Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 14 Jul 2015 10:20:17 +0100
From: Cory Benfield <cory@...asa.co.uk>
To: oss-security@...ts.openwall.com
Subject: [CVE-2015-3908] Improper TLS Certificate Validation in Ansible

Versions of Ansible prior to 1.9.2 fail to adequately validate HTTPS certificates when using the get_url and uri modules, and when using the url and etcd lookup plugins. This allows for man-in-the-middle attacks on those connections.

The fix for this problem has been released as part of Ansible 1.9.2.

The Ansible playbook below is a proof-of-concept that can be used to safely validate the incorrect behaviour:

  - name: a playbook demonstrating MITM in ansible
    hosts: 127.0.0.1
    connection: local
    tasks:
    - name: this should fail
      get_url: url=https://kennethreitz.org/ dest="/tmp/shouldnotexist.html”

This playbook attempts to download a HTML file from a site presenting a certificate that is valid, but not for the site in question. Versions of Ansible from 1.9.2 onward correctly fail to validate the certificate, but earlier versions will download the file regardless and the playbook will successfully exit.

Cory

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ