===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0079
          Multiple vulnerabilities have been identified in Puppet
                Enterprise (3.2, 2.8) and Mcollective (all)
                               21 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Puppet Enterprise
                      Mcollective
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Privileged Data         -- Remote/Unauthenticated
                      Denial of Service              -- Remote/Unauthenticated
                      Provide Misleading Information -- Remote/Unauthenticated
                      Unauthorised Access            -- Existing Account      
Resolution:           Patch/Upgrade
Member content until: Wednesday, August 20 2014

OVERVIEW

        Multiple vulnerabilities have been identified in Puppet Enterprise 
        (3.2, 2.8) and Mcollective (all). [1 - 3]


IMPACT

        The vendor has provided the following details regarding two 
        vulnerabilities:
        
        "CVE-2014-0198 (OpenSSL vulnerability could allow denial of service
        attack)
        
        Due to a vulnerability in OpenSSL versions 1.0.0 and 1.0.1, if 
        SSL_MODE_RELEASE_BUFFERS is enabled, an attacker could cause a 
        denial of service. This affected agents running on the following
        operating systems: Solaris 10, Windows, and AIX." [1]
        
        "CVE-2014-0224 (OpenSSL vulnerability in secure communications)
        
        Due to a vulnerability in OpenSSL versions 1.0.1 and later, an 
        attacker could intercept and decrypt secure communications. This 
        vulnerability requires that both the client and server be running an
        unpatched version of OpenSSL. Unlike heartbleed, this attack vector
        occurs after the initial handshake, which means encryption keys are
        not compromised. However, puppet encrypts catalogs for transmission
        to agents, so puppet manifests containing sensitive information 
        could have been intercepted. We advise all users to avoid including
        sensitive information in catalogs. This affects agents running on 
        the following operating systems: Solaris 10, Windows, and AIX.
        
        Users of Puppet Enterprise 2.8.7 are strongly advised to update 
        OpenSSL on their Puppet Master to the latest version (fixed by 
        distros in all supported PE master platforms). Puppet Enterprise 
        3.3.0 includes a patched version of OpenSSL." [2]
        
        "CVE-2014-3251 (MCollective 'aes_security' Plugin Certificate 
        Validation)
        
        The MCollective `aes_security` public key plugin did not correctly 
        validate new server certs against the CA certificate. By exploiting
        this vulnerability within a specific race condition window, an 
        attacker with local access could initiate an unauthorized 
        Mcollective client connection with a server. Note that this 
        vulnerability requires a collective be configured to use the 
        aes_security plugin. Puppet Enterprise and open source Mcollective 
        are not configured to use the plugin and are not vulnerable by 
        default.
        
        Acknowledgement for the responsible disclosure of this vulnerability
        to Puppet Labs
        
            Mark Chappell" [3]


MITIGATION

        The vendor recommends updating to the latest versions of Puppet
        Enterprise and Mcollective to correct these issues. [1, 3]


REFERENCES

        [1] CVE-2014-0198 (OpenSSL vulnerability could allow denial of service
            attack)
            http://puppetlabs.com/security/cve/cve-2014-0198

        [2] CVE-2014-0224 (OpenSSL vulnerability in secure communications)
            http://puppetlabs.com/security/cve/cve-2014-0224

        [3] CVE-2014-3251 (MCollective 'aes_security' Plugin Certificate
            Validation)
            http://puppetlabs.com/security/cve/cve-2014-3251

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================