VYPR
Unrated severity · NVD Advisory · Published Aug 22, 2018 · Updated Aug 5, 2024

CVE-2018-10884

Description

Ansible Tower before versions 3.1.8 and 3.2.6 is vulnerable to cross-site request forgery (CSRF) in awx/api/authentication.py. An attacker could exploit this by tricking already authenticated users into visiting a malicious site and hijacking the authtoken cookie.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ansible Tower before 3.1.8 and 3.2.6 is vulnerable to CSRF in awx/api/authentication.py, allowing an attacker to hijack the authtoken cookie by tricking authenticated users into visiting a malicious site.

Vulnerability

Ansible Tower versions before 3.1.8 and 3.2.6 are vulnerable to cross-site request forgery (CSRF) in the awx/api/authentication.py file. The vulnerability allows an attacker to execute unauthorized actions on behalf of an authenticated user without their knowledge. No special configuration is required for the code path to be reachable; the CSRF protection is missing in the authentication module. [1]

Exploitation

An attacker must trick an already authenticated Ansible Tower user into visiting a malicious website or clicking a crafted link while logged in. The attacker can then exploit the lack of CSRF protection to perform requests that hijack the user's authtoken cookie. The attack does not require any special network position beyond the ability to serve the malicious page to the targeted user. [1]

Impact

Successful exploitation allows the attacker to hijack the authtoken cookie of the authenticated user. This can lead to session hijacking, where the attacker can impersonate the victim and gain the same privileges, potentially leading to unauthorized access to sensitive data or administrative actions within Ansible Tower. The compromise is at the session level, impacting confidentiality, integrity, and availability. [1]

Mitigation

Ansible Tower versions 3.1.8 and 3.2.6 contain the fix for this vulnerability. Users should upgrade to at least these versions. The bug was publicly disclosed in July 2018 with a fix available in the same release cycle. No workarounds are documented in the available references; upgrading is the recommended mitigation. [1]
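To triage an inventory of Tower installs against the fixed releases named above, here is an added Python helper (not vendor or VYPR code). It assumes plain major.minor.patch version strings, that branches newer than 3.2 already carry the fix, and that branches older than 3.1 never received it; the sample inventory is constructed.

```python
"""Classify Ansible Tower version strings against the CVE-2018-10884 fix
releases named in this advisory (3.1.8 and 3.2.6)."""
from typing import Dict, Iterable, Tuple

# Fixed releases from the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {(3, 1): (3, 1, 8), (3, 2): (3, 2, 6)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; a trailing '-<build>' suffix is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version predates the fix for its branch.

    Assumption (not stated on the page): branches newer than the newest
    fixed branch carry the fix; branches older than the oldest fixed
    branch are still vulnerable.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return (major, minor, patch) < FIXED_RELEASES[branch]
    return branch < max(FIXED_RELEASES)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string to 'affected', 'fixed' or 'unparseable'."""
    result: Dict[str, str] = {}
    for v in versions:
        try:
            result[v] = "affected" if is_affected(v) else "fixed"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["3.1.7", "3.1.8", "3.2.5", "3.2.6", "3.3.0", "3.0.4", "tower-x"]
    for version, verdict in triage(sample).items():
        print(f"{version:>8}: {verdict}")
```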

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)