Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0100
A number of vulnerabilities have been identified in Puppet
11 July 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Puppet
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Delete Arbitrary Files -- Existing Account
Denial of Service -- Existing Account
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2012-3867 CVE-2012-3866 CVE-2012-3865
CVE-2012-3864
Member content until: Friday, August 10 2012
OVERVIEW
A number of vulnerabilities have been identified in Puppet prior to
version 2.7.18.
IMPACT
The vendor has provided the following details regarding these
vulnerabilities:
"CVE-2012-3864 (Arbitrary File Read)
A bug in Puppet allows authenticated clients to read arbitrary files
from the puppet master.
Given a valid certificate and private key, it is possible to construct
an HTTP GET request that will return the contents of an arbitrary file
on the Puppet master. These requests can retrieve any file that the
puppet master has read-access to." [1]
"CVE-2012-3865 (Arbitrary file delete/D.O.S on Puppet Master)
A bug in Puppet allows authenticated clients to delete arbitrary
files on the puppet master.
Given a Puppet master with the Delete method allowed in auth.conf for
an authenticated host, an attacker on that host can send a specially
crafted Delete request that can cause an arbitrary file deletion on
the Puppet master, potentially causing a denial of service attack.
Note that this vulnerability does *not* exist in Puppet as configured
by default; auth.conf must first be edited to enable deletion." [2]
"CVE-2012-3866 (last_run_report.yaml is world readable)
A bug in Puppet leaves last_run_report.yaml world readable.
The most recent Puppet run report is stored on the Puppet master with
world-readable permissions. The report file contains the context diffs
of any changes to configuration on an agent, which may contain
sensitive information that an attacker can then access. The last run
report is overwritten with every Puppet run." [3]
"CVE-2012-3867 (Insufficient input validation)
A bug in Puppet uses insufficient input validation for agent
certificate names.
An attacker can trick the administrator into signing an attackers
certificate rather than the intended one by constructing specially
crafted certificate requests containing specific ANSI control
sequences. It is possible to use the sequences to rewrite the order of
text displayed to an administrator such that display of an invalid
certificate and valid certificate are transposed. If the administrator
signs the attackers certificate, the attacker can then man-in-the-
middle the deployments agent nodes." [4]
MITIGATION
The vendor recommends updating the latest version of Puppet to
correct these issues.
REFERENCES
[1] CVE-2012-3864 (Arbitrary File Read)
http://puppetlabs.com/security/cve/cve-2012-3864/
[2] CVE-2012-3865 (Arbitrary file delete/D.O.S on Puppet Master)
http://puppetlabs.com/security/cve/cve-2012-3865/
[3] CVE-2012-3866 (last_run_report.yaml is world readable)
http://puppetlabs.com/security/cve/cve-2012-3866/
[4] CVE-2012-3867 (Insufficient input validation)
http://puppetlabs.com/security/cve/cve-2012-3867/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBT/0Ke+4yVqjM2NGpAQLP9A/+JmVzH8k7+0CzT3Zl8hT5c55kOz7/pXwi
ZwPbb75ozIR0W3zS8Hnal3R6BLE7YKzeXuqqAA4ImBxk/OlO+yEkrrosOHv2TfxV
YL8xOeM25lBsc/y8Az93kL/WGrpopoWhPa3c5kvld3jS9LmVNTMTIHTtXXeaPCZ/
SdRk6QE1DxBXMdlgaLYNkkg8YTBL1zPL4eunS285Ewke2IrTcxtATIE+DcNZz6a3
MNYtdAvGLT2b//1QWO7B+fTDwiHj4do363q3BPh3eWkXM09Nru3gXTgXcpVINX85
SxUWEwBTOPSO9zXITf8EfkRiPV+Fx1aK5RWJV9CtNvIA0K4TpTgvS+gq1tN/TRLF
A7n5FYVSNSwqU9fLjgoAKYM5CSIOHOs3s5TY4v/Amx7IZY/NpIOKOn0TJKg5LX7S
YuH4P9x5EromWlD1zA9Efe1WzQqz8kixY0vvWc14FwOMlUIIS8xgDdVCjHweBAhG
G44XBwDzpoRFLaqwB0lEHw3GCf4GhxBjI28QLtoaFck1mOAqyGMSN7E9Y2yADwEq
l8UO3ssbz01q0VNDy+kT+JTpKIvgGIKQh3o6/AmbxzRMK8coRp3PcNUNv6T2PqRy
wj8/OiimNDVe7nJTKWpxbquN7H6IQ9SqG3MFhDKjA75nqy935v3DTNFNcu+49A4s
GxG9896o6yY=
=JBvr
-----END PGP SIGNATURE-----