Announce: New Puppet releases due to four security issues [critical security updates]

[Michael Stahnke]

                                                               
                                             
Announce: New Puppet releases due to four security issues
=====

Following the security vulnerability announced yesterday (CVE-2011-3848),
Ricky Zhou (<ri...@fedorapeople.org>) alerted us to an unrelated
vulnerability. Our subsequent code audit uncovered three more vulnerabilities,
and we have now fixed all four of these new issues. (It's been a busy week.)

We have released the following updated versions of Puppet to fix these
vulnerabilities:

* 2.7.5
* 2.6.11

WE RECOMMEND UPDATING TO THESE VERSIONS IMMEDIATELY, as an issue with our ticketing
system resulted in information about these issues leaking to a
public list prior to this disclosure. Official announcements of these releases
are forthcoming momentarily, and the new versions can be downloaded at:

* http://puppetlabs.com/security/hotfixes
* http://puppetlabs.com/downloads/puppet 

PUPPET ENTERPRISE USERS can download hotfix packages for PE versions 1.0, 1.1,
and 1.2.x at:

* http://puppetlabs.com/security/hotfixes

Puppet Labs has been coordinating with Debian, Ubuntu, EPEL and OpenSuSE
maintainers.  We expect new packages (with a patch backported in many cases)
to be released very soon, and downstream packagers may also release Puppet
0.25.x packages that include these fixes. Thank you for your patience, and as
always, please report security vulnerabilities to secu...@puppetlabs.com.

Vulnerability Details
---------------------

The following vulnerabilities have been discovered and fixed: 

* CVE-2011-3870, a symlink attack via a user's SSH authorized_keys file
* CVE-2011-3869, a symlink attack via a user's .k5login file
* CVE-2011-3871, a privilege escalation attack via the temp file used by the puppet resource application
* A low-risk file indirector injection attack


SSH Authorized Keys Symlink -- CVE-2011-3870 (Critical)
----------------------

Type: Local Privilege Escalation

Credit to Ricky Zhou <ri...@fedorapeople.org> for the discovery and fix.

A TOCTOU (time-of-check-to-time-of-use) race vulnerability was present in the
ssh_authorized_key type (and theoretically in the Solaris and AIX providers).
When the target file and directory did not exist, each of them would be
created as root and later chowned to the user. This made it possible to
replace either one with a symlink to an arbitrary file, which would then
become owned by that user. This would allow local privilege escalation to root
through standard TOCTOU attack techniques.

Unlike most Puppet types, this risk was exacerbated by the nature of the
ssh_authorized_key type, which almost always manages data in directories
controlled by unprivileged (and likely untrusted) users.

This issue has been fixed by making all file operations happen with the
privileges of the target user, ensuring that a user can cause no harm beyond
their normal capabilities on the system.


k5login attach -- CVE-2011-3869 (Critical)
----------------------

Type: Local Privilege Escalation

The k5login type is typically used to manage a file in the home
directory of a user; the explicit purpose of this file is to allow
access to other users. 

This type previously wrote to the target file directly, as root, without doing
anything to secure the file. If the .k5login file was replaced with a symlink,
this would allow the owner of the home directory to replace any file on the
system, including the .k5login file of a more privileged user, with the
“correct” content of their own file.

This issue was discovered during a code audit following the report of the ssh_authorized_key vulnerability, and the fix was very similar.


Predictable temp file using RAL -- CVE-2011-3871 (Critical)
----------------------

Type: Local Privilege Escalation

Previously, puppet resource in --edit mode used an extremely predictable file
name, which would persist on human timescales, could be known well ahead of
creation, and would be run as the invoking user upon completion of the
operation.

This could be exploited to trick the invoking user into editing an arbitrary
target file, or running arbitrary Puppet code. As puppet resource is not very
effective when not run as root, the potential effect of an attack was quite
high.


File indirector injection (Low risk)
----------------------

The indirector/file.rb terminus base class trusted the request key and used it
as part of the pathname, like the YAML and SslFile terminus base classes did.

The mitigating factor in this vulnerability was that this code was unused
except in one unit test, which has been rewritten.






If you have any questions or need additional clarification on
anything, please respond to secu...@puppetlabs.com.




Thanks,
Michael Stahnke
Release Manager - Puppet Labs