CVSS 3 Base Score:

Posted On:

Assessed Risk Level:
None

Type: Local Privilege Escalation

The k5login type is typically used to manage a file in the home directory of a user; the explicit purpose of this file is to allow other users access to that account.

This type previously wrote to the target file directly, as root, without doing anything to secure the file. If the .k5login file was replaced with a symlink, the write followed the link, which would allow the owner of the home directory to replace any file on the system, including the .k5login file of a more privileged user, with the “correct” content of their own file.

This issue was discovered during a code audit following the report of the ssh_authorized_key vulnerability, and the fix was very similar.
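The write pattern described above, next to a hardened one, as an added example. It is not Puppet's code or its actual fix; the function names, the temp-file naming and the scratch-directory scenario are assumptions constructed for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Pattern the advisory describes: open the path and write. If the path is a
# symlink, open(2) follows it and the link's target is overwritten.
def naive_write(path, content)
  File.open(path, 'w') { |f| f.write(content) }
end

# Hardened pattern (assumption, not Puppet's patch): write a fresh temp file
# in the same directory, then rename it over the target. CREAT|EXCL refuses
# to open an existing file or symlink, and rename(2) replaces the link itself.
def safe_write(path, content)
  tmp = File.join(File.dirname(path), ".k5login.tmp.#{Process.pid}.#{rand(1 << 32)}")
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(content) }
  File.rename(tmp, path)
end

# Constructed scenario in a scratch directory: "home/.k5login" is a symlink
# to "victim_file", standing in for a file the home owner must not control.
def demo
  Dir.mktmpdir do |root|
    home = File.join(root, 'home')
    Dir.mkdir(home)
    victim = File.join(root, 'victim_file')
    link = File.join(home, '.k5login')
    %i[naive_write safe_write].each_with_object({}) do |writer, results|
      File.write(victim, "original\n")
      FileUtils.rm_f(link)
      File.symlink(victim, link)
      send(writer, link, "user@EXAMPLE.COM\n")
      results[writer] = {
        victim: File.read(victim),
        still_symlink: File.symlink?(link),
        k5login: File.read(link)
      }
    end
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Rename only protects the final path component; a process running as root that writes into a user-owned directory is safer still when it performs the write with the privileges of the file's owner.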

Status:

Affected software versions:

Resolved in:
  • Resolved in Puppet 2.6.11 and 2.7.5