Bug 1164139 – VUL-0: CVE-2020-1734: ansible: shell enabled by default in a pipe lookup plugin subprocess

Bug 1164139 - (CVE-2020-1734) VUL-0: CVE-2020-1734: ansible: shell enabled by default in a pipe lookup plugin subprocess

(CVE-2020-1734)
Summary:	VUL-0: CVE-2020-1734: ansible: shell enabled by default in a pipe lookup plug...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Cloud Bugs
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/253290/
Whiteboard:	CVSSv3.1:SUSE:CVE-2020-1734:7.4:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2020-02-18 15:11 UTC by Robert Frohl
Modified:	2022-10-13 08:05 UTC (History)
CC List:	7 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Frohl 2020-02-18 15:11:35 UTC

rh#1801804

The pipe lookup plugin uses subprocess.Popen() with shell=True. This can be used to run arbitrary commands by overwriting ansible facts and the variable is not escaped by quote plugin.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1801804
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1734

Comment 1 Hans Loehr 2020-03-19 10:40:20 UTC

Upstream issue: https://github.com/ansible/ansible/issues/67792

SLES11-SP3, SLES12-SP2, SLES12-SP3 all contain the affected code.

Comment 2 Hans Loehr 2020-03-20 10:40:56 UTC

ansible1 is affected as well.

Comment 7 Matej Cepl 2020-06-08 09:51:06 UTC

Update has been prepared, this bug can be closed.

Comment 13 Swamp Workflow Management 2020-11-12 17:23:03 UTC

SUSE-SU-2020:3309-1: An update that solves 53 vulnerabilities, contains 14 features and has 5 fixes is now available.

Category: security (important)
Bug References: 1008037,1008038,1010940,1019021,1038785,1056094,1059235,1080682,1097775,1102126,1109957,1112959,1117080,1118896,1123561,1126503,1137479,1137528,1142121,1142542,1144453,1153452,1154231,1154232,1154830,1157968,1157969,1159447,1161919,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165022,1165393,1166389,1167440,1167532,1171162,1171823,1172450,1173413,1173416,1173418,1174006,1174145,1174242,1174302,1174583,1175484,1175986,1175993,1177120,1177948
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-8647,CVE-2016-9587,CVE-2017-7466,CVE-2017-7550,CVE-2018-10875,CVE-2018-11779,CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2019-0202,CVE-2019-10156,CVE-2019-10206,CVE-2019-10217,CVE-2019-14846,CVE-2019-14856,CVE-2019-14858,CVE-2019-14864,CVE-2019-14904,CVE-2019-14905,CVE-2019-19844,CVE-2019-3828,CVE-2020-10177,CVE-2020-10378,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-10744,CVE-2020-10994,CVE-2020-11110,CVE-2020-14330,CVE-2020-14332,CVE-2020-14365,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-17376,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2020-25032,CVE-2020-26137,CVE-2020-7471,CVE-2020-9402
JIRA References: SOC-10300,SOC-10522,SOC-10616,SOC-11000,SOC-11223,SOC-11342,SOC-11352,SOC-11364,SOC-11386,SOC-11389,SOC-11391,SOC-6780,SOC-9974,SOC-9998
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.9.14-3.15.1, crowbar-core-5.0+git.1600432272.b3ad722f0-3.44.1, crowbar-openstack-5.0+git.1599037158.5c4d07480-4.43.1, documentation-suse-openstack-cloud-deployment-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Pillow-4.2.1-3.9.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, rubygem-crowbar-client-3.9.3-1.1, storm-1.2.3-3.6.1
SUSE OpenStack Cloud 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-suse-openstack-cloud-installation-8.20201007-1.29.1, documentation-suse-openstack-cloud-operations-8.20201007-1.29.1, documentation-suse-openstack-cloud-opsconsole-8.20201007-1.29.1, documentation-suse-openstack-cloud-planning-8.20201007-1.29.1, documentation-suse-openstack-cloud-security-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, documentation-suse-openstack-cloud-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1
HPE Helion Openstack 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-hpe-helion-openstack-installation-8.20201007-1.29.1, documentation-hpe-helion-openstack-operations-8.20201007-1.29.1, documentation-hpe-helion-openstack-opsconsole-8.20201007-1.29.1, documentation-hpe-helion-openstack-planning-8.20201007-1.29.1, documentation-hpe-helion-openstack-security-8.20201007-1.29.1, documentation-hpe-helion-openstack-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-urllib3-1.22-5.12.1, release-notes-hpe-helion-openstack-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-hpe-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Swamp Workflow Management 2022-03-16 20:18:17 UTC

openSUSE-SU-2022:0081-1: An update that solves 26 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1099808,1112959,1118896,1126503,1137528,1157968,1157969,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165393,1166389,1167440,1167532,1167873,1171162,1174145,1174302,1180816,1180942,1181119,1181935
CVE References: CVE-2018-10875,CVE-2018-16837,CVE-2019-10156,CVE-2019-14846,CVE-2019-14904,CVE-2019-14905,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-14330,CVE-2020-14332,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2021-20178,CVE-2021-20180,CVE-2021-20191,CVE-2021-20228
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    ansible-2.9.21-bp153.2.3.1

Comment 17 Thomas Leroy 2022-08-09 09:24:38 UTC

It seems that SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/ansible1 and SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/ansible1 are still affected. Could you please submit a fix for them also? :)

Comment 18 Christian Almeida de Oliveira 2022-08-09 13:49:16 UTC

I will check with the SOC team and re-open the internal Jira if confirmed.

Comment 19 Earl Sampson 2022-08-14 16:27:34 UTC

I have branch the Cloud9 ansible package and added 

 cat 0005-disable_popen_plugin_shell.patch
Index: lib/ansible/runner/lookup_plugins/pipe.py
===================================================================
--- lib/ansible/runner/lookup_plugins/pipe.py.orig      2022-08-10 12:05:06.083870955 -0500
+++ lib/ansible/runner/lookup_plugins/pipe.py   2022-08-10 12:04:46.763893913 -0500
@@ -43,7 +43,7 @@
             '''
             term = str(term)
 
-            p = subprocess.Popen(term, cwd=self.basedir, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
+            p = subprocess.Popen(term, cwd=self.basedir, shell=False, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
             (stdout, stderr) = p.communicate()
             if p.returncode == 0:
                 ret.append(stdout.decode("utf-8").rstrip())

As noted in the CVE. I then used that to deploy Soc 9 Ardana and run ci tempest test. I repeated the process a number of times and all tests were successful.

Comment 20 Earl Sampson 2022-08-14 19:43:28 UTC

SOC 8 branch:
https://build.suse.de/package/show/home:esampson:branches:Devel:Cloud:8:Staging/ansible1

SOC 9 branch:
https://build.suse.de/package/show/home:esampson:branches:Devel:Cloud:9:Staging/ansible1

Comment 21 Earl Sampson 2022-08-16 18:27:20 UTC

SOC8 and SOC9 testing was successful change requests have been submitted

SOC8: https://build.suse.de/request/show/277763

SOC9: https://build.suse.de/request/show/277762

Comment 22 Earl Sampson 2022-08-16 20:30:41 UTC

Needed to revert the changes above: revert requests:

Cloud9: https://build.suse.de/request/show/277768
Cloud8: https://build.suse.de/request/show/277769


The change to ansible1 broke the cobbler tests in ci for soc9.

To land the ansible would break the bare metal provisioning for soc8 and soc9.
It may be possible to work around this, please advise on how we should proceed.

Comment 23 Earl Sampson 2022-08-16 21:27:23 UTC

cloud 9 revert is: Cloud9: https://build.suse.de/request/show/277771

Comment 24 Earl Sampson 2022-08-16 21:39:38 UTC

Cloud9: https://build.suse.de/request/show/277772

typo in 277771

Comment 25 Earl Sampson 2022-08-18 13:37:51 UTC

Since making the change to ansible was:
1: rejected by the asnible team upstream
2: Caused operational errors for SOC8 and SOC9
We are taking option 2 in the CVE:
From: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1734
A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.

So, the ansible problem can be mitigated by making sure that variable references are properly quoted.
This was reinforced by the ansible team's response in: https://github.com/ansible/ansible/issues/67792

We searched for uses of the pipe lookup plugin within our playbooks and updated the code to make sure that variables were properly coded.

Only two repositories were effected:
ardana-ansible and cobbler-ansible.

Changes have been proposed to these repositories to make sure everything is properly quoted:
SOC9:
https://gerrit.prv.suse.net/6798
SOC8:
https://gerrit.prv.suse.net/6799
https://gerrit.prv.suse.net/6800
https://gerrit.prv.suse.net/6801

Comment 26 Thomas Leroy 2022-09-14 09:09:56 UTC

(In reply to Earl Sampson from comment #25)
> Since making the change to ansible was:
> 1: rejected by the asnible team upstream
> 2: Caused operational errors for SOC8 and SOC9
> We are taking option 2 in the CVE:
> From: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1734
> A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands
> can be run, when the pipe lookup plugin uses subprocess.Popen() with
> shell=True, by overwriting ansible facts and the variable is not escaped by
> quote plugin. An attacker could take advantage and run arbitrary commands by
> overwriting the ansible facts.
> 
> So, the ansible problem can be mitigated by making sure that variable
> references are properly quoted.
> This was reinforced by the ansible team's response in:
> https://github.com/ansible/ansible/issues/67792
> 
> We searched for uses of the pipe lookup plugin within our playbooks and
> updated the code to make sure that variables were properly coded.
> 
> Only two repositories were effected:
> ardana-ansible and cobbler-ansible.
> 
> Changes have been proposed to these repositories to make sure everything is
> properly quoted:
> SOC9:
> https://gerrit.prv.suse.net/6798
> SOC8:
> https://gerrit.prv.suse.net/6799
> https://gerrit.prv.suse.net/6800
> https://gerrit.prv.suse.net/6801

Thanks you very much for your work Earl :)

Comment 27 Swamp Workflow Management 2022-09-22 19:19:26 UTC

SUSE-SU-2022:3339-1: An update that fixes 6 vulnerabilities, contains two features is now available.

Category: security (moderate)
Bug References: 1157665,1164139,1191454,1197818,1198398,1201186
CVE References: CVE-2019-11287,CVE-2020-1734,CVE-2021-39226,CVE-2022-24790,CVE-2022-28346,CVE-2022-34265
JIRA References: SOC-11662,SOC-8764
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    grafana-6.7.4-3.29.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a7-3.15.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev4-3.12.1, openstack-neutron-gbp-14.0.1~dev46-3.34.1, openstack-nova-18.3.1~dev92-3.43.1, python-Django1-1.11.29-3.40.1, rabbitmq-server-3.6.16-4.3.1, rubygem-puma-2.16.0-4.18.1
SUSE OpenStack Cloud 9 (src):    ardana-ansible-9.0+git.1660748476.c118d23-3.32.1, ardana-cobbler-9.0+git.1660747489.119efcd-3.19.1, ardana-tempest-9.0+git.1651855288.a2341ad-3.22.1, grafana-6.7.4-3.29.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a7-3.15.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev4-3.12.1, openstack-neutron-gbp-14.0.1~dev46-3.34.1, openstack-nova-18.3.1~dev92-3.43.1, python-Django1-1.11.29-3.40.1, rabbitmq-server-3.6.16-4.3.1, venv-openstack-heat-11.0.4~dev4-3.37.1, venv-openstack-horizon-14.1.1~dev11-4.41.1, venv-openstack-neutron-13.0.8~dev206-6.41.1, venv-openstack-nova-18.3.1~dev92-3.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.