CVE-2020-1736 Overview
A flaw was found in Ansible Engine when a file is moved using the atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist, and if the file exists, the file could be changed to have less restrictive permissions before the move. This vulnerability could lead to the disclosure of sensitive data across Ansible deployments.
Critical Impact
Sensitive configuration files, credentials, and secrets managed by Ansible playbooks may become world-readable, potentially exposing critical infrastructure data to unauthorized local users.
Affected Products
- Red Hat Ansible (versions 2.7.x, 2.8.x, and 2.9.x branches)
- Red Hat Ansible Tower
- Red Hat CloudForms Management Engine 5.0
- Red Hat OpenStack 13
- Fedora 31 and 32
Discovery Timeline
- 2020-03-16 - CVE-2020-1736 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-1736
Vulnerability Analysis
The vulnerability resides in Ansible Engine's atomic_move primitive function, which is used internally to safely move files during playbook execution. The fundamental issue is that this primitive does not allow the specification of file mode during the move operation.
When Ansible modules such as copy, template, or file use atomic_move to place files at their destination, two problematic scenarios can occur. First, if the destination file does not exist, the newly created file inherits world-readable permissions by default, potentially exposing sensitive content to all local users on the system. Second, if the destination file already exists, the file permissions may be inadvertently relaxed to less restrictive settings during the atomic move operation, creating a window where unauthorized users could access the file contents.
This is classified as CWE-732: Incorrect Permission Assignment for Critical Resource, reflecting the improper handling of file permissions during file operations.
Root Cause
The root cause stems from the atomic_move function's design, which prioritizes atomicity of the move operation over permission preservation. The function lacks a mechanism to specify and enforce the desired file mode during the move, relying instead on system defaults or existing file attributes that may not be appropriate for the content being transferred. This architectural limitation affects all Ansible modules that leverage atomic_move for file operations.
Attack Vector
The attack vector is local, requiring an attacker to have existing access to the target system where Ansible is deploying files. An attacker with local user privileges could exploit this vulnerability by:
- Monitoring directories where Ansible commonly deploys configuration files
- Waiting for Ansible playbook executions that create new files or modify existing ones
- Reading the contents of files during or after the atomic_move operation when permissions are overly permissive
- Extracting sensitive information such as database credentials, API keys, or private certificates that may be contained in Ansible-managed files
The vulnerability is particularly concerning in multi-user environments, shared hosting platforms, or any system where multiple users have shell access.
Detection Methods for CVE-2020-1736
Indicators of Compromise
- Unexpected world-readable permissions (mode 0644 or more permissive) on sensitive configuration files managed by Ansible
- Audit log entries showing file permission changes immediately after Ansible playbook executions
- Suspicious user access to directories containing Ansible-deployed secrets or credentials
- Evidence of unauthorized file reads in system audit logs targeting Ansible-managed paths
Detection Strategies
- Implement file integrity monitoring (FIM) to detect permission changes on critical configuration files
- Configure auditd rules to monitor file access and permission modifications in directories managed by Ansible
- Deploy SentinelOne agents to detect anomalous file access patterns and permission modifications
- Review Ansible playbook execution logs for modules that utilize file operations (copy, template, file)
Monitoring Recommendations
- Enable detailed logging in Ansible by setting log_path and increasing verbosity for production deployments
- Establish baseline permissions for all Ansible-managed files and alert on deviations
- Monitor for bulk file reads by non-privileged users in automation-managed directories
- Configure SentinelOne behavioral AI to identify patterns consistent with credential harvesting from configuration files
How to Mitigate CVE-2020-1736
Immediate Actions Required
- Audit all Ansible-managed files for incorrect permissions using find commands to identify world-readable sensitive files
- Explicitly set mode parameters in all Ansible modules (copy, template, file) that handle sensitive data
- Implement post-task handlers to verify and correct file permissions after deployment operations
- Review and restrict local user access on systems where Ansible deploys sensitive configurations
Patch Information
Red Hat has acknowledged this vulnerability and tracked it in their Bugzilla system. Organizations should consult the Red Hat Bugzilla CVE-2020-1736 for the latest patch status and remediation guidance. Additionally, Fedora users should apply updates as announced in the Fedora package announcements. Gentoo users should reference GLSA 202006-11 for patching instructions.
For detailed technical discussion of this issue, refer to the GitHub Ansible Issue #67794.
Workarounds
- Always specify explicit mode parameters in playbooks when creating or modifying files containing sensitive data
- Use file module as a follow-up task to explicitly set permissions after atomic_move operations
- Implement a custom callback plugin to audit and report on file permissions after playbook execution
- Consider using Ansible Vault for encrypting sensitive data, reducing the impact if files become world-readable
# Example: Explicitly setting file permissions in Ansible tasks
# Add mode parameter to all copy/template tasks handling sensitive files
- name: Deploy sensitive configuration with explicit permissions
template:
src: secrets.conf.j2
dest: /etc/myapp/secrets.conf
mode: '0600'
owner: root
group: root
# Post-deployment permission verification task
- name: Verify restrictive permissions on sensitive files
file:
path: /etc/myapp/secrets.conf
mode: '0600'
owner: root
group: root
state: file
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
