-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0381
                           puppet security update
                               13 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           puppet
Publisher:         Debian
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Debian GNU/Linux 6
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Reduced Security               -- Remote/Unauthenticated
                   Access Confidential Data       -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2275 CVE-2013-2274 CVE-2013-1655 CVE-2013-1654
                   CVE-2013-1653 CVE-2013-1652 CVE-2013-1640

Original Bulletin:
  http://www.debian.org/security/2013/dsa-2643

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running puppet check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2643-1                   security@debian.org
http://www.debian.org/security/                          Yves-Alexis Perez
March 12, 2013                          http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : puppet
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654
                 CVE-2013-1655 CVE-2013-2274 CVE-2013-2275
Debian Bug     :

Multiple vulnerabilities were discovered in Puppet, a centralized
configuration management system.

CVE-2013-1640

    An authenticated malicious client may request its catalog from the
    puppet master, and cause the puppet master to execute arbitrary code.
    The puppet master must be made to invoke the `template` or
    `inline_template` functions during catalog compilation.

CVE-2013-1652

    An authenticated malicious client may retrieve catalogs from the
    puppet master that it is not authorized to access. Given a valid
    certificate and private key, it is possible to construct an HTTP GET
    request that will return a catalog for an arbitrary client.

CVE-2013-1653

    An authenticated malicious client may execute arbitrary code on
    Puppet agents that accept kick connections. Puppet agents are not
    vulnerable in their default configuration. However, if the Puppet
    agent is configured to listen for incoming connections, e.g.
    listen = true, and the agent's auth.conf allows access to the `run`
    REST endpoint, then an authenticated client can construct an HTTP
    PUT request to execute arbitrary code on the agent. This issue is
    made worse by the fact that puppet agents typically run as root.

CVE-2013-1654

    A bug in Puppet allows SSL connections to be downgraded to SSLv2,
    which is known to contain design flaw weaknesses. This affects SSL
    connections between puppet agents and master, as well as connections
    that puppet agents make to third party servers that accept SSLv2
    connections. Note that SSLv2 is disabled since OpenSSL 1.0.

CVE-2013-1655

    An unauthenticated malicious client may send requests to the puppet
    master, and have the master load code in an unsafe manner. It only
    affects users whose puppet masters are running ruby 1.9.3 and above.

CVE-2013-2274

    An authenticated malicious client may execute arbitrary code on the
    puppet master in its default configuration. Given a valid certificate
    and private key, a client can construct an HTTP PUT request that is
    authorized to save the client's own report, but the request will
    actually cause the puppet master to execute arbitrary code.

CVE-2013-2275

    The default auth.conf allows an authenticated node to submit a report
    for any other node, which is a problem for compliance.
    It has been made more restrictive by default so that a node is only
    allowed to save its own report.

For the stable distribution (squeeze), these problems have been fixed in
version 2.6.2-5+squeeze7.

For the testing distribution (wheezy), these problems have been fixed in
version 2.7.18-3.

For the unstable distribution (sid), these problems have been fixed in
version 2.7.18-3.

We recommend that you upgrade your puppet packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
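The two auth.conf problems the advisory describes (CVE-2013-2275, a report ACL that lets any authenticated node save a report under another node's name, and CVE-2013-1653, an agent `run` endpoint reachable when listen = true) can be checked mechanically. The script below is an added example, not code from Debian, AusCERT or the Puppet project; it assumes the Puppet 2.7 auth.conf layout of "path <prefix>" or "path ~ <regex>" stanzas with "method" and "allow" lines, evaluated first-match-wins, and embeds constructed sample ACLs, one permissive and one restricted to the reporting node's own certname.

```ruby
# Added example (not from Debian, AusCERT or Puppet): audit a Puppet 2.7-style
# auth.conf for the permissive report ACL (CVE-2013-2275) and a reachable
# agent `run` endpoint (CVE-2013-1653). Assumed format: "path <prefix>" or
# "path ~ <regex>" stanzas with "method"/"allow" lines, first match wins.

# Constructed sample ACLs: permissive report rule and its restricted form.
WEAK_REPORT_ACL = <<~'CONF'
  path /report
  method save
  allow *
CONF
FIXED_REPORT_ACL = <<~'CONF'
  path ~ ^/report/([^/]+)$
  method save
  allow $1
CONF

# Parse auth.conf text into an ordered list of rule hashes.
def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, "").strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    case key
    when "path"
      regex = value.start_with?("~")
      rules << { path: regex ? value.sub(/\A~\s*/, "") : value, regex: regex, methods: [], allow: [] }
    when "method" then rules.last[:methods] += value.split(/\s*,\s*/)
    when "allow"  then rules.last[:allow]   += value.split(/\s*,\s*/)
    end
  end
  rules
end

# First rule matching the request path and method (no method line means any method).
def acl_for(rules, request_path, method)
  rules.find do |r|
    path_ok = r[:regex] ? Regexp.new(r[:path]) =~ request_path : request_path.start_with?(r[:path])
    path_ok && (r[:methods].empty? || r[:methods].include?(method))
  end
end

# Findings for one auth.conf; an empty array means the checked endpoints look fine.
def audit_auth_conf(text)
  rules = parse_auth_conf(text)
  findings = []
  report = acl_for(rules, "/report/other.example.com", "save")   # constructed certname
  findings << "CVE-2013-2275: any node may save a report for any other node" if report && report[:allow].include?("*")
  run = acl_for(rules, "/run/agent.example.com", "save")        # kick uses PUT, i.e. save
  findings << "CVE-2013-1653: run endpoint reachable; dangerous if listen = true" if run && !run[:allow].empty?
  findings
end
```

Because Puppet stops at the first matching rule, a permissive `/report` stanza placed before the restricted one still wins, which the audit reports.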