REDHAT-BUG-2487424
A local privilege escalation vulnerability was found in the authorized_key module of the ansible.posix collection. When the module manages a user's ~/.ssh directory and authorized_keys file, its keyfile() function changes ownership with os.chown() rather than os.lchown() and opens the file with a plain open() call (no O_NOFOLLOW), so both operations follow symbolic links. An unprivileged local user who controls the target home directory can pre-stage symlinks in ~/.ssh. When an operator later runs an authorized_key task as root for that account, the module follows the links and changes the ownership of whatever files or directories they point at to the unprivileged user, which is sufficient to escalate to root. This is a sibling of CVE-2024-9902 in the ansible-core user module, which fixed the same symlink-following class in generate_ssh_key; that fix did not cover the authorized_key module, which lives in the separate ansible.posix collection.
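To make the mechanism concrete, here is an added example (not code from ansible.posix, ansible-core or Red Hat): a simplified stand-in for the vulnerable keyfile() pattern next to a hardened variant that opens every path component with O_NOFOLLOW relative to a directory descriptor and does the chown and the write through file descriptors. The function names (vulnerable_keyfile, hardened_keyfile, stage_attack, run_demo), the staged attack layout, the sample key line and the "victim" file are all constructed for this demonstration. It uses the caller's own uid and gid so it can run unprivileged on Linux or macOS; in that setting the observable effect is the write through the link, whereas run as root the same chown would also hand the link target to the attacker.

```python
import errno
import os
import stat
import tempfile

# Constructed sample key line used only for this demonstration (not a real key).
ATTACKER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyFakeKeyFakeKeyFakeKey attacker@host\n"
VICTIM_CONTENTS = "original victim contents\n"


def vulnerable_keyfile(home, uid, gid, key):
    """Simplified stand-in for the vulnerable pattern (not the module's own code):
    os.chown() and open() both follow symbolic links, so a link the attacker
    planted under ~/.ssh redirects the chown and the write to any file root can reach."""
    sshdir = os.path.join(home, ".ssh")
    keyfile = os.path.join(sshdir, "authorized_keys")
    os.makedirs(sshdir, mode=0o700, exist_ok=True)  # no-op when the attacker pre-created it
    os.chown(sshdir, uid, gid)                       # follows a symlinked .ssh
    with open(keyfile, "a") as fh:                   # follows a symlinked authorized_keys
        fh.write(key)
    os.chown(keyfile, uid, gid)                      # ownership lands on the link's target


def hardened_keyfile(home, uid, gid, key):
    """Hypothetical hardened variant (added here): open each path component relative
    to a directory fd with O_NOFOLLOW, check what was actually opened with fstat(),
    and chown/write through the descriptor. A planted symlink makes open() fail
    with ELOOP instead of being followed."""
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    home_fd = os.open(home, dir_flags)
    try:
        try:
            os.mkdir(".ssh", 0o700, dir_fd=home_fd)
        except FileExistsError:
            pass
        ssh_fd = os.open(".ssh", dir_flags, dir_fd=home_fd)  # ELOOP if .ssh is a symlink
        try:
            os.fchown(ssh_fd, uid, gid)                       # acts on the directory we opened
            key_fd = os.open("authorized_keys",
                             os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW,
                             0o600, dir_fd=ssh_fd)            # ELOOP if authorized_keys is a symlink
            try:
                st = os.fstat(key_fd)
                # O_NOFOLLOW does not stop a hard link to a root-owned file, so refuse
                # anything that is not a plain regular file with a single link.
                if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                    raise OSError(errno.EPERM, "authorized_keys is not a private regular file")
                os.write(key_fd, key.encode())
                os.fchown(key_fd, uid, gid)
            finally:
                os.close(key_fd)
        finally:
            os.close(ssh_fd)
    finally:
        os.close(home_fd)


def stage_attack(root):
    """Constructed attacker setup: a stand-in for a root-owned target file and a
    home directory whose ~/.ssh/authorized_keys is a symlink pointing at it."""
    victim = os.path.join(root, "victim_target")
    with open(victim, "w") as fh:
        fh.write(VICTIM_CONTENTS)
    home = os.path.join(root, "home")
    os.makedirs(os.path.join(home, ".ssh"), mode=0o700)
    os.symlink(victim, os.path.join(home, ".ssh", "authorized_keys"))
    return home, victim


def run_demo():
    """Runs both variants against a freshly staged attack and then the hardened
    variant against a clean home. Uses the caller's own uid/gid so it runs
    unprivileged; run as root, the vulnerable chown would additionally hand the
    victim file to the attacker."""
    uid, gid = os.getuid(), os.getgid()
    results = {}
    with tempfile.TemporaryDirectory() as root:
        home, victim = stage_attack(root)
        vulnerable_keyfile(home, uid, gid, ATTACKER_KEY)
        with open(victim) as fh:
            results["vulnerable_wrote_through_link"] = ATTACKER_KEY in fh.read()
    with tempfile.TemporaryDirectory() as root:
        home, victim = stage_attack(root)
        try:
            hardened_keyfile(home, uid, gid, ATTACKER_KEY)
            results["hardened_refused_with_eloop"] = False
        except OSError as exc:
            results["hardened_refused_with_eloop"] = exc.errno == errno.ELOOP
        with open(victim) as fh:
            results["hardened_victim_intact"] = fh.read() == VICTIM_CONTENTS
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home")
        os.mkdir(home)
        hardened_keyfile(home, uid, gid, ATTACKER_KEY)
        with open(os.path.join(home, ".ssh", "authorized_keys")) as fh:
            results["hardened_writes_clean_home"] = fh.read() == ATTACKER_KEY
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two points worth noting from the hardened variant. Swapping os.chown() for os.lchown() alone would stop the ownership change from landing on the link target, but the plain open() would still write through the link, so both operations have to be fixed. And O_NOFOLLOW only defends against symbolic links; where fs.protected_hardlinks is off, a hard link to a root-owned file passes O_NOFOLLOW, which is why the variant also refuses any file whose st_nlink is not 1.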
Frequently Asked Questions
What is the severity of REDHAT-BUG-2487424?
REDHAT-BUG-2487424 is rated high severity, with a score of 7.
What type of vulnerability is REDHAT-BUG-2487424?
REDHAT-BUG-2487424 is a local privilege escalation vulnerability.
How can an attacker exploit REDHAT-BUG-2487424?
An unprivileged local user can exploit REDHAT-BUG-2487424 by pre-staging symbolic links in their own ~/.ssh directory that point at files or directories owned by root, then waiting for an operator to run an authorized_key task as root against that account; the module follows the links and changes the ownership of their targets to the attacker.
How do I fix REDHAT-BUG-2487424?
To fix REDHAT-BUG-2487424, update the ansible.posix collection to a release that contains the fix for this vulnerability. Until that is done, avoid running the authorized_key module as root against accounts whose home directories can be modified by untrusted local users.
Who is affected by REDHAT-BUG-2487424?
Anyone who runs the ansible.posix authorized_key module with root privileges against accounts whose ~/.ssh directory can be modified by an untrusted local user is potentially affected by REDHAT-BUG-2487424.