
CVE-2013-2233: Ansible fails to cache SSH host keys

CVSS Score: 7.4 (CVSS 3.0)

Basic Information

EPSS Score: 0.58028%
CWE: -
Published: 10/10/2018
Updated: 11/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name: ansible
Ecosystem: pip
Vulnerable Versions: < 1.2.1
First Patched Version: 1.2.1

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from Ansible's Paramiko SSH implementation using AutoAddPolicy by default, which accepts any host key presented by a server instead of validating it against known hosts. The GitHub issue #857 and the Red Hat bug report explicitly reference line 78 of paramiko_ssh.py, where the host key policy is set. The missing call to ssh.load_system_host_keys() and the use of AutoAddPolicy instead of a verification policy directly enable the insecure behavior: a client that never loads known host keys has nothing to check a server's key against, so an attacker positioned between Ansible and its managed host can present their own key and is accepted. The connection establishment logic in _connect() is the root cause.
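To make the difference between the two policies concrete, the following is an added example written for this page; it is not code from Ansible, Paramiko or Miggo. It implements a small known_hosts checker (plain and OpenSSH-hashed entries) and models Paramiko's decision: a known host with a different key is refused regardless of policy, and only an unknown host reaches the missing-host-key policy, where AutoAddPolicy silently accepts and RejectPolicy refuses. The hostnames, keys and salt are constructed sample data; build_client is a hypothetical helper that shows the Paramiko calls named in the analysis and only needs the paramiko package when called.

```python
# Added example (not Ansible, Paramiko or Miggo code): a minimal known_hosts
# checker plus a model of Paramiko's AutoAddPolicy/RejectPolicy decision.
# Every hostname, key and salt below is a constructed sample.
import base64
import hashlib
import hmac


def hashed_host_pattern(hostname, salt):
    """Build an OpenSSH hashed known_hosts pattern: |1|<salt b64>|<HMAC-SHA1 b64>."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_matches(pattern, hostname):
    """True if one known_hosts host pattern (plain or |1| hashed) names hostname."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return pattern == hostname


def parse_known_hosts(text):
    """Yield (host patterns, key type, base64 key blob) per entry; skip comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry: ignore it rather than trust it
        yield fields[0].split(","), fields[1], fields[2]


def check_host_key(known_hosts_text, hostname, key_type, key_b64):
    """Return 'match', 'mismatch' or 'unknown' for the key a server presented."""
    seen = False
    for patterns, ktype, blob in parse_known_hosts(known_hosts_text):
        if ktype != key_type or not any(host_matches(p, hostname) for p in patterns):
            continue
        seen = True
        if hmac.compare_digest(blob.encode(), key_b64.encode()):
            return "match"
    return "mismatch" if seen else "unknown"


def connection_allowed(policy, verdict):
    """Model Paramiko's decision: a known host with a different key is refused
    whatever the policy (BadHostKeyException); only an unknown host reaches the
    missing-host-key policy, where AutoAddPolicy (the Ansible < 1.2.1 default)
    accepts it and RejectPolicy refuses it."""
    if verdict == "match":
        return True
    if verdict == "mismatch":
        return False
    return policy == "AutoAddPolicy"


def build_client(strict=True):
    """Hypothetical helper showing the Paramiko calls themselves (needs paramiko)."""
    import paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()  # the call the vulnerable transport omitted
    if strict:
        client.set_missing_host_key_policy(paramiko.RejectPolicy())
    else:
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # vulnerable default
    return client


# Constructed sample data: one plain entry with two names and one hashed entry.
GOOD_KEY = base64.b64encode(b"constructed-sample-host-key-A").decode()
OTHER_KEY = base64.b64encode(b"constructed-sample-host-key-B").decode()
SALT = b"constructed-20B-salt"
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "web1.example.test,10.0.0.5 ssh-ed25519 " + GOOD_KEY,
    hashed_host_pattern("db1.example.test", SALT) + " ssh-ed25519 " + GOOD_KEY,
])


if __name__ == "__main__":
    cases = [("web1.example.test", GOOD_KEY), ("db1.example.test", GOOD_KEY),
             ("web1.example.test", OTHER_KEY), ("new.example.test", GOOD_KEY)]
    for host, key in cases:
        verdict = check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key)
        print(host, verdict,
              "AutoAddPolicy:", connection_allowed("AutoAddPolicy", verdict),
              "RejectPolicy:", connection_allowed("RejectPolicy", verdict))
```

The unknown-host case is the one that matters for this CVE: with an empty or unloaded known_hosts every host is unknown, so AutoAddPolicy accepts whatever key is offered, while RejectPolicy combined with load_system_host_keys() turns a substituted key into a refused connection.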


WAF Protection Rules

WAF Rule: Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys.
