===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2013.0019
           A number of vulnerabilities have been identified in Puppet
                             11 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Puppet
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data       -- Existing Account
                   Cross-site Request Forgery   -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1399 CVE-2013-1398
Member content until: Wednesday, March 13 2013

OVERVIEW

        Multiple vulnerabilities have been identified in Puppet Enterprise
        prior to version 2.7.1. [1, 2]

IMPACT

        The vendor has provided the following details regarding two
        vulnerabilities which affect versions 2.0 and later prior to
        version 2.7.1:

        "CVE-2013-1398 (MCO Private Key Leak)
        Posted February 6, 2013

        Under certain circumstances, a user with root access to a single
        node in a PE deployment could possibly manipulate that client's
        local facts in order to force the pe_mcollective module to deliver
        a catalog containing SSL keys. These keys could be used to access
        other nodes in the collective and send them arbitrary commands as
        root.

        This vulnerability affects the master role of Puppet Enterprise." [1]

        "CVE-2013-1399 (Console CSRF Vulnerability):
        Posted February 6, 2013

        Several components of the Puppet Enterprise console were vulnerable
        to CSRF attacks. Cross site request forgery (CSRF) protection has
        been added to the following areas of the PE console: node request
        management, live management, and user administration. Now,
        basically every HTML form submitted to a server running one of
        these services gets a randomly generated token whose authenticity
        is compared against a token stored by the session of the currently
        logged-in user. Requests with tokens that do not authenticate (or
        are not present) will be answered with a "403 Forbidden" HTML
        status.

        One exception to the CSRF protection model are HTTP requests that
        use basic HTTP user authorization. These are treated as API
        requests and, since by definition they include a valid (or not)
        username and password, they are considered secure.

        Note that the Rails-based puppet dashboard application is not
        vulnerable due to Rails' built-in CSRF protection.

        This vulnerability affects the console role of Puppet Enterprise." [2]

MITIGATION

        The vendor recommends updating to the latest versions of Puppet
        Enterprise to correct these issues. [1, 2]

REFERENCES

        [1] CVE-2013-1398
            https://puppetlabs.com/security/cve/cve-2013-1398/

        [2] CVE-2013-1399
            https://puppetlabs.com/security/cve/cve-2013-1399/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
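The session-bound token check that the vendor's CVE-2013-1399 description outlines, written out as a small Ruby model. This is an added illustration, not Puppet Enterprise console code; the class name, the `authenticity_token` field name, the Rack-style `[status, reason]` return values and the request hash layout are all assumptions made for the example.

```ruby
require 'securerandom'

# Constructed model of per-session CSRF protection (not the PE console's code).
# A random token is minted at login and stored with the session; every form
# submission must echo it back, otherwise the request gets a 403. Requests
# carrying HTTP Basic credentials are treated as API calls and exempted,
# mirroring the exception the advisory describes.
class CsrfGuard
  FORBIDDEN = [403, 'Forbidden'].freeze
  OK        = [200, 'OK'].freeze

  def initialize
    @sessions = {} # session_id => csrf token for the logged-in user
  end

  # Called when a user logs in: mint a fresh random token for this session
  # and return it so the server can embed it as a hidden field in each form.
  def start_session(session_id)
    @sessions[session_id] = SecureRandom.hex(32)
  end

  # request is a Hash with :session_id, :params (form fields, string keys)
  # and :authorization (raw Authorization header value, or nil).
  def check(request)
    return OK if basic_auth?(request[:authorization])

    expected  = @sessions[request[:session_id]]
    presented = request.fetch(:params, {})['authenticity_token']
    # Missing token, unknown session, or token from another user's session
    # all fail the same way, as the advisory states.
    return FORBIDDEN if expected.nil? || presented.nil?
    return FORBIDDEN unless secure_equal(expected, presented)
    OK
  end

  private

  def basic_auth?(header)
    !header.nil? && header.start_with?('Basic ')
  end

  # Constant-time comparison so the token check itself leaks nothing by timing.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```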