copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ASB-2012.0100 - [UNIX/Linux] Puppet: Multiple vulnerabilities

Date: 11 July 2012
References: ESB-2012.0673  ESB-2012.1146  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0100
        A number of vulnerabilities have been identified in Puppet
                               11 July 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Puppet
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Privileged Data   -- Remote/Unauthenticated      
                      Delete Arbitrary Files   -- Existing Account            
                      Denial of Service        -- Existing Account            
                      Access Confidential Data -- Remote/Unauthenticated      
                      Unauthorised Access      -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-3867 CVE-2012-3866 CVE-2012-3865
                      CVE-2012-3864  
Member content until: Friday, August 10 2012

OVERVIEW

        A number of vulnerabilities have been identified in Puppet prior to
        version 2.7.18.


IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:
        
        "CVE-2012-3864 (Arbitrary File Read)
        A bug in Puppet allows authenticated clients to read arbitrary files 
        from the puppet master.
        
        Given a valid certificate and private key, it is possible to construct 
        an HTTP GET request that will return the contents of an arbitrary file 
        on the Puppet master. These requests can retrieve any file that the 
        puppet master has read-access to." [1]
        
        "CVE-2012-3865 (Arbitrary file delete/D.O.S on Puppet Master)
        A bug in Puppet allows authenticated clients to delete arbitrary 
        files on the puppet master.
        
        Given a Puppet master with the Delete method allowed in auth.conf for 
        an authenticated host, an attacker on that host can send a specially 
        crafted Delete request that can cause an arbitrary file deletion on 
        the Puppet master, potentially causing a denial of service attack. 
        Note that this vulnerability does *not* exist in Puppet as configured 
        by default; auth.conf must first be edited to enable deletion." [2]
        
        "CVE-2012-3866 (last_run_report.yaml is world readable)
        A bug in Puppet leaves last_run_report.yaml world readable.
        
        The most recent Puppet run report is stored on the Puppet master with 
        world-readable permissions. The report file contains the context diffs 
        of any changes to configuration on an agent, which may contain 
        sensitive information that an attacker can then access. The last run 
        report is overwritten with every Puppet run." [3]
        
        "CVE-2012-3867 (Insufficient input validation)
        A bug in Puppet uses insufficient input validation for agent 
        certificate names.
        
        An attacker can trick the administrator into signing an attackers 
        certificate rather than the intended one by constructing specially 
        crafted certificate requests containing specific ANSI control 
        sequences. It is possible to use the sequences to rewrite the order of 
        text displayed to an administrator such that display of an invalid 
        certificate and valid certificate are transposed. If the administrator 
        signs the attackers certificate, the attacker can then man-in-the-
        middle the deployments agent nodes." [4]


MITIGATION

        The vendor recommends updating the latest version of Puppet to 
        correct these issues.


REFERENCES

        [1] CVE-2012-3864 (Arbitrary File Read)
            http://puppetlabs.com/security/cve/cve-2012-3864/

        [2] CVE-2012-3865 (Arbitrary file delete/D.O.S on Puppet Master)
            http://puppetlabs.com/security/cve/cve-2012-3865/

        [3] CVE-2012-3866 (last_run_report.yaml is world readable)
            http://puppetlabs.com/security/cve/cve-2012-3866/

        [4] CVE-2012-3867 (Insufficient input validation)
            http://puppetlabs.com/security/cve/cve-2012-3867/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT/0Ke+4yVqjM2NGpAQLP9A/+JmVzH8k7+0CzT3Zl8hT5c55kOz7/pXwi
ZwPbb75ozIR0W3zS8Hnal3R6BLE7YKzeXuqqAA4ImBxk/OlO+yEkrrosOHv2TfxV
YL8xOeM25lBsc/y8Az93kL/WGrpopoWhPa3c5kvld3jS9LmVNTMTIHTtXXeaPCZ/
SdRk6QE1DxBXMdlgaLYNkkg8YTBL1zPL4eunS285Ewke2IrTcxtATIE+DcNZz6a3
MNYtdAvGLT2b//1QWO7B+fTDwiHj4do363q3BPh3eWkXM09Nru3gXTgXcpVINX85
SxUWEwBTOPSO9zXITf8EfkRiPV+Fx1aK5RWJV9CtNvIA0K4TpTgvS+gq1tN/TRLF
A7n5FYVSNSwqU9fLjgoAKYM5CSIOHOs3s5TY4v/Amx7IZY/NpIOKOn0TJKg5LX7S
YuH4P9x5EromWlD1zA9Efe1WzQqz8kixY0vvWc14FwOMlUIIS8xgDdVCjHweBAhG
G44XBwDzpoRFLaqwB0lEHw3GCf4GhxBjI28QLtoaFck1mOAqyGMSN7E9Y2yADwEq
l8UO3ssbz01q0VNDy+kT+JTpKIvgGIKQh3o6/AmbxzRMK8coRp3PcNUNv6T2PqRy
wj8/OiimNDVe7nJTKWpxbquN7H6IQ9SqG3MFhDKjA75nqy935v3DTNFNcu+49A4s
GxG9896o6yY=
=JBvr
-----END PGP SIGNATURE-----