CVE Identifier: CVE-2014-3251 Unauthorized access to MCO via AES Security Plugin The MCollective `aes_security` public key plugin does not correctly validate certs against the CA. By exploiting this vulnerability within a race/initialization window, an attacker with local access could initiate an unauthorized MCollective client connection with a server, and thus control the mcollective plugins running on that server. This vulnerability requires a collective be configured to use the aes_security plugin. Puppet Enterprise and open source MCollective are not configured to use the plugin and are not vulnerable by default. We have assigned this vulnerability CVSSv2 score 3.4, with vector AV:L/AC:H/Au:M/C:P/I:N/A:C/E:POC/RL:OF/RC:C. Affected software versions: Mcollective (all, not configured by default) Resolved in pending releases: MCollective 2.5.3 Reproducible: Always
Arches, please test and mark stable the following =app-admin/mcollective-2.5.3 amd64 x86
x86 stable, thanks.
amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
CVE-2014-3251 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3251): The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.
Arches, Thank you for your work Maintainer(s), please drop the vulnerable version(s). Added to existing GLSA Request
This issue was resolved and addressed in GLSA 201412-15 at http://security.gentoo.org/glsa/glsa-201412-15.xml by GLSA coordinator Sean Amoss (ackle).