[distro-maint] New Security Vulnerabilities in Puppet [ Confidential ] gentoo x Moses Mendoza moses@puppetlabs.com Jul 5 (1 day ago) to distro-maintai. Internal and external security audits initiated by Puppet Labs have returned five vulnerabilities (two high, one moderate, and two low) in puppet. We have requested four CVEs for vulnerabilities 1 - 4, and will send an update once we have received them from Mitre. We are working with distribution maintainers and key customers to ensure we are able to patch the vulnerabilities before any are exploited. The vulnerabilities discussed in this email have not been publicly disclosed. One of the attack vectors of vulnerability #1 was temporarily made public in our ticket tracker. This was addressed but the vulnerability may have leaked. We appreciate your consideration to the sensitivity of this information, and respectfully ask that you refrain from publicly disclosing the contents of this email until our planned disclosure date, Tuesday, July 10, 2012 at 5:00 PM Pacific Time. On this date we plan to release updated packages along with a public disclosure. We have included patches for the following versions of puppet in the 2.6.x and 2.7.x series: 2.6.4 2.6.16 2.7.9 2.7.17 We have tested that the 2.6.17 patch applies cleanly to 2.6.9, and the 2.7.17 patch applies to 2.7.12. If you have any trouble applying these or need help with patches for additional Puppet versions, please let us know. We would be glad to help. We are currently packaging new releases of Puppet addressing the vulnerabilities. This will result in the following new Puppet versions: * Puppet 2.6.17 * Puppet 2.7.18 * Hotfixes will be released for Puppet Enterprise 1.0, 1.1, 1.2.4, and 2.0.3. * For users of Puppet Enterprise 2.5.x, updated packages will be included with the forthcoming release of Puppet Enterprise 2.5.2. # Vulnerability Summary # Vulnerability 1 (CVE TBD) Arbitrary file read on the puppet master from authenticated clients (high) *Affected/Patched Versions: 2.7.x, 2.6.x It is possible to construct an HTTP get request from an authenticated client with a valid certificate that will return the contents of an arbitrary file on the Puppet master that the master has read-access to. Vulnerability 2 (CVE TBD) Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high) *Affected/Patched Versions: 2.7.x, 2.6.x Given a Puppet master with the "Delete" directive allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default. Vulnerability 3 (CVE TBD) last_run_report.yaml is world readable (medium) *Affected/Patched Versions: 2.7.x The most recent Puppet run report is stored on the Puppet master with world-readable permissions. The report file contains the context diffs of any changes to configuration on an agent, which may contain sensitive information that an attacker can then access. The last run report is overwritten with every Puppet run. Arbitrary file read on the Puppet master by an agent (medium) *Affected/Patched Versions: 2.7.x This vulnerability is dependent upon vulnerability "last_run_report.yml is world readable" above. By creating a hard link of a Puppet-managed file to an arbitrary file that the Puppet master can read, an attacker forces the contents to be written to the puppet run summary. The context diff is stored in last_run_report.yaml, which can then be accessed by the attacker. Vulnerability 4 (CVE TBD) Insufficient input validation for agent hostnames (low) *Affected/Patched Versions: 2.7.x, 2.6.x An attacker could trick the administrator into signing an attacker's certificate rather than the intended one by constructing specially crafted certificate requests containing specific ANSI control sequences. It is possible to use the sequences to rewrite the order of text displayed to an administrator such that display of an invalid certificate and valid certificate are transposed. If the administrator signs the attacker's certificate, the attacker can then man-in-the-middle the agent. Vulnerability 5 Agents with certnames of IP addresses can be impersonated (low) *Affected Versions: 2.7.x, 2.6.x If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host's former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host's catalog. Note: This will not be fixed in Puppet versions prior to the forthcoming 3.x. Instead, with this announcement IP-based authentication in Puppet < 3.x is deprecated. # Commits in Fixes # These commits will be in the 2.7.x and 2.6.x branches, respectively. 2.7.x ========= qfd44bf5 Tighten permissions on classfile, resourcefile, lastrunfile, and lastrunreport. 4d7c9fd Use "inspect" when listing certificates bd2820e Don't allow the creation of SSL objects with invalid certnames f341962 Validate CSR CN and provided certname before signing 38c5a4e Add specs for selector terminuses of file_{content,metadata} 9e920a8 Fix whitespace inside parentheses 2d01c2b Use head method to determine if file is in file bucket 40ee670 Always use the local file_bucket on master d881b4b Fail more gracefully when finding module files if no file is specified 20ab0e9 Reject file requests containing .. 10f6cb8 Add Selector terminus for file_content/file_metadata ab9150b Deprecate IP-based authentication d804782 Reject directory traversal in store report processor 2.6.x ========= 554eefc Reject directory traversal in store report processor 9607bd7 Use "inspect" when listing certificates 0144e68 Don't allow the creation of SSL objects with invalid certnames dfedaa5 Validate CSR CN and provided certname before signing 8eb0cd8 Add specs for selector terminuses of file_{content,metadata} 828c16a Fix whitespace inside parentheses e7ef153 Always use the local file_bucket on master 29ae87d Fail more gracefully when finding module files if no file is specified c872619 Reject file requests containing .. c3c7462 Add Selector terminus for file_content/file_metadata If you have any questions or need additional clarification on anything, please respond to distro-maintainers@puppetlabs.com. Thank you, Moses Mendoza Release Engineer, Puppet Labs
Thanks for the report, Matthew.
*** Bug 425846 has been marked as a duplicate of this bug. ***
sorry for delay. 2.7.18 in cvs. please mark stable 2.7.18.
(In reply to comment #3) > sorry for delay. > 2.7.18 in cvs. please mark stable 2.7.18. Thanks. Arches, please test and mark stable: =app-admin/puppet-2.7.18 Target Keywords: "amd64 hppa ppc sparc x86"
x86 stable
Stable for HPPA.
amd64 stable
CVE-2012-3867 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3867): lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences. CVE-2012-3866 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3866): lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file. CVE-2012-3865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3865): Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name. CVE-2012-3864 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3864): Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request.
are you sure its stable? vv@crusader /var/db/pkg $ emerge -pvt puppet These are the packages that would be merged, in reverse order: Calculating dependencies | !!! Problem resolving dependencies for app-admin/puppet ... done! !!! The ebuild selected to satisfy "puppet" has unmet requirements. - app-admin/puppet-2.7.18::gentoo USE="-augeas -diff -doc -emacs -ldap -minimal -rrdtool (-selinux) -shadow -sqlite3 -test -vim-syntax -xemacs" RUBY_TARGETS="-ruby18" The following REQUIRED_USE flag constraints are unsatisfied: ruby_targets_ruby18 The above constraints are a subset of the following complete expression: any-of ( ruby_targets_ruby18 ) vv@crusader /var/db/pkg $
(In reply to comment #9) > are you sure its stable? > > > vv@crusader /var/db/pkg $ emerge -pvt puppet > > These are the packages that would be merged, in reverse order: > > Calculating dependencies | > > !!! Problem resolving dependencies for app-admin/puppet > ... done! > > !!! The ebuild selected to satisfy "puppet" has unmet requirements. > - app-admin/puppet-2.7.18::gentoo USE="-augeas -diff -doc -emacs -ldap > -minimal -rrdtool (-selinux) -shadow -sqlite3 -test -vim-syntax -xemacs" > RUBY_TARGETS="-ruby18" > > The following REQUIRED_USE flag constraints are unsatisfied: > ruby_targets_ruby18 > > The above constraints are a subset of the following complete expression: > any-of ( ruby_targets_ruby18 ) > > vv@crusader /var/db/pkg $ same with all puppet ebuilds.
stable does not mean what you say and viceversa. THe error is clear: > The following REQUIRED_USE flag constraints are unsatisfied: > ruby_targets_ruby18 So you need to enable ruby18
(In reply to comment #11) > stable does not mean what you say and viceversa. > > THe error is clear: > > The following REQUIRED_USE flag constraints are unsatisfied: > > ruby_targets_ruby18 > > So you need to enable ruby18 I had to read emerge messages carefully. Sorry for bothering all crowd
ppc stable.
sparc stable
Thanks, folks. GLSA Vote: no.
GLSA vote: no. Closing noglsa.