Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 385149 (CVE-2011-3869) - <app-admin/puppet-2.6.11 : privilege escalation and symlink attack (CVE-2011-{3869,3870,3871})
Summary: <app-admin/puppet-2.6.11 : privilege escalation and symlink attack (CVE-2011-...
Status: RESOLVED FIXED
Alias: CVE-2011-3869
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks: CVE-2011-3848
  Show dependency tree
 
Reported: 2011-09-30 22:20 UTC by Matthew Marlowe
Modified: 2012-03-06 01:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthew Marlowe gentoo-dev 2011-09-30 22:20:12 UTC
Just received on puppet-users ml:

                                      
Announce: New Puppet releases due to four security issues
=====

Following the security vulnerability announced yesterday (CVE-2011-3848),
Ricky Zhou (<ricky@fedorapeople.org>) alerted us to an unrelated
vulnerability. Our subsequent code audit uncovered three more vulnerabilities,
and we have now fixed all four of these new issues. (It's been a busy week.)

We have released the following updated versions of Puppet to fix these
vulnerabilities:

* 2.7.5
* 2.6.11

WE RECOMMEND UPDATING TO THESE VERSIONS IMMEDIATELY, as an issue with our ticketing
system resulted in information about these issues leaking to a
public list prior to this disclosure. Official announcements of these releases
are forthcoming momentarily, and the new versions can be downloaded at:

* http://puppetlabs.com/security/hotfixes
* http://puppetlabs.com/downloads/puppet 

PUPPET ENTERPRISE USERS can download hotfix packages for PE versions 1.0, 1.1,
and 1.2.x at:

* http://puppetlabs.com/security/hotfixes

Puppet Labs has been coordinating with Debian, Ubuntu, EPEL and OpenSuSE
maintainers.  We expect new packages (with a patch backported in many cases)
to be released very soon, and downstream packagers may also release Puppet
0.25.x packages that include these fixes. Thank you for your patience, and as
always, please report security vulnerabilities to security@puppetlabs.com.

Vulnerability Details
---------------------

The following vulnerabilities have been discovered and fixed: 

* CVE-2011-3870, a symlink attack via a user's SSH authorized_keys file
* CVE-2011-3869, a symlink attack via a user's .k5login file
* CVE-2011-3871, a privilege escalation attack via the temp file used by the puppet resource application
* A low-risk file indirector injection attack


SSH Authorized Keys Symlink -- CVE-2011-3870 (Critical)
----------------------

Type: Local Privilege Escalation

Credit to Ricky Zhou <ricky@fedorapeople.org> for the discovery and fix.

A TOCTOU (time-of-check-to-time-of-use) race vulnerability was present in the
ssh_authorized_key type (and theoretically in the Solaris and AIX providers).
When the target file and directory did not exist, each of them would be
created as root and later chowned to the user. This made it possible to
replace either one with a symlink to an arbitrary file, which would then
become owned by that user. This would allow local privilege escalation to root
through standard TOCTOU attack techniques.

Unlike most Puppet types, this risk was exacerbated by the nature of the
ssh_authorized_key type, which almost always manages data in directories
controlled by unprivileged (and likely untrusted) users.

This issue has been fixed by making all file operations happen with the
privileges of the target user, ensuring that a user can cause no harm beyond
their normal capabilities on the system.


k5login attach -- CVE-2011-3869 (Critical)
----------------------

Type: Local Privilege Escalation

The k5login type is typically used to manage a file in the home
directory of a user; the explicit purpose of this file is to allow
access to other users. 

This type previously wrote to the target file directly, as root, without doing
anything to secure the file. If the .k5login file was replaced with a symlink,
this would allow the owner of the home directory to replace any file on the
system, including the .k5login file of a more privileged user, with the
“correct” content of their own file.

This issue was discovered during a code audit following the report of the ssh_authorized_key vulnerability, and the fix was very similar.


Predictable temp file using RAL -- CVE-2011-3871 (Critical)
----------------------

Type: Local Privilege Escalation

Previously, puppet resource in --edit mode used an extremely predictable file
name, which would persist on human timescales, could be known well ahead of
creation, and would be run as the invoking user upon completion of the
operation.

This could be exploited to trick the invoking user into editing an arbitrary
target file, or running arbitrary Puppet code. As puppet resource is not very
effective when not run as root, the potential effect of an attack was quite
high.


File indirector injection (Low risk)
----------------------

The indirector/file.rb terminus base class trusted the request key and used it
as part of the pathname, like the YAML and SslFile terminus base classes did.

The mitigating factor in this vulnerability was that this code was unused
except in one unit test, which has been rewritten.






If you have any questions or need additional clarification on
anything, please respond to security@puppetlabs.com.




Thanks,
Michael Stahnke
Release Manager - Puppet Labs
Comment 1 Agostino Sarubbo gentoo-dev 2011-09-30 23:35:33 UTC
Thanks Matthew for the report.
Comment 2 MATSUU Takuto (RETIRED) gentoo-dev 2011-10-01 00:08:46 UTC
2.6.11 and 2.7.5 in cvs.
please mark stable 2.6.11
Comment 3 Agostino Sarubbo gentoo-dev 2011-10-01 00:13:57 UTC
(In reply to comment #2)
> 2.6.11 and 2.7.5 in cvs.
> please mark stable 2.6.11

Great, thank you.

Arches, please test and mark stable:
=app-admin/puppet-2.6.11
Target keywords : "amd64 hppa ppc sparc x86"
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-01 21:02:22 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-01 21:59:04 UTC
amd64 ok
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2011-10-03 18:06:26 UTC
ditt Ago
Comment 7 Jeroen Roovers gentoo-dev 2011-10-03 20:15:46 UTC
Stable for HPPA.
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-10-06 07:38:29 UTC
amd64 done. Thanks Agostino and Ian
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-10-08 17:47:09 UTC
sparc stable
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-09 17:43:56 UTC
ppc stable, last arch done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-10-09 18:01:11 UTC
Thanks, folks. Added to existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-11-16 23:31:27 UTC
CVE-2011-3871 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3871):
  Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in
  --edit mode, uses a predictable file name, which allows local users to run
  arbitrary Puppet code or trick a user into editing arbitrary files.

CVE-2011-3870 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3870):
  Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local
  users to modify the permissions of arbitrary files via a symlink attack on
  the SSH authorized_keys file.

CVE-2011-3869 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3869):
  Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local
  users to overwrite arbitrary files via a symlink attack on the .k5login
  file.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 01:32:04 UTC
This issue was resolved and addressed in
 GLSA 201203-03 at http://security.gentoo.org/glsa/glsa-201203-03.xml
by GLSA coordinator Sean Amoss (ackle).