Bug 425112 (CVE-2012-3864)

Description Matthew Marlowe (RETIRED) 2012-07-06 22:22:01 UTC

[distro-maint] New Security Vulnerabilities in Puppet [ Confidential ]
gentoo
	x
Moses Mendoza moses@puppetlabs.com
	
Jul 5 (1 day ago)
		
to distro-maintai.
Internal and external security audits initiated by Puppet Labs have
returned five vulnerabilities (two high, one moderate, and two low) in
puppet. We have requested four CVEs for vulnerabilities 1 - 4, and
will send an update once we have received them from Mitre. We are
working with distribution maintainers and key customers to ensure
we are able to patch the vulnerabilities before any are exploited.

The vulnerabilities discussed in this email have not been publicly
disclosed. One of the attack vectors of vulnerability #1 was
temporarily made public in our ticket tracker. This was addressed but
the vulnerability may have leaked.

We appreciate your consideration to the sensitivity of this information,
and respectfully ask that you refrain from publicly disclosing the contents
of this email until our planned disclosure date, Tuesday, July 10, 2012
at 5:00 PM Pacific Time. On this date we plan to release updated packages
along with a public disclosure.

We have included patches for the following versions of puppet in the
2.6.x and 2.7.x series:
2.6.4
2.6.16
2.7.9
2.7.17

We have tested that the 2.6.17 patch applies cleanly to 2.6.9, and
the 2.7.17 patch applies to 2.7.12.  If you have any trouble applying
these or need help with patches for additional Puppet versions, please
let us know. We would be glad to help.

We are currently packaging new releases of Puppet addressing the
vulnerabilities. This will result in the following new Puppet versions:
 * Puppet 2.6.17
 * Puppet 2.7.18
 * Hotfixes will be released for Puppet Enterprise 1.0, 1.1, 1.2.4, and
   2.0.3.
 * For users of Puppet Enterprise 2.5.x, updated packages will be
   included with the forthcoming release of Puppet Enterprise 2.5.2.

# Vulnerability Summary #

Vulnerability 1 (CVE TBD)
 Arbitrary file read on the puppet master from authenticated clients (high)
 *Affected/Patched Versions: 2.7.x, 2.6.x
    It is possible to construct an HTTP get request from an authenticated
    client with a valid certificate that will return the contents of an arbitrary
    file on the Puppet master that the master has read-access to. 
Vulnerability 2 (CVE TBD) Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high)
*Affected/Patched Versions: 2.7.x, 2.6.x
Given a Puppet master with the "Delete" directive allowed in auth.conf
for an authenticated host, an attacker on that host can send a specially
crafted Delete request that can cause an arbitrary file deletion on the
Puppet master, potentially causing a denial of service attack. Note that
this vulnerability does *not* exist in Puppet as configured by default.
Vulnerability 3 (CVE TBD)
last_run_report.yaml is world readable (medium)
*Affected/Patched Versions: 2.7.x
The most recent Puppet run report is stored on the Puppet master
with world-readable permissions. The report file contains the context
diffs of any changes to configuration on an agent, which may contain
sensitive information that an attacker can then access. The last run
report is overwritten with every Puppet run.
Arbitrary file read on the Puppet master by an agent (medium)
*Affected/Patched Versions: 2.7.x
    This vulnerability is dependent upon vulnerability "last_run_report.yml
    is world readable" above. By creating a hard link of a Puppet-managed
    file to an arbitrary file that the Puppet master can read, an attacker forces
    the contents to be written to the puppet run summary. The context diff is
    stored in last_run_report.yaml, which can then be accessed by the
    attacker.

Vulnerability 4 (CVE TBD)
 Insufficient input validation for agent hostnames (low)
 *Affected/Patched Versions: 2.7.x, 2.6.x
    An attacker could trick the administrator into signing an attacker's
    certificate rather than the intended one by constructing specially
    crafted certificate requests containing specific ANSI control sequences.
    It is possible to use the sequences to rewrite the order of text displayed
    to an administrator such that display of an invalid certificate and valid
    certificate are transposed. If the administrator signs the attacker's
    certificate, the attacker can then man-in-the-middle the agent.

Vulnerability 5
 Agents with certnames of IP addresses can be impersonated (low)
 *Affected Versions: 2.7.x, 2.6.x
    If an authenticated host with a certname of an IP address changes IP
    addresses, and a second host assumes the first host's former IP
    address, the second host will be treated by the puppet master as the
    first one, giving the second host access to the first host's catalog.
    Note: This will not be fixed in Puppet versions prior to the forthcoming
    3.x. Instead, with this announcement IP-based authentication in
    Puppet < 3.x is deprecated.

# Commits in Fixes #
 These commits will be in the 2.7.x and 2.6.x branches, respectively.
 2.7.x
 =========
    qfd44bf5 Tighten permissions on classfile, resourcefile, lastrunfile, and lastrunreport.
    4d7c9fd Use "inspect" when listing certificates
    bd2820e Don't allow the creation of SSL objects with invalid certnames
    f341962 Validate CSR CN and provided certname before signing
    38c5a4e Add specs for selector terminuses of file_{content,metadata}
    9e920a8 Fix whitespace inside parentheses
    2d01c2b Use head method to determine if file is in file bucket
    40ee670 Always use the local file_bucket on master
    d881b4b Fail more gracefully when finding module files if no file is specified
    20ab0e9 Reject file requests containing ..
    10f6cb8 Add Selector terminus for file_content/file_metadata
    ab9150b Deprecate IP-based authentication
    d804782 Reject directory traversal in store report processor

 2.6.x
 =========
    554eefc Reject directory traversal in store report processor
    9607bd7 Use "inspect" when listing certificates
    0144e68 Don't allow the creation of SSL objects with invalid certnames
    dfedaa5 Validate CSR CN and provided certname before signing
    8eb0cd8 Add specs for selector terminuses of file_{content,metadata}
    828c16a Fix whitespace inside parentheses
    e7ef153 Always use the local file_bucket on master
    29ae87d Fail more gracefully when finding module files if no file is specified
    c872619 Reject file requests containing ..
    c3c7462 Add Selector terminus for file_content/file_metadata

If you have any questions or need additional clarification on
anything, please respond to distro-maintainers@puppetlabs.com.


Thank you,
Moses Mendoza
Release Engineer, Puppet Labs