This bug is used to keep track of the keylime review report issue 2.c:

It looks like it is possible to simply post arbitrary new values for the U and
V key parts and provide a new configuration payload to the agent, only knowing
the agent's UUID. The agent's UUID can be public or semi-public information
like when `agent_uuid=hostname` is configured. From the Keylime paper [2,
section 3.2.2] it sounds like the UUID HMAC check is not considered a security
feature but only a sanity check:

> This provides the node with a quick check to determine if Kb is correct.

When `extract_payload_script=true` (default) and `payload_script=autorun.sh`
(default) are configured in `keylime.conf` then the provided payload will be
unzipped and a potentially contained `autorun.sh` script is executed with full
root privileges. Attached you can find a reproducer script `post_key.py` that
demonstrates the issue by creating a file `/tmp/evil` on the agent host by
only providing the agent hostname and UUID as input parameters.

Even if `payload_script` is disabled then the extraction of a ZIP file as
_root_ might result in a remote root exploit by extracting files outside of
the intended target directory. I did not test this variant of the attack
vector, though. Furthermore by providing a ZIP bomb as payload the agent
process can be subjected to a remote DoS through memory exhaustion.

Retrieving the full symmetric key previously stored in
`/var/lib/keylime/secure/derived_tci_key` should not be possible this way,
because when performing the bootstrap protocol, the previous data is removed
in
`keylime_agent.py:242`. A skillful attacker might attempt to first compromise
the agent node and then wait for the tenant to re-deploy the agent using
authentic keys and payload. Should this happen then the attacker can obtain
the secret symmetric key from the compromised agent node after all.

Similar to issue b) I recommend to somehow authenticate and cryptographically
secure this agent interface to prevent these attacks. As a hotfix disabling
the relevant configuration features should at least prevent the remote code
execution and memory exhaustion attack vectors. Setting non-predictable UUID
values can also help (but one should also consider item 3.a in this context).
Even then this interface still allows to disrupt the operational state of the
agent host by simply overwriting its current configuration.

[3]: https://www.ll.mit.edu/sites/default/files/publication/doc/2018-04/2016_12_07_SchearN_ACSAC_FP.pdf