-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0019
        A number of vulnerabilities have been identified in Puppet
                             11 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Puppet
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Privileged Data     -- Existing Account            
                      Cross-site Request Forgery -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1399 CVE-2013-1398 
Member content until: Wednesday, March 13 2013

OVERVIEW

        Multiple vulnerabilities have been identified in Puppet Enterprise 
        prior to version 2.7.1. [1, 2]


IMPACT

        The vendor has provided the following details regarding two 
        vulnerabilities which affect versions 2.0 and later prior to version
        2.7.1:
        
        "CVE-2013-1398 (MCO Private Key Leak)
        Posted February 6, 2013
        
        Under certain circumstances, a user with root access to a single node
        in a PE deployment could possibly manipulate that client's local facts
        in order to force the pe_mcollective module to deliver a catalog 
        containing SSL keys. These keys could be used to access other nodes in 
        the collective and send them arbitrary commands as root.
        
        This vulnerability affects the master role of Puppet Enterprise." [1]
        
        "CVE-2013-1399 (Console CSRF Vulnerability):
        Posted February 6, 2013
        
        Several components of the Puppet Enterprise console were vulnerable to
        CSRF attacks.
        
        Cross site request forgery (CSRF) protection has been added to the 
        following areas of the PE console: node request management, live 
        management, and user administration. Now, basically every HTML form
        submitted to a server running one of these services gets a randomly 
        generated token whose authenticity is compared against a token stored by
        the session of the currently logged-in user. Requests with tokens that
        do not authenticate (or are not present) will be answered with a 
        "403 Forbidden" HTML status.
        
        One exception to the CSRF protection model is HTTP requests that use
        basic HTTP user authorization. These are treated as API requests and, 
        since by definition they include a valid (or not) username and password,
        they are considered secure.
        
        Note that the Rails-based puppet dashboard application is not vulnerable 
        due to Rails' built-in CSRF protection.
        
        This vulnerability affects the console role of Puppet Enterprise." [2]
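
        The token model described in the vendor text above, written out as an
        added illustration (this is not Puppet Enterprise code and not taken
        from the vendor advisory). A request is a plain Hash standing in for a
        Rack-style request with :method, :params, :session and :headers keys,
        all constructed for the example; the field name authenticity_token
        and the hypothetical csrf_filter function are assumptions.

```ruby
require 'securerandom'
require 'base64'

# Added illustration of a per-session CSRF token check, not PE console code.
# Requests are plain Hashes (constructed here) standing in for a Rack request:
#   :method, :params (form fields), :session (server-side session), :headers

CSRF_FIELD   = 'authenticity_token'.freeze   # assumed form field name
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze  # read-only methods need no token

# Issue one random token for the logged-in session. The same value is
# embedded in every HTML form and compared against the session on submit.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so a token cannot be recovered byte by byte
# through response-timing differences.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Requests carrying HTTP Basic credentials are treated as API calls and
# skip the token check, as the advisory describes for the PE console.
def basic_auth?(headers)
  auth = headers['Authorization']
  !auth.nil? && auth.start_with?('Basic ')
end

# Returns [status, body]: 403 Forbidden when a state-changing request has no
# token, or a token that does not match the one stored in the session.
def csrf_filter(request)
  return [200, 'ok']       if SAFE_METHODS.include?(request[:method])
  return [200, 'ok (api)'] if basic_auth?(request[:headers])

  expected = request[:session][:csrf_token]
  supplied = request[:params][CSRF_FIELD]
  return [403, 'Forbidden'] unless secure_equal?(expected, supplied)

  [200, 'ok']
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token   = issue_csrf_token(session)

  # Browser form carrying the session's token: accepted.
  p csrf_filter(method: 'POST', params: { CSRF_FIELD => token },
                session: session, headers: {})
  # Forged cross-site POST without the token: rejected with 403.
  p csrf_filter(method: 'POST', params: {}, session: session, headers: {})
  # Basic-auth API call: exempted from the token check.
  p csrf_filter(method: 'POST', params: {}, session: {},
                headers: { 'Authorization' => 'Basic ' +
                           Base64.strict_encode64('user:pass') })
end
```

        A forged cross-site form cannot carry the token because the attacker's
        page cannot read the victim's session or the victim's copy of the form,
        so the submission fails the comparison and gets 403. The Basic-auth
        exemption is only safe where the credentials are attached by a
        non-browser API client; a browser that has cached credentials for the
        realm will attach them automatically.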


MITIGATION

        The vendor recommends updating to the latest versions of Puppet 
        Enterprise to correct these issues. [1, 2]


REFERENCES

        [1] CVE-2013-1398
            https://puppetlabs.com/security/cve/cve-2013-1398/

        [2] CVE-2013-1399
            https://puppetlabs.com/security/cve/cve-2013-1399/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----