copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
Search this site

On this site

 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login


ASB-2012.0100 - [UNIX/Linux] Puppet: Multiple vulnerabilities

Date: 11 July 2012
References: ESB-2012.0673  ESB-2012.1146  

Click here for printable version
Click here for PGP verifiable version
Hash: SHA1

                         AUSCERT Security Bulletin

        A number of vulnerabilities have been identified in Puppet
                               11 July 2012


        AusCERT Security Bulletin Summary

Product:              Puppet
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Privileged Data   -- Remote/Unauthenticated      
                      Delete Arbitrary Files   -- Existing Account            
                      Denial of Service        -- Existing Account            
                      Access Confidential Data -- Remote/Unauthenticated      
                      Unauthorised Access      -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-3867 CVE-2012-3866 CVE-2012-3865
Member content until: Friday, August 10 2012


        A number of vulnerabilities have been identified in Puppet prior to
        version 2.7.18.


        The vendor has provided the following details regarding these
        "CVE-2012-3864 (Arbitrary File Read)
        A bug in Puppet allows authenticated clients to read arbitrary files 
        from the puppet master.
        Given a valid certificate and private key, it is possible to construct 
        an HTTP GET request that will return the contents of an arbitrary file 
        on the Puppet master. These requests can retrieve any file that the 
        puppet master has read-access to." [1]
        "CVE-2012-3865 (Arbitrary file delete/D.O.S on Puppet Master)
        A bug in Puppet allows authenticated clients to delete arbitrary 
        files on the puppet master.
        Given a Puppet master with the Delete method allowed in auth.conf for 
        an authenticated host, an attacker on that host can send a specially 
        crafted Delete request that can cause an arbitrary file deletion on 
        the Puppet master, potentially causing a denial of service attack. 
        Note that this vulnerability does *not* exist in Puppet as configured 
        by default; auth.conf must first be edited to enable deletion." [2]
        "CVE-2012-3866 (last_run_report.yaml is world readable)
        A bug in Puppet leaves last_run_report.yaml world readable.
        The most recent Puppet run report is stored on the Puppet master with 
        world-readable permissions. The report file contains the context diffs 
        of any changes to configuration on an agent, which may contain 
        sensitive information that an attacker can then access. The last run 
        report is overwritten with every Puppet run." [3]
        "CVE-2012-3867 (Insufficient input validation)
        A bug in Puppet uses insufficient input validation for agent 
        certificate names.
        An attacker can trick the administrator into signing an attackers 
        certificate rather than the intended one by constructing specially 
        crafted certificate requests containing specific ANSI control 
        sequences. It is possible to use the sequences to rewrite the order of 
        text displayed to an administrator such that display of an invalid 
        certificate and valid certificate are transposed. If the administrator 
        signs the attackers certificate, the attacker can then man-in-the-
        middle the deployments agent nodes." [4]


        The vendor recommends updating the latest version of Puppet to 
        correct these issues.


        [1] CVE-2012-3864 (Arbitrary File Read)

        [2] CVE-2012-3865 (Arbitrary file delete/D.O.S on Puppet Master)

        [3] CVE-2012-3866 (last_run_report.yaml is world readable)

        [4] CVE-2012-3867 (Insufficient input validation)

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.