Ansible patches 'own the farm' vulnerability
Just the Facts, sysadmins
Ansible sysadmins, make with the patch-fingers because the project's just gone public with a high-severity bug.
CVE-2016-9587 is a peach: “a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command)”, Ansible lead at Red Hat James Cammarata writes.
Dutch outfit Computest found the bug. It writes that if an attacker can get access to one compromised machine, they can use that as a hop-off to the controller, “gaining access to the entire server park managed by that controller”.
Its advisory explains that the problem lies in how the controller handles an API feature called Facts.
Facts let the Ansible controller gather information about remote systems and use it in playbook variables, and users can write their own Facts (if this sounds all a bit post-truth, we apologise).
Computest found that Facts allows “too many special cases that allow for the bypassing of filtering”.
Although finding the special cases didn't take the testers more than a few hours, they don't sideswipe Ansible for having poor security. Rather, Computest writes, the filtering and quoting of Facts can be fixed, and “when this has been done, the opportunity for attack in this threat model is very small.”
Ansible's fixes are in two release candidates: 2.1.4 RC1 and 2.2.1 RC3. ®