CVE-2020-10709 – This vulnerability in Ansible Tower allows atta... (How to Fix)

Q: What is the severity of CVE-2020-10709?

CVE-2020-10709 has a CVSS score of 7.1 (HIGH). This vulnerability in Ansible Tower allows attackers to obtain non-expiring OAuth2 refresh tokens when requesting authentication tokens. Any user who gains access to these tokens can achieve full authentication to Ansible Tower without proper authorization. This affects Ansible Tower versions before 3.6.4 and versions before 3.5.6.

📋 TL;DR

This vulnerability in Ansible Tower allows attackers to obtain non-expiring OAuth2 refresh tokens when requesting authentication tokens. Any user who gains access to these tokens can achieve full authentication to Ansible Tower without proper authorization. This affects Ansible Tower versions before 3.6.4 and versions before 3.5.6.

💻 Affected Systems

Products:

Ansible Tower

Versions: Versions before 3.6.4 and versions before 3.5.6

Operating Systems: All supported platforms (Linux-based)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems using OAuth2 authentication; requires OAuth2 application configuration to be exploitable.

📦 What is this software?

Ansible Tower by Redhat

View all CVEs affecting Ansible Tower →

Ansible Tower by Redhat

View all CVEs affecting Ansible Tower →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain persistent administrative access to Ansible Tower, enabling complete control over infrastructure automation, credential theft, and lateral movement across managed systems.

🟠

Likely Case

Unauthorized users obtain long-term access to Ansible Tower with the permissions of compromised accounts, potentially leading to configuration changes, job execution, and credential exposure.

🟢

If Mitigated

Limited impact with proper network segmentation, monitoring, and quick token revocation, though authentication bypass remains possible.

🌐 Internet-Facing: HIGH if OAuth2 endpoints are exposed to the internet, as attackers can directly exploit the flaw without internal access.

🏢 Internal Only: MEDIUM for internal networks, requiring attacker access to the network but potentially enabling privilege escalation and lateral movement.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires access to OAuth2 token request endpoints; no public exploit code is known, but the vulnerability is straightforward to abuse.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.4 or 3.5.6

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1824033

Restart Required: Yes

Instructions:

1. Backup Ansible Tower configuration and data. 2. Upgrade to version 3.6.4 or 3.5.6 using the official upgrade instructions. 3. Restart Ansible Tower services to apply the patch.

🔧 Temporary Workarounds

Disable OAuth2 Applications

linux

Temporarily disable OAuth2 authentication to prevent token exploitation.

ansible-tower-service stop
Edit configuration to remove OAuth2 settings
ansible-tower-service start

Restrict Network Access

linux

Limit access to OAuth2 endpoints using firewall rules to trusted IPs only.

iptables -A INPUT -p tcp --dport <port> -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <port> -j DROP

🧯 If You Can't Patch

Monitor and revoke all existing OAuth2 tokens regularly to limit exposure.
Implement network segmentation to isolate Ansible Tower from untrusted networks.

🔍 How to Verify

Check if Vulnerable:

Check the Ansible Tower version; if it's below 3.6.4 or 3.5.6, it is vulnerable.

Check Version:

ansible-tower-service --version or check the web interface under Settings > System

Verify Fix Applied:

After patching, verify the version is 3.6.4 or higher (or 3.5.6 for that branch) and test OAuth2 token expiration behavior.

📡 Detection & Monitoring

Log Indicators:

Unusual OAuth2 token requests from unexpected IPs
Multiple refresh token issuances for single users
Authentication logs showing token reuse

Network Indicators:

HTTP requests to /api/v2/o/authorize/ or token endpoints with abnormal patterns
Traffic spikes to OAuth2 endpoints

SIEM Query:

source="ansible-tower" AND (event="oauth2_token" OR event="refresh_token") | stats count by src_ip

📊 Metadata

CVE ID: CVE-2020-10709

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-287

Published: May 27, 2021

Last Updated: November 21, 2024

🔗 References

https://bugzilla.redhat.com/show_bug.cgi?id=1824033 Issue Tracking,Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1824033 Issue Tracking,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-10709, you might also want to check these: