Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2012.0100 A number of vulnerabilities have been identified in Puppet 11 July 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Puppet Operating System: UNIX variants (UNIX, Linux, OSX) Impact/Access: Access Privileged Data -- Remote/Unauthenticated Delete Arbitrary Files -- Existing Account Denial of Service -- Existing Account Access Confidential Data -- Remote/Unauthenticated Unauthorised Access -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2012-3867 CVE-2012-3866 CVE-2012-3865 CVE-2012-3864 Member content until: Friday, August 10 2012 OVERVIEW A number of vulnerabilities have been identified in Puppet prior to version 2.7.18. IMPACT The vendor has provided the following details regarding these vulnerabilities: "CVE-2012-3864 (Arbitrary File Read) A bug in Puppet allows authenticated clients to read arbitrary files from the puppet master. Given a valid certificate and private key, it is possible to construct an HTTP GET request that will return the contents of an arbitrary file on the Puppet master. These requests can retrieve any file that the puppet master has read-access to." [1] "CVE-2012-3865 (Arbitrary file delete/D.O.S on Puppet Master) A bug in Puppet allows authenticated clients to delete arbitrary files on the puppet master. Given a Puppet master with the Delete method allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default; auth.conf must first be edited to enable deletion." [2] "CVE-2012-3866 (last_run_report.yaml is world readable) A bug in Puppet leaves last_run_report.yaml world readable. The most recent Puppet run report is stored on the Puppet master with world-readable permissions. The report file contains the context diffs of any changes to configuration on an agent, which may contain sensitive information that an attacker can then access. The last run report is overwritten with every Puppet run." [3] "CVE-2012-3867 (Insufficient input validation) A bug in Puppet uses insufficient input validation for agent certificate names. An attacker can trick the administrator into signing an attackers certificate rather than the intended one by constructing specially crafted certificate requests containing specific ANSI control sequences. It is possible to use the sequences to rewrite the order of text displayed to an administrator such that display of an invalid certificate and valid certificate are transposed. If the administrator signs the attackers certificate, the attacker can then man-in-the- middle the deployments agent nodes." [4] MITIGATION The vendor recommends updating the latest version of Puppet to correct these issues. REFERENCES [1] CVE-2012-3864 (Arbitrary File Read) http://puppetlabs.com/security/cve/cve-2012-3864/ [2] CVE-2012-3865 (Arbitrary file delete/D.O.S on Puppet Master) http://puppetlabs.com/security/cve/cve-2012-3865/ [3] CVE-2012-3866 (last_run_report.yaml is world readable) http://puppetlabs.com/security/cve/cve-2012-3866/ [4] CVE-2012-3867 (Insufficient input validation) http://puppetlabs.com/security/cve/cve-2012-3867/ AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBT/0Ke+4yVqjM2NGpAQLP9A/+JmVzH8k7+0CzT3Zl8hT5c55kOz7/pXwi ZwPbb75ozIR0W3zS8Hnal3R6BLE7YKzeXuqqAA4ImBxk/OlO+yEkrrosOHv2TfxV YL8xOeM25lBsc/y8Az93kL/WGrpopoWhPa3c5kvld3jS9LmVNTMTIHTtXXeaPCZ/ SdRk6QE1DxBXMdlgaLYNkkg8YTBL1zPL4eunS285Ewke2IrTcxtATIE+DcNZz6a3 MNYtdAvGLT2b//1QWO7B+fTDwiHj4do363q3BPh3eWkXM09Nru3gXTgXcpVINX85 SxUWEwBTOPSO9zXITf8EfkRiPV+Fx1aK5RWJV9CtNvIA0K4TpTgvS+gq1tN/TRLF A7n5FYVSNSwqU9fLjgoAKYM5CSIOHOs3s5TY4v/Amx7IZY/NpIOKOn0TJKg5LX7S YuH4P9x5EromWlD1zA9Efe1WzQqz8kixY0vvWc14FwOMlUIIS8xgDdVCjHweBAhG G44XBwDzpoRFLaqwB0lEHw3GCf4GhxBjI28QLtoaFck1mOAqyGMSN7E9Y2yADwEq l8UO3ssbz01q0VNDy+kT+JTpKIvgGIKQh3o6/AmbxzRMK8coRp3PcNUNv6T2PqRy wj8/OiimNDVe7nJTKWpxbquN7H6IQ9SqG3MFhDKjA75nqy935v3DTNFNcu+49A4s GxG9896o6yY= =JBvr -----END PGP SIGNATURE-----