IT Automation Tool Hole Fixed

Friday, January 13, 2017 @ 03:01 PM gHale


The Ansible IT automation platform received a patch to address a security bypass vulnerability.

An attacker who successfully exploited the vulnerability could execute arbitrary commands on the Ansible controller and gain access to the connected hosts.

Ansible is an open-source automation solution Red Hat purchased two years ago.

The platform can be used to automate tasks, including configuration management, cloud provisioning, application deployment, task execution and multinode orchestration.

The central node in an Ansible installation, the controller, should be highly secure. Its attack surface is small because it does not expose any services to hosts. However, researchers from Computest found a weak spot.

The Ansible controller receives “facts” about the remote systems it manages and uses them for various purposes. Certain facts are filtered to prevent abuse, but researchers from Netherlands-based Computest found six different methods to bypass this filter.

An attacker who can bypass the filter and gain control of certain facts can execute arbitrary commands on the Ansible controller, and from there move to the other hosts.

Computest informed the Ansible and Red Hat security teams about this issue on December 8 and 9. Ansible versions 2.2.1 RC3 and 2.1.4 RC1, released on Monday, contain fixes for the vulnerability.

The vulnerability’s case number is CVE-2016-9587 and it has been rated “high risk.”

Technical details about the methods used by Computest to bypass filters are available in the advisory published by the company.

“The handling of Facts in Ansible suffers from too many special cases that allow for the bypassing of filtering. We found these issues in just hours of code review, which can be interpreted as a sign of very poor security. However, we don’t believe this is the case,” Computest researchers said in the advisory.

“The attack surface of the Controller is very small, as it consists mainly of the Facts. We believe that it is very well possible to solve the filtering and quoting of Facts in a sound way, and that when this has been done, the opportunity for attack in this threat model is very small,” the researchers said.


