Detections
Analytics

Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS : Ansible vulnerabilities (USN-7330-1)

high Nessus Plugin ID 232217

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7330-1 advisory.

 It was discovered that Ansible did not properly verify certain fields of X.509 certificates. An attacker could possibly use this issue to spoof SSL servers if they were able to intercept network communications.
 This issue only affected Ubuntu 14.04 LTS. (CVE-2015-3908)

 Martin Carpenter discovered that certain connection plugins for Ansible did not properly restrict users.
 An attacker with local access could possibly use this issue to escape a restricted environment via symbolic links misuse. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-6240)

 Robin Schneider discovered that Ansible's apt_key module did not properly verify key fingerprints. A remote attacker could possibly use this issue to perform key injection, leading to the access of sensitive information. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-8614)

 It was discovered that Ansible would expose passwords in certain instances. An attacker could possibly use specially crafted input related to this issue to access sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-10206)

 It was discovered that Ansible incorrectly logged sensitive information. An attacker with local access could possibly use this issue to access sensitive information. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2019-14846)

 It was discovered that Ansible's solaris_zone module accepted input without performing input checking. A remote attacker could possibly use this issue to enable the execution of arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-14904)

 It was discovered that Ansible did not generate sufficiently random values, which could lead to the exposure of passwords. An attacker could possibly use this issue to access sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-10729)

 It was discovered that Ansible's svn module could disclose passwords to users within the same node. An attacker could possibly use this issue to access sensitive information. (CVE-2020-1739)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected ansible, ansible-fireball and / or ansible-node-fireball packages.

See Also

https://ubuntu.com/security/notices/USN-7330-1

Plugin Details

Severity: High

ID: 232217

File Name: ubuntu_USN-7330-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 3/6/2025

Updated: 3/6/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2015-6240

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2019-14846

Vulnerability Information

CPE: cpe:/o:canonical:ubuntu_linux:14.04:-:lts, cpe:/o:canonical:ubuntu_linux:20.04:-:lts, cpe:/o:canonical:ubuntu_linux:16.04:-:lts, cpe:/o:canonical:ubuntu_linux:18.04:-:lts, p-cpe:/a:canonical:ubuntu_linux:ansible-node-fireball, p-cpe:/a:canonical:ubuntu_linux:ansible, p-cpe:/a:canonical:ubuntu_linux:ansible-fireball

Required KB Items: Host/cpu, Host/Debian/dpkg-l, Host/Ubuntu, Host/Ubuntu/release

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/5/2025

Vulnerability Publication Date: 6/25/2015

Reference Information

CVE: CVE-2015-3908, CVE-2015-6240, CVE-2016-8614, CVE-2019-10206, CVE-2019-14846, CVE-2019-14904, CVE-2020-10729, CVE-2020-1739

IAVB: 2019-B-0092-S

USN: 7330-1