Bug 938161 - (CVE-2015-3908) VUL-0: CVE-2015-3908: ansible: Improper TLS Certificate Validation in Ansible
(CVE-2015-3908)
VUL-0: CVE-2015-3908: ansible: Improper TLS Certificate Validation in Ansible
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other openSUSE 13.2
: P5 - None : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/118610/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-07-15 08:58 UTC by Andreas Stieger
Modified: 2016-07-28 14:21 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-07-15 08:58:37 UTC
http://seclists.org/oss-sec/2015/q3/106

Versions of Ansible prior to 1.9.2 fail to adequately validate HTTPS certificates when using the get_url and uri 
modules, and when using the url and etcd lookup plugins. This allows for man-in-the-middle attacks on those connections.

The fix for this problem has been released as part of Ansible 1.9.2.

The Ansible playbook below is a proof-of-concept that can be used to safely validate the incorrect behaviour:

  - name: a playbook demonstrating MITM in ansible
    hosts: 127.0.0.1
    connection: local
    tasks:
    - name: this should fail
      get_url: url=https://kennethreitz.org/ dest="/tmp/shouldnotexist.html”

This playbook attempts to download a HTML file from a site presenting a certificate that is valid, but not for the site in question. Versions of Ansible from 1.9.2 onward correctly fail to validate the certificate, but earlier versions will download the file regardless and the playbook will successfully exit.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3908
http://seclists.org/oss-sec/2015/q3/106
Comment 2 Lars Vogdt 2015-07-15 12:38:05 UTC
Thanks for pointing to the patch!

Updated package (1.9.2 containing the fix) submitted to openSUSE:Factory

Package containing the above fix submitted to 13.2 (ID 316936).

Reassigning to security for further processing.
Comment 3 Andreas Stieger 2015-07-22 13:04:49 UTC
releasing update