mcollective-sshkey-security missing input sanitization

  • Posted June 30, 2017
  • Assessed risk level: low
  • CVSS v3 score: 3.4

Versions of mcollective-sshkey-security before 0.5.1 used a server-specified identifier as part of the path to which a file is written. A compromised server could use this to write a file to an arbitrary location on the client, with the string “_pub.pem” appended to the filename.
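The following is an added example, not code from the plugin or the advisory: a stand-alone re-implementation of the normalisation check that 0.5.1 introduces (rejecting the identity when `File.expand_path` changes the joined path), next to a stricter containment check, run over constructed identities. The `publickey_dir` value is constructed for the example; the page does not state where the plugin stores keys.

```ruby
# Added example (not from the advisory or the plugin). Shows how a
# server-supplied identity becomes part of the key file path and how two
# different checks treat it.

# Constructed directory for the example; not the plugin's real location.
PUBLICKEY_DIR = "/var/lib/mcollective/pubkeys"

# Mirrors the 0.5.1 approach: join, then reject the identity if
# normalising the result changes it (which is what ".." segments do).
# Returns the path to use, or nil when the identity is rejected.
def keyfile_path_normalised(publickey_dir, identity)
  dir = File.expand_path(publickey_dir)
  candidate = File.join(dir, "#{identity}_pub.pem")
  File.expand_path(candidate) == candidate ? candidate : nil
end

# Stricter variant: the normalised file must sit directly inside
# publickey_dir, so identities containing "/" are rejected as well.
def keyfile_path_contained(publickey_dir, identity)
  dir = File.expand_path(publickey_dir)
  candidate = File.expand_path(File.join(dir, "#{identity}_pub.pem"))
  File.dirname(candidate) == dir ? candidate : nil
end

# Constructed identities a server might return: a normal hostname, a
# traversal attempt, and a value that is not a traversal but still
# escapes the flat key directory.
SAMPLE_IDENTITIES = ["web01", "../../../tmp/evil", "sub/web01"]

if __FILE__ == $PROGRAM_NAME
  SAMPLE_IDENTITIES.each do |identity|
    puts "#{identity.inspect}:"
    puts "  normalised check -> #{keyfile_path_normalised(PUBLICKEY_DIR, identity).inspect}"
    puts "  containment check -> #{keyfile_path_contained(PUBLICKEY_DIR, identity).inspect}"
  end
end
```

The third identity shows the difference between the two checks: normalisation alone accepts a nested path because `File.join` and `File.expand_path` leave it unchanged, while the containment check rejects it.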

mcollective-sshkey-security is not enabled by default in Puppet Enterprise, and we do not believe it is widely used. It is not packaged with Puppet FOSS.

To mitigate this issue, disable the plugin, or apply the following patch. Puppet FOSS users can also manually upgrade to versions >= 0.5.1 of the plugin. We strongly suggest moving away from this plugin and will be removing it from the next major release of PE.

Patch details:

diff --git a/security/sshkey.rb b/security/sshkey.rb
index eb3f0d0..7cf024d 100644
--- a/security/sshkey.rb
+++ b/security/sshkey.rb
@@ -142,7 +142,14 @@ module MCollective

         if File.directory?(publickey_dir)
-          if File.exists?(old_keyfile = File.join(publickey_dir, "#{identity}_pub.pem"))
+          # Reject identity if it would result in directory traversal.
+          old_keyfile = File.join(File.expand_path(publickey_dir), "#{identity}_pub.pem")
+          unless File.expand_path(old_keyfile) == old_keyfile
+            Log.warn("Identity returned by server would result in directory traversal. Not writing key to disk.")
+            return
+          end
+          if File.exists?(old_keyfile)
             old_key = File.read(old_keyfile).chomp

             unless old_key == key

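Review bot: the check `unless File.expand_path(old_keyfile) == old_keyfile` only asserts that the joined path is already in normal form, so it rejects `..` segments but still accepts an identity containing a forward slash (a nested path below `publickey_dir`), since `File.join` collapses a leading separator and `File.expand_path` leaves an already-normalised nested path unchanged. A direct containment check, `File.dirname(File.expand_path(old_keyfile)) == File.expand_path(publickey_dir)`, or validating `identity` against the characters the plugin allows in an identity before building the path, would express the intent more precisely. Minor: `File.exists?` is deprecated in favour of `File.exist?`.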

Affected Software Versions:

  • mcollective-sshkey-security prior to 0.5.1

Resolved In:

  • mcollective-sshkey-security 0.5.1