CVE-2019-19342 in Ansible Tower

Summary

by MITRE

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.4, when /websocket is requested and the password contains the '#' character. This request would cause a socket error in RabbitMQ when parsing the password, and an HTTP error code 500 and partial password disclosure will occur in plaintext. An attacker could easily guess some predictable passwords or brute force the password.


Analysis

by VulDB Data Team • 03/16/2024

This vulnerability affects Ansible Tower versions 3.6.x before 3.6.2 and 3.5.x before 3.5.4. It is triggered when a websocket request is processed with a password containing the '#' character, which acts as a special delimiter (the fragment separator) in URL parsing. The unescaped character causes RabbitMQ to hit a socket error during authentication, while Ansible Tower returns HTTP 500 to the client and exposes part of the password in plaintext. The root cause is inadequate input sanitization and URL-parsing logic in the authentication flow, which opens an information-disclosure path that weakens the security posture of the deployment.

Technically, the flaw lies in the handling of URL-embedded credentials: the '#' character is interpreted as a fragment identifier rather than as part of the password value. When Ansible Tower processes a websocket request whose password contains this character, it fails to escape or percent-encode the character before passing the credentials to RabbitMQ. The resulting malformed authentication request makes RabbitMQ terminate the connection abruptly, and the client receives HTTP 500. The partial password disclosure occurs because the password is logged or processed before proper sanitization, exposing enough of it for an attacker to narrow password guessing or brute-force attempts against the affected account.

The operational impact is significant because the flaw gives attackers a direct route to credential compromise and privilege escalation within Ansible Tower environments. Partial password disclosure lets an adversary gather intelligence about valid credentials, making subsequent brute-force attempts markedly more efficient. The weakness affects the platform's authentication mechanisms, and in particular the websocket endpoint commonly used for real-time communication and monitoring. It is classified under CWE-20 (improper input validation) and CWE-770 (resource allocation without limits or throttling), which together describe the input-handling and resource-management defects that enable credential theft and unauthorized access.

Organizations should upgrade to Ansible Tower 3.6.2 or 3.5.4, which contain the patches that correctly handle special characters in passwords. System administrators should also monitor websocket connections and authentication failures, in particular looking for patterns of HTTP 500 errors that may indicate exploitation attempts. The fix addresses the root cause by applying proper URL encoding and input sanitization before the password is transmitted to backend services; the attack it forecloses, credential access through brute force, corresponds to ATT&CK technique T1110.003. Security teams should additionally consider rate limiting and account lockout to hinder automated brute-force attacks against the affected authentication endpoints, as recommended by NIST SP 800-63B for authentication systems.
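The two preceding paragraphs describe a '#' in a password being parsed as a URL fragment and the fix of percent-encoding credentials before they reach the broker. The following added example (not code from Ansible Tower, RabbitMQ or VulDB) reproduces that failure mode with Python's standard URL parser and shows the hardened builder beside it; the amqp:// URL form, host name, user name and password are constructed assumptions.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed sample values; not taken from Ansible Tower or RabbitMQ.
HOST = "rabbitmq.internal"
PASSWORD_WITH_HASH = "Sup3r#secret"


def build_broker_url_naive(user, password, host=HOST, port=5672):
    # Deliberately weak pattern: credentials are interpolated unescaped,
    # so a '#' inside the password starts a URL fragment.
    return f"amqp://{user}:{password}@{host}:{port}/"


def build_broker_url_safe(user, password, host=HOST, port=5672):
    # Hardened pattern: percent-encode every reserved character in the
    # userinfo, so '#' becomes '%23' and survives parsing intact.
    return f"amqp://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}/"


def parse_credentials(url):
    """Return (username, password, host, fragment) as a URL-aware client sees them."""
    parts = urlsplit(url)
    # Take the host part textually; parts.port would raise on a mangled netloc.
    host = parts.netloc.rpartition("@")[2]
    return (unquote(parts.username or ""), unquote(parts.password or ""),
            host, parts.fragment)


def credentials_survive(password, builder):
    """True if the password and host come back intact after a build/parse round trip."""
    _, parsed_pw, host, _ = parse_credentials(builder("tower", password))
    return parsed_pw == password and host == f"{HOST}:5672"


def redact_url(url):
    """Mask the password before logging; only works if the URL is well-formed."""
    parts = urlsplit(url)
    if parts.password is None:
        # Nothing recognised as a password: a naively built URL with '#' in the
        # password lands here and would be logged in full, leaking its pieces.
        return url
    hostinfo = parts.netloc.rpartition("@")[2]
    return parts._replace(netloc=f"{parts.username}:***@{hostinfo}").geturl()


if __name__ == "__main__":
    for builder in (build_broker_url_naive, build_broker_url_safe):
        url = builder("tower", PASSWORD_WITH_HASH)
        print(builder.__name__, parse_credentials(url), redact_url(url))
```

With the naive builder the password splits into a bogus host:port ("tower:Sup3r") and a fragment ("secret@rabbitmq.internal:5672/"), which is how a client can both fail its socket connection and expose password pieces in an error or log line; the safe builder round-trips the password and lets the redaction helper mask it.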

Responsible

Red Hat, Inc.

Reservation

11/27/2019

Moderation

accepted

CPE

ready

EPSS

0.00198

KEV

no

Activities

very low
