CVE-2020-1738 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Severity

78%

Complexity

18%

Confidentiality

98%

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

CVSS 3.1 Base Score 7.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 4.4. CVSS Attack Vector: local. CVSS Attack Complexity: medium. CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P).

CVSS 3.1 Base Score 3.9. CVSS Attack Vector: local. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L).

CVSS 2.0 Base Score 2.6. CVSS Attack Vector: local. CVSS Attack Complexity: high. CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:P).

Demo Examples

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CWE-88

The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.


               
}
system(cmd);

Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition.

Note that if argv[1] is a very long argument, then this issue might also be subject to a buffer overflow (CWE-120).

Overview

Type

Red Hat

First reported 5 years ago

2020-03-16 16:15:00

Last updated 4 years ago

2020-06-13 04:15:00

Affected Software

Red Hat Ansible Tower

Red Hat CloudForms Management Engine 5.0

5.0

Red Hat OpenStack 13.0

13.0

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738

Issue Tracking, Vendor Advisory

https://github.com/ansible/ansible/issues/67796

Third Party Advisory

GLSA-202006-11

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.