CVE-2024-6840
📋 TL;DR
An improper authorization flaw in Ansible Automation Controller allows an attacker to use the Kubernetes API server to send HTTP requests bearing a service account token that was mounted into a pod via automountServiceAccountToken: true, escalating privileges to that service account. This affects organizations running Ansible Automation Controller in Kubernetes environments where service accounts are improperly configured.
💻 Affected Systems
- Red Hat Ansible Automation Platform
- Ansible Automation Controller
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Ansible Automation Controller environment, allowing attackers to execute arbitrary commands, access sensitive data, and potentially pivot to other systems in the Kubernetes cluster.
Likely Case
Unauthorized access to Ansible Automation Controller resources, privilege escalation within the controller, and potential data exfiltration or configuration changes.
If Mitigated
Limited impact with proper network segmentation, service account restrictions, and monitoring in place.
🎯 Exploit Status
Exploitation requires access to Kubernetes API server and knowledge of service account token usage. Attacker needs to be able to send HTTP requests with valid service account tokens.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Ansible Automation Platform 2.4.8, 2.3.11, 2.2.15
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:6428
Restart Required: Yes
Instructions:
1. Update Ansible Automation Controller to a patched version.
2. Apply the Red Hat security update via yum update ansible-automation-controller.
3. Restart the controller services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable automountServiceAccountToken
Set automountServiceAccountToken: false on service accounts in Kubernetes deployments to prevent token mounting.
kubectl patch serviceaccount default -p '{"automountServiceAccountToken": false}'
kubectl patch serviceaccount <service-account-name> -p '{"automountServiceAccountToken": false}'
Restrict Network Access
Implement network policies to restrict access to Ansible Automation Controller from Kubernetes pods.
kubectl apply -f network-policy.yaml (with appropriate deny rules)
🧯 If You Can't Patch
- Implement strict network segmentation between Kubernetes pods and Ansible Automation Controller
- Disable automountServiceAccountToken on all service accounts and use explicit token mounting only where necessary
🔍 How to Verify
Check if Vulnerable:
Check Ansible Automation Controller version and verify if running in Kubernetes with automountServiceAccountToken: true on service accounts.
Check Version:
ansible-automation-controller --version or check package version via rpm -q ansible-automation-controller
Verify Fix Applied:
Verify controller version is 2.4.8, 2.3.11, or 2.2.15 or later. Test that service account tokens cannot be used for unauthorized access.
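The "Check if Vulnerable" step above and the automountServiceAccountToken workaround both come down to knowing which pods actually get a token mounted. The following audit helper is an added example, not part of this advisory or of Red Hat's tooling: it takes the parsed JSON of `kubectl get sa -A -o json` and `kubectl get pods -A -o json` and lists pods whose effective setting is true, honouring the Kubernetes rule that a pod spec's own automountServiceAccountToken field overrides the service account's, and that an unset field on both means the token is mounted. The sample data and namespace names are constructed.

```python
def _index_service_accounts(sa_list):
    """Map (namespace, name) -> automountServiceAccountToken (None if unset)."""
    return {
        (sa["metadata"]["namespace"], sa["metadata"]["name"]):
            sa.get("automountServiceAccountToken")
        for sa in sa_list["items"]
    }


def pods_with_token_mounted(sa_list, pod_list):
    """Return sorted 'namespace/pod (serviceaccount)' entries for pods whose
    effective automount setting is true. Precedence: pod spec field, then the
    ServiceAccount field, then the Kubernetes default (true)."""
    sa_settings = _index_service_accounts(sa_list)
    exposed = []
    for pod in pod_list["items"]:
        ns = pod["metadata"]["namespace"]
        spec = pod["spec"]
        sa_name = spec.get("serviceAccountName", "default")
        pod_level = spec.get("automountServiceAccountToken")
        if pod_level is not None:
            effective = pod_level  # pod spec wins over the ServiceAccount
        else:
            sa_level = sa_settings.get((ns, sa_name))
            effective = True if sa_level is None else sa_level
        if effective:
            exposed.append(f"{ns}/{pod['metadata']['name']} ({sa_name})")
    return sorted(exposed)


# Constructed sample data in the same shape kubectl -o json returns.
SAMPLE_SAS = {"items": [
    {"metadata": {"namespace": "aap", "name": "default"}, "automountServiceAccountToken": False},
    {"metadata": {"namespace": "aap", "name": "controller"}},           # unset -> default true
    {"metadata": {"namespace": "apps", "name": "default"}, "automountServiceAccountToken": False},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "aap", "name": "web-0"}, "spec": {"serviceAccountName": "controller"}},
    {"metadata": {"namespace": "aap", "name": "task-0"}, "spec": {"serviceAccountName": "default"}},
    {"metadata": {"namespace": "apps", "name": "batch-1"},
     "spec": {"serviceAccountName": "default", "automountServiceAccountToken": True}},  # pod overrides SA
    {"metadata": {"namespace": "apps", "name": "batch-2"}, "spec": {}},  # falls back to apps/default
]}

if __name__ == "__main__":
    for entry in pods_with_token_mounted(SAMPLE_SAS, SAMPLE_PODS):
        print("token mounted:", entry)
```

Any pod it lists still needs a NetworkPolicy (or a token-free pod spec) before the workaround can be considered complete.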
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Ansible Automation Controller API
- Unusual service account token usage patterns
- Failed authentication attempts from Kubernetes service accounts
Network Indicators:
- HTTP requests to Ansible Automation Controller from Kubernetes pods using service account tokens
- Unusual API call patterns from Kubernetes cluster IPs
SIEM Query:
source="ansible-controller-logs" AND (http_status=401 OR http_status=403) AND user_agent="k8s-api-server"