CVE-2020-1733: 
Ansible Tower vulnerability analysis and mitigation

A race condition vulnerability (CVE-2020-1733) was discovered in Ansible Engine affecting versions 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior. The vulnerability was identified when running a playbook with an unprivileged become user (NVD, Red Hat).

The vulnerability occurs when Ansible needs to run a module with become user, where the temporary directory is created in /var/tmp. The directory is created using the command 'umask 77 && mkdir -p', but this operation does not fail if the directory already exists and is owned by another user. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.0 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

An attacker could potentially gain control of the become user as the target directory can be retrieved by iterating '/proc/pid/cmdline'. This could lead to privilege escalation and unauthorized access to system resources (NVD, GitHub Issue).

The vulnerability has been fixed in Ansible Engine versions 2.7.17, 2.8.11, and 2.9.7. As a workaround, the proc filesystem can be mounted with hidepid=2 option to limit access to process information. This way only the user used by Ansible will be able to perform the attack as users on the system will be able to access only their processes /proc/$PID/ directories (Red Hat).

Multiple Linux distributions have released security advisories and patches for this vulnerability, including Debian, Fedora, and Gentoo. The vulnerability was addressed promptly by the Ansible community and vendors (Debian LTS, Gentoo).