Vulnerabilities > CVE-2019-14846 - Improper Output Neutralization for Logs vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Web Logs Tampering Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
- Log Injection-Tampering-Forging This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing him to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-513.NASL description This update for ansible to version 2.9.6 fixes the following issues : Security issues fixed : - CVE-2019-14904: Fixed a vulnerability in solaris_zone module via crafted solaris zone (boo#1157968). - CVE-2019-14905: Fixed an issue where malicious code could craft filename in nxos_file_copy module (boo#1157969). - CVE-2019-14864: Fixed Splunk and Sumologic callback plugins leak sensitive data in logs (boo#1154830). - CVE-2019-14846: Fixed secrets disclosure on logs due to display is hardcoded to DEBUG level (boo#1153452) - CVE-2019-14856: Fixed insufficient fix for CVE-2019-10206 (boo#1154232) - CVE-2019-14858: Fixed data in the sub parameter fields that will not be masked and will be displayed when run with increased verbosity (boo#1154231) - CVE-2019-10206: ansible-playbook -k and ansible cli tools prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them. (boo#1142690) - CVE-2019-10217: Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks. (boo#1144453) last seen 2020-04-17 modified 2020-04-14 plugin id 135454 published 2020-04-14 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135454 title openSUSE Security Update : ansible (openSUSE-2020-513) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3203.NASL description An update is now available for Ansible Engine 2.8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. The following packages have been upgraded to a newer upstream version: ansible (2.8.6) Bug Fix(es) : * ansible: incomplete fix for CVE-2019-10206 (CVE-2019-14856) * ansible: sub parameters marked as no_log are not masked in certain failure scenarios (CVE-2019-14858) * ansible: secrets disclosed on logs when no_log enabled (CVE-2019-14846) See : https://github.com/ansible/ansible/blob/v2.8.6/changelogs/CHANGELOG-v2 .8.rst for details on bug fixes in this release. last seen 2020-06-01 modified 2020-06-02 plugin id 130332 published 2019-10-28 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130332 title RHEL 7 / 8 : Ansible (RHSA-2019:3203) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2202.NASL description Several vulnerabilities were discovered in Ansible, a configuration management, deployment, and task execution system. CVE-2019-14846 Ansible was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process. CVE-2020-1733 A race condition flaw was found when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with last seen 2020-06-06 modified 2020-05-07 plugin id 136367 published 2020-05-07 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136367 title Debian DLA-2202-1 : ansible security update NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3201.NASL description An update is now available for Ansible Engine 2.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. The following packages have been upgraded to a newer upstream version: ansible (2.6.20) Bug Fix(es) : * ansible: Incomplete fix for CVE-2019-10206 (CVE-2019-14856) * ansible: sub parameters marked as no_log are not masked in certain failure scenarios (CVE-2019-14858) * ansible: secrets disclosed on logs when no_log enabled (CVE-2019-14846) See: https://github.com/ansible/ansible/blob/v2.6.20/changelogs/ CHANGELOG-v2.6.rst for details on bug fixes in this release. last seen 2020-06-01 modified 2020-06-02 plugin id 130330 published 2019-10-28 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130330 title RHEL 7 : Ansible (RHSA-2019:3201) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3202.NASL description An update is now available for Ansible Engine 2.7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. The following packages have been upgraded to a newer upstream version: ansible (2.7.14) Bug Fix(es) : * ansible: Incomplete fix for CVE-2019-10206 (CVE-2019-14856) * ansible: sub parameters marked as no_log are not masked in certain failure scenarios (CVE-2019-14858) * ansible: secrets disclosed on logs when no_log enabled (CVE-2019-14846) See: https://github.com/ansible/ansible/blob/v2.7.14/changelogs/CHANGELOG-v 2.7.rst for details on bug fixes in this release. last seen 2020-06-01 modified 2020-06-02 plugin id 130331 published 2019-10-28 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130331 title RHEL 7 : Ansible (RHSA-2019:3202)
Redhat
| advisories |
| ||||||||||||||||||||
| rpms |
|
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846
- https://github.com/ansible/ansible/pull/63366
- https://access.redhat.com/errata/RHSA-2019:3207
- https://access.redhat.com/errata/RHSA-2019:3201
- https://access.redhat.com/errata/RHSA-2019:3202
- https://access.redhat.com/errata/RHSA-2019:3203
- https://access.redhat.com/errata/RHSA-2020:0756
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
- https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
- https://www.debian.org/security/2021/dsa-4950