CVE-2020-1740: 
Ansible Tower vulnerability analysis and mitigation

CVE-2020-1740 is a security vulnerability discovered in Ansible Engine affecting the Ansible Vault feature. The vulnerability was found when using Ansible Vault for editing encrypted files. When a user executes 'ansible-vault edit', another user on the same computer can read both the old and new secrets, as they are created in a temporary file with mkstemp. The vulnerability affects all versions in Ansible Engine 2.7.x, 2.8.x, and 2.9.x branches, as well as Ansible Tower versions up to 3.4.5, 3.5.5, and 3.6.3 (Red Hat Bug).

The vulnerability occurs in the VaultEditor._edit_file_helper() method where a temporary file is created using tempfile.mkstemp(). The issue arises because the returned file descriptor is closed and VaultEditor.write_data() is called to write the existing secret in the file. This method deletes the file before recreating it insecurely, allowing a malicious user to create the file with permissions that grant them access to the file after the unlink (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) by NIST with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows local users on the same system to read sensitive information, including both old and new secrets, when another user is editing encrypted files using the ansible-vault edit command. This could lead to unauthorized access to encrypted credentials and sensitive configuration data (Red Hat Bug).

The vulnerability was fixed in Ansible Engine versions 2.7.17, 2.8.11, and 2.9.7. Until systems can be updated, the only mitigation is to avoid using the 'edit' option from the ansible-vault command line tool (Red Hat Bug). Various distributions have released security updates, including Debian, Fedora, and Gentoo (Debian LTS, Fedora Update, Gentoo Security).