AWS Tough Library and Tuftool CLI Path Traversal Vulnerability Allowing Arbitrary File Write
Vulnerability
A path traversal vulnerability has been identified in the AWS Tough library and its command-line utility, Tuftool, prior to versions 0.22.0 and 0.15.0 respectively. This vulnerability allows remote authenticated users with delegated signing authority to write files outside of the intended output directories. The issue arises from incomplete path traversal fixes, where absolute target names in copy_target or link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write are not properly contained, allowing for unauthorized file writes.
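The three bypass classes named above (absolute target names, `..` components, and symlinked parent directories) can all be rejected by one containment check performed before any write. The function below is an added example written for this page, not code from the tough or tuftool projects; it assumes a writer that resolves a target or metadata filename against a single output directory and that the parent directory of the destination already exists. `safe_target_path`, `outdir`, and `name` are names chosen here, not identifiers from the library.

```rust
// Added example (not tough's own code): contain a TUF target or metadata
// filename within an output directory before writing it. The checks mirror
// the bypass classes named in the advisory: absolute names, `..` components,
// and parent directories that are symlinks pointing outside the output tree.
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

/// Resolve `name` relative to `outdir` and return the real path to write to,
/// or an error if the resolved location would escape `outdir`.
/// The parent directory of the destination must already exist; this function
/// never creates directories, so a symlinked parent cannot be "created through".
pub fn safe_target_path(outdir: &Path, name: &str) -> io::Result<PathBuf> {
    let rel = Path::new(name);

    // 1. Absolute target names (e.g. "/etc/passwd") are rejected outright.
    if rel.is_absolute() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "absolute target name"));
    }
    // 2. Every component must be a plain name: this rejects "..", ".", and
    //    platform prefixes such as "C:\".
    if !rel.components().all(|c| matches!(c, Component::Normal(_))) {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "non-normal path component"));
    }
    // 3. An empty name has nothing to write.
    let file_name = rel
        .file_name()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "empty target name"))?;

    // 4. Resolve the parent directory through any symlinks and require the
    //    real location to still sit under the canonical output directory.
    let base = fs::canonicalize(outdir)?;
    let candidate = base.join(rel);
    let parent = candidate
        .parent()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no parent directory"))?;
    let real_parent = fs::canonicalize(parent)?;
    if !real_parent.starts_with(&base) {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            "parent directory resolves outside the output directory",
        ));
    }

    // 5. The final component must not already be a symlink, otherwise the
    //    write would follow it to wherever it points.
    let final_path = real_parent.join(file_name);
    if let Ok(meta) = fs::symlink_metadata(&final_path) {
        if meta.file_type().is_symlink() {
            return Err(io::Error::new(
                io::ErrorKind::PermissionDenied,
                "destination is a symlink",
            ));
        }
    }
    Ok(final_path)
}

fn main() {
    // Stand-alone demo against the current directory; names that point at
    // a parent that does not exist are reported as rejected (NotFound).
    let outdir = std::env::current_dir().expect("current directory");
    for name in ["targets/a.txt", "/etc/passwd", "../escape.txt"] {
        match safe_target_path(&outdir, name) {
            Ok(p) => println!("{:>16} -> write to {}", name, p.display()),
            Err(e) => println!("{:>16} -> rejected: {}", name, e),
        }
    }
}
```

Canonicalizing both the output directory and the destination's parent, rather than comparing the strings the caller supplied, is what defeats the symlinked-parent case: a link inside the output tree that points outside it resolves to a real path that no longer starts with the canonical base, and the write is refused before it happens.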
Impact
Exploitation of this vulnerability could lead to arbitrary file writes outside of designated directories, potentially overwriting critical files or disrupting application functionality.
Reproduction
To reproduce this vulnerability, first create a TUF repository using Tuftool version 0.14.0 or earlier. After establishing the repository, upload a target file with a symlinked metadata filename that points outside the intended directory. The file will be written to the specified absolute path, bypassing normal directory restrictions.
Remediation
Users are advised to upgrade to Tough version 0.22.0 or later and Tuftool version 0.15.0 or later. Additionally, review and update any forked or derivative code to incorporate the security fixes.
