Type: Local Privilege Escalation
A TOCTOU (time-of-check-to-time-of-use) race vulnerability was present in the ssh_authorized_key type (and theoretically in the Solaris and AIX providers).
When the target file and directory did not exist, each of them would be created as root and later chowned to the user. This made it possible to replace either one with a symlink to an arbitrary file, which would then become owned by that user. This would allow local privilege escalation to root through standard TOCTOU attack techniques.
The risk was exacerbated by the nature of the ssh_authorized_key type, which, unlike most Puppet types, almost always manages data in directories controlled by unprivileged (and likely untrusted) users.
This issue has been fixed by making all file operations happen with the privileges of the target user, ensuring that a user can cause no harm beyond their normal capabilities on the system.
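The pattern behind the fix, sketched in Ruby as an added example (this is not Puppet's actual patch): all directory and file creation happens in a child process that has already become the target user, so no chown is ever needed. The helper names `as_user` and `write_authorized_keys` and the sample key are hypothetical.

```ruby
require 'etc'
require 'tmpdir'

# Run the block in a child process that has permanently become uid/gid.
# Returns true only if the child completed without error.
def as_user(uid, gid)
  pid = fork do
    begin
      if Process.euid != uid
        exit!(2) unless Process.euid.zero?   # only root can switch users
        # Order matters: supplementary groups, then gid, then uid last.
        Process.initgroups(Etc.getpwuid(uid).name, gid)
        Process::GID.change_privilege(gid)
        Process::UID.change_privilege(uid)
      end
      yield
      exit!(0)
    rescue StandardError
      exit!(1)                               # e.g. EACCES through a planted symlink
    end
  end
  Process.wait(pid)
  $?.success?
end

# Create ~/.ssh and authorized_keys entirely as the target user.
# There is no later chown, so there is no check/use gap to race.
def write_authorized_keys(home, uid, gid, content)
  as_user(uid, gid) do
    dir = File.join(home, '.ssh')
    Dir.mkdir(dir, 0o700) unless File.directory?(dir)
    flags = File::WRONLY | File::CREAT | File::TRUNC
    File.open(File.join(dir, 'authorized_keys'), flags, 0o600) { |f| f.write(content) }
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |home|                     # constructed home directory
    key = "ssh-ed25519 AAAA...constructed-sample-key user@example\n"
    puts write_authorized_keys(home, Process.euid, Process.egid, key)
  end
end
```

If `.ssh` or `authorized_keys` has been replaced with a symlink to something the user cannot write, the open fails with a permission error and the call returns false, rather than transferring ownership of the target.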
Credit to Ricky Zhou (email@example.com) for the discovery and fix.
- Resolved in Puppet 2.6.11 and 2.7.5
- Puppet Enterprise Hotfixes released as part of CVE-2011-3869 resolution: http://puppetlabs.com/security/hotfixes/cve-2011-3869-hotfixes/