(CVE-2012-3864) puppet: multiple vulnerabilities for 2.7.17 and earlier releases (CVE-(2012-{3408,3864,3865,3866,3867})
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Gentoo Linux |
Fix Released
|
Low
|
|||
puppet (Ubuntu) |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
Lucid |
Fix Released
|
Undecided
|
Unassigned | ||
Natty |
Fix Released
|
Undecided
|
Unassigned | ||
Oneiric |
Fix Released
|
Undecided
|
Unassigned | ||
Precise |
Fix Released
|
Undecided
|
Unassigned | ||
Quantal |
Fix Released
|
Undecided
|
Marc Deslauriers |
Bug Description
http://
This is a security release in the 2.7.x branch.
CVE-2012-3864 Arbitrary file read on the puppet master from authenticated clients (high)
It is possible to construct an HTTP get request from an authenticated
client with a valid certificate that will return the contents of an arbitrary
file on the Puppet master that the master has read-access to.
CVE-2012-3865 Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high)
Given a Puppet master with the "Delete" directive allowed in auth.conf
for an authenticated host, an attacker on that host can send a specially
crafted Delete request that can cause an arbitrary file deletion on the
Puppet master, potentially causing a denial of service attack. Note that
this vulnerability does *not* exist in Puppet as configured by default.
CVE-2012-3866 last_run_
The most recent Puppet run report is stored on the Puppet master
with world-readable permissions. The report file contains the context
diffs of any changes to configuration on an agent, which may contain
sensitive information that an attacker can then access. The last run
report is overwritten with every Puppet run.
Arbitrary file read on the Puppet master by an agent (medium)
This vulnerability is dependent upon CVE-2012-3866 "last_run_
is world readable" above. By creating a hard link of a Puppet-managed
file to an arbitrary file that the Puppet master can read, an attacker forces
the contents to be written to the puppet run summary. The context diff is
stored in last_run_
attacker.
CVE-2012-3867 Insufficient input validation for agent hostnames (low)
An attacker could trick the administrator into signing an attacker's
certificate rather than the intended one by constructing specially
crafted certificate requests containing specific ANSI control sequences.
It is possible to use the sequences to rewrite the order of text displayed
to an administrator such that display of an invalid certificate and valid
certificate are transposed. If the administrator signs the attacker's
certificate, the attacker can then man-in-the-middle the agent.
CVE-2012-3408 Agents with certnames of IP addresses can be impersonated (low)
If an authenticated host with a certname of an IP address changes IP
addresses, and a second host assumes the first host's former IP
address, the second host will be treated by the puppet master as the
first one, giving the second host access to the first host's catalog.
Note: This will not be fixed in Puppet versions prior to the forthcoming
3.x. Instead, with this Puppet 2.7.18, IP-based authentication in
Puppet < 3.x is deprecated, and a warning will be issued when used.
Hotfixes
visibility: | private → public |
Changed in gentoo: | |
importance: | Unknown → Low |
Changed in gentoo: | |
status: | Unknown → Fix Released |
[distro-maint] New Security Vulnerabilities in Puppet [ Confidential ]
gentoo
x
Moses Mendoza <email address hidden>
Jul 5 (1 day ago)
to distro-maintai.
Internal and external security audits initiated by Puppet Labs have
returned five vulnerabilities (two high, one moderate, and two low) in
puppet. We have requested four CVEs for vulnerabilities 1 - 4, and
will send an update once we have received them from Mitre. We are
working with distribution maintainers and key customers to ensure
we are able to patch the vulnerabilities before any are exploited.
The vulnerabilities discussed in this email have not been publicly
disclosed. One of the attack vectors of vulnerability #1 was
temporarily made public in our ticket tracker. This was addressed but
the vulnerability may have leaked.
We appreciate your consideration to the sensitivity of this information,
and respectfully ask that you refrain from publicly disclosing the contents
of this email until our planned disclosure date, Tuesday, July 10, 2012
at 5:00 PM Pacific Time. On this date we plan to release updated packages
along with a public disclosure.
We have included patches for the following versions of puppet in the
2.6.x and 2.7.x series:
2.6.4
2.6.16
2.7.9
2.7.17
We have tested that the 2.6.17 patch applies cleanly to 2.6.9, and
the 2.7.17 patch applies to 2.7.12. If you have any trouble applying
these or need help with patches for additional Puppet versions, please
let us know. We would be glad to help.
We are currently packaging new releases of Puppet addressing the
vulnerabilities. This will result in the following new Puppet versions:
* Puppet 2.6.17
* Puppet 2.7.18
* Hotfixes will be released for Puppet Enterprise 1.0, 1.1, 1.2.4, and
2.0.3.
* For users of Puppet Enterprise 2.5.x, updated packages will be
included with the forthcoming release of Puppet Enterprise 2.5.2.
# Vulnerability Summary #
Vulnerability 1 (CVE TBD) report. yaml is world readable (medium)
Arbitrary file read on the puppet master from authenticated clients (high)
*Affected/Patched Versions: 2.7.x, 2.6.x
It is possible to construct an HTTP get request from an authenticated
client with a valid certificate that will return the contents of an arbitrary
file on the Puppet master that the master has read-access to.
Vulnerability 2 (CVE TBD) Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high)
*Affected/Patched Versions: 2.7.x, 2.6.x
Given a Puppet master with the "Delete" directive allowed in auth.conf
for an authenticated host, an attacker on that host can send a specially
crafted Delete request that can cause an arbitrary file deletion on the
Puppet master, potentially causing a denial of service attack. Note that
this vulnerability does *not* exist in Puppet as configured by default.
Vulnerability 3 (CVE TBD)
last_run_
*Affected/Patched Versions: 2.7.x
The most recent Puppet run report is stored on the Puppet master
with world-readable permissions. The report file contains the context
diffs of any changes to configuration on an agent, which may contain
sensitive information that an attacker can then access. The last run
report is overwritten with every Pu...