CVE Identifier: CVE-2014-3251
Unauthorized access to MCO via AES Security Plugin
The MCollective `aes_security` public key plugin does not correctly
validate certs against the CA. By exploiting this vulnerability within
a race/initialization window, an attacker with local access could
initiate an unauthorized MCollective client connection with a server,
and thus control the mcollective plugins running on that server. This
vulnerability requires a collective be configured to use the
aes_security plugin. Puppet Enterprise and open source MCollective are
not configured to use the plugin and are not vulnerable by default.
We have assigned this vulnerability CVSSv2 score 3.4, with vector
Affected software versions:
Mcollective (all, not configured by default)
Resolved in pending releases:
Arches, please test and mark stable the following
=app-admin/mcollective-2.5.3 amd64 x86
x86 stable, thanks.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
The MCollective aes_security plugin, as used in Puppet Enterprise before
3.3.0 and Mcollective before 2.5.3, does not properly validate new server
certificates based on the CA certificate, which allows local users to
establish unauthorized Mcollective connections via unspecified vectors
related to a race condition.
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).
Added to existing GLSA Request
This issue was resolved and addressed in
GLSA 201412-15 at http://security.gentoo.org/glsa/glsa-201412-15.xml
by GLSA coordinator Sean Amoss (ackle).