Synopsis
The remote Debian host is missing one or more security-related updates.
Description
The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3695 advisory.
- ------------------------------------------------------------------------- Debian LTS Advisory DLA-3695-1 [email protected] https://www.debian.org/lts/security/ Bastien Roucaris December 28, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : ansible Version : 2.7.7+dfsg-1+deb10u2 CVE ID : CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115 Debian Bug : 1053693
Ansible a configuration management, deployment, and task execution system was affected by multiple vulnerabilities.
CVE-2019-10206
Fix a regression in test suite of CVE-2019-10206.
CVE-2021-3447
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality
CVE-2021-3583
A flaw was found in Ansible, where a user's controller is vulnerable to template injection.
This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
CVE-2021-3620
A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.
CVE-2021-20178
A flaw was found in ansible module snmp_fact where credentials are disclosed in the console log by default and not protected by the security feature This flaw allows an attacker to steal privkey and authkey credentials. The highest threat from this vulnerability is to confidentiality.
CVE-2021-20191
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using Cisco nxos moduel.
An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.
CVE-2022-3697
A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.
CVE-2023-5115
An absolute path traversal attack existed in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
For Debian 10 buster, these problems have been fixed in version 2.7.7+dfsg-1+deb10u2.
We recommend that you upgrade your ansible packages.
For the detailed security status of ansible please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/ansible
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Tenable has extracted the preceding description block directly from the Debian security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the ansible packages.
Plugin Details
File Name: debian_DLA-3695.nasl
Agent: unix
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:ansible, p-cpe:/a:debian:debian_linux:ansible-doc
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: No known exploits are available
Patch Publication Date: 12/28/2023
Vulnerability Publication Date: 7/24/2019