-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2014.0079
     Multiple vulnerabilities have been identified in Puppet Enterprise
                    (3.2, 2.8) and Mcollective (all)
                               21 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Puppet Enterprise
                      Mcollective
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Privileged Data         -- Remote/Unauthenticated
                      Denial of Service              -- Remote/Unauthenticated
                      Provide Misleading Information -- Remote/Unauthenticated
                      Unauthorised Access            -- Existing Account
Resolution:           Patch/Upgrade
Member content until: Wednesday, August 20 2014

OVERVIEW

        Multiple vulnerabilities have been identified in Puppet Enterprise
        (3.2, 2.8) and Mcollective (all). [1 - 3]


IMPACT

        The vendor has provided the following details regarding three
        vulnerabilities:

        "CVE-2014-0198 (OpenSSL vulnerability could allow denial of service
        attack)

        Due to a vulnerability in OpenSSL versions 1.0.0 and 1.0.1, if
        SSL_MODE_RELEASE_BUFFERS is enabled, an attacker could cause a denial
        of service. This affected agents running on the following operating
        systems: Solaris 10, Windows, and AIX." [1]

        "CVE-2014-0224 (OpenSSL vulnerability in secure communications)

        Due to a vulnerability in OpenSSL versions 1.0.1 and later, an
        attacker could intercept and decrypt secure communications. This
        vulnerability requires that both the client and server be running an
        unpatched version of OpenSSL. Unlike Heartbleed, this attack vector
        occurs after the initial handshake, which means encryption keys are
        not compromised. However, puppet encrypts catalogs for transmission
        to agents, so puppet manifests containing sensitive information could
        have been intercepted. We advise all users to avoid including
        sensitive information in catalogs.

        This affects agents running on the following operating systems:
        Solaris 10, Windows, and AIX. Users of Puppet Enterprise 2.8.7 are
        strongly advised to update OpenSSL on their Puppet Master to the
        latest version (fixed by distros in all supported PE master
        platforms). Puppet Enterprise 3.3.0 includes a patched version of
        OpenSSL." [2]

        "CVE-2014-3251 (MCollective 'aes_security' Plugin Certificate
        Validation)

        The MCollective `aes_security` public key plugin did not correctly
        validate new server certs against the CA certificate. By exploiting
        this vulnerability within a specific race condition window, an
        attacker with local access could initiate an unauthorized Mcollective
        client connection with a server. Note that this vulnerability
        requires that a collective be configured to use the aes_security
        plugin. Puppet Enterprise and open source Mcollective are not
        configured to use the plugin and are not vulnerable by default.

        Acknowledgement for the responsible disclosure of this vulnerability
        to Puppet Labs: Mark Chappell" [3]


MITIGATION

        The vendor recommends updating to the latest versions of Puppet
        Enterprise and Mcollective to correct these issues. [1, 3]


REFERENCES

        [1] CVE-2014-0198 (OpenSSL vulnerability could allow denial of
            service attack)
            http://puppetlabs.com/security/cve/cve-2014-0198

        [2] CVE-2014-0224 (OpenSSL vulnerability in secure communications)
            http://puppetlabs.com/security/cve/cve-2014-0224

        [3] CVE-2014-3251 (MCollective 'aes_security' Plugin Certificate
            Validation)
            http://puppetlabs.com/security/cve/cve-2014-3251

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU8yGLBLndAQH1ShLAQIEoRAApsVanIzVlcoXyQOWq0e0L+Rp26SaUXCS
x7OlAwpWYRTzgmfHey600XJ0vzmO3+exocsYtRQDhEJ04GuLyxUC0MpZV9cHVXLV
sTizv1zTT7aMZaRjRtt1CJg+j91Q6lguGGFqVN5+/IJFwVhd5NOpoGqLi9Pq5qUq
FSmF9M7btrAI2xVcqdLzYj0SicKNf4L8KE99ERmYHTNHdZcOTra5R/YkhQiS+BfR
plaa1qHl4IUaqIBciYN+McU4CvLU1Rr9UtlLDoB9cZkIULp6J3JdZq6Ruzz3mlcN
mUCliA4e86bmQzi8CCDeEJMW48HPMh1fxw1VkGkuQLsYscejzLeTWjcwJavgBmI+
UgsErSopx2v5cFzIMtH0k0tW6cE+EwiOPlxiE2rQlrSVL0EqQOZaLMRi1mo/e4Sk
xurPwTo1o0lkdmXT1/rCOlK2J/+a7R9yJgNu1VxO0ZYPBrohdhxiivNCBXziiHOa
clOxOCJ0DTIH41NWHcDXAFyO19jLqj3nbNTSAEMp095B2d1qRVIFNvNdjb6QFQy+
skkSa0cFrWgY3Tyr9yaoIdzhJpXT6rwZrgKXFx0RaQ9/YGuX4oI4Uaubxzk1Unmh
K1r6CHdCx9JMPZx959a3vvQbjD27oTk65X7mCasR4l1bOE55GBQFDFpPSx2qyHuo
9Z5txsfc9JI=
=OGSc
-----END PGP SIGNATURE-----
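Added example, placed after the signed bulletin so the signed text above is left as a unit. It is not part of the AusCERT bulletin and is not Puppet Labs' or MCollective's code: it shows, in the plugin's own language, the check that the CVE-2014-3251 description says the `aes_security` plugin omitted (validating a presented server certificate against the collective's CA) beside the weaker behaviour of accepting any certificate that parses. The CA, the CA-signed server certificate and the attacker's self-signed look-alike are all generated in-process with made-up subject names, so it runs offline and does not touch a real collective.

```ruby
# Added example (not Puppet Labs / MCollective code): CA-chain validation of a
# presented certificate, the check CVE-2014-3251 describes as missing from the
# aes_security plugin. All certificates are constructed here for illustration.
require 'openssl'

# Build an X.509 v3 certificate. With no issuer the certificate is self-signed,
# which is how both a CA root and an attacker's rogue certificate are made.
def build_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..(2**62))
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints',
                                         ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign, cRLSign' : 'digitalSignature', true))

  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Weak behaviour: treat any PEM that parses as a certificate as trustworthy.
# Nothing here ties the certificate to the collective's CA.
def accept_if_parseable(pem)
  OpenSSL::X509::Certificate.new(pem)
  true
rescue OpenSSL::X509::CertificateError
  false
end

# The missing check: the presented certificate must chain to the CA
# certificate the collective trusts. Store#verify returns false for a
# self-signed certificate that is not the trusted CA, and for any
# certificate whose signature was not produced by that CA's key.
def signed_by_ca?(ca_pem, pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  store.verify(OpenSSL::X509::Certificate.new(pem))
end

# Constructed PKI (hypothetical names): the collective's CA, a server
# certificate issued by it, and an attacker's self-signed certificate that
# copies the legitimate server's subject name but carries no CA signature.
CA_KEY  = OpenSSL::PKey::RSA.generate(2048)
CA_CERT = build_cert('/CN=Puppet CA', CA_KEY, ca: true)

SERVER_KEY  = OpenSSL::PKey::RSA.generate(2048)
SERVER_CERT = build_cert('/CN=mco-server.example', SERVER_KEY,
                         issuer_cert: CA_CERT, issuer_key: CA_KEY)

ROGUE_KEY  = OpenSSL::PKey::RSA.generate(2048)
ROGUE_CERT = build_cert('/CN=mco-server.example', ROGUE_KEY)

# Run both checks against both certificates; only the CA check tells them apart.
def run_checks
  {
    legit_parseable: accept_if_parseable(SERVER_CERT.to_pem),
    rogue_parseable: accept_if_parseable(ROGUE_CERT.to_pem),
    legit_chains:    signed_by_ca?(CA_CERT.to_pem, SERVER_CERT.to_pem),
    rogue_chains:    signed_by_ca?(CA_CERT.to_pem, ROGUE_CERT.to_pem)
  }
end

if __FILE__ == $PROGRAM_NAME
  run_checks.each { |name, ok| puts "#{name}: #{ok}" }
end
```

The parse-only check accepts both certificates, because a subject name is just a string anyone can put in a self-signed certificate; the store-backed check accepts only the certificate whose signature was made with the CA's key. Pinning trust to the CA certificate rather than to the peer's claimed name is what lets a server reject a client that turned up with a certificate the CA never issued.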