warning when using an empty regexp
    (https://github.com/ ansible/ansible/issues/29443)
    
    * apt - fix apt-mark on debian6
    (https://github.com/ansible/ansible/pull/ 41530)
    
    * copy module - fixed recursive copy with relative paths
    (https://github.com/ ansible/ansible/pull/40166)
    
    * correct debug display for all cases
    https://github.com/ansible/ansible/pull /41331
    
    * eos_l2_interface - fix eapi
    (https://github.com/ansible/ansible/pull/42270)
    
    * group_by - support implicit localhost
    (https://github.com/ansible/ansible/ pull/41860)
    
    * influxdb_query - fixed the use of the common return 'results' caused
    an unexpected fault. The return is renamed to 'query_results'
    
    * junos_config - fix confirm commit timeout issue
    (https://github.com/ansible /ansible/pull/41527)
    
    * lineinfile - fix insertbefore when used with BOF to not insert
    duplicate lines (https://github.com/ansible/ansible/issues/38219)
    
    * nsupdate - allow hmac-sha384
    https://github.com/ansible/ansible/pull/42209
    
    * nxos_linkagg - fix issue
    (https://github.com/ansible/ansible/pull/41550).
    
    * nxos_vxlan_vtep_vni - fix issue
    (https://github.com/ansible/ansible/pull/ 42240)
    
    * uses correct conn info for reset_connection
    https://github.com/ansible/ ansible/issues/27520
    
    * correct service facts systemd detection of state
    https://github.com/ansible /ansible/issues/40809
    
    * correctly check hostvars for vars term
    https://github.com/ansible/ansible/ pull/41819
    
    * vyos_vlan - fix aggregate configuration issues
    (https://github.com/ansible/ ansible/pull/41638)
    
    * win_domain - fixes typo in one of the AD cmdlets
    https://github.com/ansible /ansible/issues/41536
    
    * win_iis_webapppool - redirect some module output to null so Ansible
    can read the output JSON
    https://github.com/ansible/ansible/issues/40874
    
    * win_updates - Fixed issue where running win_updates on async fails
    without any error
    
    * winrm - ensure pexpect is set to not echo the input on a failure and
    have a manual sanity check afterwards
    https://github.com/ansible/ansible/issues/ 41865"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:2150"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10874"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10875"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected ansible and / or ansible-doc packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ansible");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ansible-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:2150";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL7", rpm:"ansible-2.5"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "Red Hat Ansible 2.5");
    
      if (rpm_check(release:"RHEL7", reference:"ansible-2.5.6-1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"ansible-doc-2.5.6-1.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ansible / ansible-doc");
      }
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-2321.NASL
    description: An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host
    last seen: 2020-06-02
    modified: 2018-08-02
    plugin id: 111515
    published: 2018-08-02
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111515
    title: RHEL 7 : Virtualization (RHSA-2018:2321)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:2321. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111515);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");
    
      script_cve_id("CVE-2018-10874", "CVE-2018-10875");
      script_xref(name:"RHSA", value:"2018:2321");
    
      script_name(english:"RHEL 7 : Virtualization (RHSA-2018:2321)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "An update for redhat-virtualization-host is now available for Red Hat
    Virtualization 4 for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The redhat-virtualization-host packages provide the Red Hat
    Virtualization Host. These packages include
    redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor.
    Red Hat Virtualization Hosts (RHVH) are installed using a special
    build of Red Hat Enterprise Linux with only the packages required to
    host virtual machines. RHVH features a Cockpit user interface for
    monitoring the host's resources and performing administrative tasks.
    
    The ovirt-node-ng packages provide the Red Hat Virtualization Host.
    These packages include redhat-release-virtualization-host, ovirt-node,
    and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed
    using a special build of Red Hat Enterprise Linux with only the
    packages required to host virtual machines. RHVH features a Cockpit
    user interface for monitoring the host's resources and performing
    administrative tasks.
    
    The following packages have been upgraded to a later upstream version:
    imgbased (1.0.22), redhat-release-virtualization-host (4.2),
    redhat-virtualization-host (4.2). (BZ#1596545, BZ#1607722, BZ#1607723)
    
    Security Fix(es) :
    
    * ansible: Inventory variables are loaded from current working
    directory when running ad-hoc command that can lead to code execution
    (CVE-2018-10874)
    
    * ansible: ansible.cfg is being read from current working directory
    allowing possible code execution (CVE-2018-10875)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Red Hat would like to thank Michael Scherer (OSAS) for reporting
    CVE-2018-10874. The CVE-2018-10875 issue was discovered by Brian Coca
    (Red Hat)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:2321"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10874"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10875"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:imgbased");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-imgbased");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:redhat-release-virtualization-host");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update-placeholder");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:2321";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL7", rpm:"redhat-virtualization-host-image-update-4.2"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "Virtualization");
    
      if (rpm_check(release:"RHEL7", reference:"imgbased-1.0.22-1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"python-imgbased-1.0.22-1.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"redhat-release-virtualization-host-4.2-5.0.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"redhat-virtualization-host-image-update-4.2-20180724.0.el7_5")) flag++;
      if (rpm_check(release:"RHEL7", reference:"redhat-virtualization-host-image-update-placeholder-4.2-5.0.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "imgbased / python-imgbased / redhat-release-virtualization-host / etc");
      }
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-2151.NASL
    description: An update for ansible is now available for Ansible Engine 2. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. The following packages have been upgraded to a newer upstream version: ansible (2.6.1) Security fix(es) : * ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution (CVE-2018-10874) * ansible: ansible.cfg is being read from current working directory allowing possible code execution (CVE-2018-10875) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Brian Coca (Red Hat), and Michael Scherer (OSAS). Bug Fix(es) : * Fix junos_config confirm commit timeout issue (https://github.com/ansible/ansible/pull/41527) * file module - The touch subcommand had its diff output broken during the 2.6.x development cycle. The patch to fix that broke check mode. This is now fixed (https://github.com/ansible/ansible/issues/42111) * inventory manager - This fixes required options being populated before the inventory config file is read, so the required options may be set in the config file. * nsupdate - allow hmac-sha384 https://github.com/ansible/ansible/pull/42209 * win_domain - fixes typo in one of the AD cmdlets https://github.com/ansible/ansible/issues/41536 * win_group_membership - uses the internal Ansible SID conversion logic and uses that when comparing group membership instead of the name https://github.com/ansible/ansible/issues/40649
    last seen: 2020-06-02
    modified: 2018-07-12
    plugin id: 111027
    published: 2018-07-12
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111027
    title: RHEL 7 : ansible (RHSA-2018:2151)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:2151. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111027);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");
    
      script_cve_id("CVE-2018-10874", "CVE-2018-10875");
      script_xref(name:"RHSA", value:"2018:2151");
    
      script_name(english:"RHEL 7 : ansible (RHSA-2018:2151)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "An update for ansible is now available for Ansible Engine 2.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Ansible is a simple model-driven configuration management, multi-node
    deployment, and remote-task execution system. Ansible works over SSH
    and does not require any software or daemons to be installed on remote
    nodes. Extension modules can be written in any language and are
    transferred to managed machines automatically.
    
    The following packages have been upgraded to a newer upstream version:
    ansible (2.6.1)
    
    Security fix(es) :
    
    * ansible: Inventory variables are loaded from current working
    directory when running ad-hoc command that can lead to code execution
    (CVE-2018-10874)
    
    * ansible: ansible.cfg is being read from current working directory
    allowing possible code execution (CVE-2018-10875)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    This issue was discovered by Brian Coca (Red Hat), and Michael Scherer
    (OSAS).
    
    Bug Fix(es) :
    
    * Fix junos_config confirm commit timeout issue
    (https://github.com/ansible/ansible/pull/41527)
    
    * file module - The touch subcommand had its diff output broken during
    the 2.6.x development cycle. The patch to fix that broke check mode.
    This is now fixed (https://github.com/ansible/ansible/issues/42111)
    
    * inventory manager - This fixes required options being populated
    before the inventory config file is read, so the required options may
    be set in the config file.
    
    * nsupdate - allow hmac-sha384
    https://github.com/ansible/ansible/pull/42209
    
    * win_domain - fixes typo in one of the AD cmdlets
    https://github.com/ansible/ansible/issues/41536
    
    * win_group_membership - uses the internal Ansible SID conversion
    logic and uses that when comparing group membership instead of the
    name https://github.com/ansible/ansible/issues/40649"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:2151"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10874"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10875"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected ansible package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ansible");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:2151";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL7", rpm:"ansible-2.6"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "Red Hat Ansible 2.6");
    
      if (rpm_check(release:"RHEL7", reference:"ansible-2.6.1-1.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ansible");
      }
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-1D2BC76093.NASL
    description: Update to ansible 2.6.1 bugfix release. Fixes also 2 CVEs: CVE-2018-10874 and CVE-2018-10875. See https://github.com/ansible/ansible/blob/stable-2.6/changelogs/CHANGELOG-v2.6.rst for full list of changes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2019-01-03
    plugin id: 120275
    published: 2019-01-03
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/120275
    title: Fedora 28 : ansible (2018-1d2bc76093)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-2152.NASL
    description: An update for ansible is now available for Ansible Engine 2.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. The following packages have been upgraded to a newer upstream version: ansible (2.4.6) Security fix(es) : * ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution (CVE-2018-10874) * ansible: ansible.cfg is being read from current working directory allowing possible code execution (CVE-2018-10875) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Brian Coca (Red Hat), and Michael Scherer (OSAS).
    last seen: 2020-06-02
    modified: 2018-07-12
    plugin id: 111028
    published: 2018-07-12
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111028
    title: RHEL 7 : ansible (RHSA-2018:2152)

Redhat

advisories
  • rhsa
    id: RHBA-2018:3788
  • rhsa
    id: RHSA-2018:2150
  • rhsa
    id: RHSA-2018:2151
  • rhsa
    id: RHSA-2018:2152
  • rhsa
    id: RHSA-2018:2166
  • rhsa
    id: RHSA-2018:2321
  • rhsa
    id: RHSA-2018:2585
  • rhsa
    id: RHSA-2019:0054
rpms
  • ansible-0:2.4.6.0-1.el7ae
  • ansible-role-redhat-subscription-0:1.0.1-4.el7ost
  • ansible-0:2.5.6-1.el7ae
  • ansible-doc-0:2.5.6-1.el7ae
  • ansible-0:2.6.1-1.el7ae
  • ansible-doc-0:2.4.6.0-1.el7ae
  • imgbased-0:1.0.22-1.el7ev
  • python-imgbased-0:1.0.22-1.el7ev
  • redhat-release-virtualization-host-0:4.2-5.0.el7
  • redhat-virtualization-host-image-update-0:4.2-20180724.0.el7_5
  • redhat-virtualization-host-image-update-placeholder-0:4.2-5.0.el7