Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 517286 - <app-admin/mcollective-2.5.3: Unauthorized access to MCO via AES Security Plugin (CVE-2014-3251)
Summary: <app-admin/mcollective-2.5.3: Unauthorized access to MCO via AES Security Plu...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-17 06:41 UTC by Matthew Thode ( prometheanfire )
Modified: 2014-12-13 17:50 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-17 06:41:22 UTC
CVE Identifier: CVE-2014-3251
Unauthorized access to MCO via AES Security Plugin

The MCollective `aes_security` public key plugin does not correctly
validate certs against the CA. By exploiting this vulnerability within
a race/initialization window, an attacker with local access could
initiate an unauthorized MCollective client connection with a server,
and thus control the mcollective plugins running on that server. This
vulnerability requires a collective be configured to use the
aes_security plugin. Puppet Enterprise and open source MCollective are
not configured to use the plugin and are not vulnerable by default.

We have assigned this vulnerability CVSSv2 score 3.4, with vector
AV:L/AC:H/Au:M/C:P/I:N/A:C/E:POC/RL:OF/RC:C.

Affected software versions:
Mcollective (all, not configured by default)

Resolved in pending releases:
MCollective 2.5.3

Reproducible: Always
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-17 06:42:42 UTC
Arches, please test and mark stable the following

=app-admin/mcollective-2.5.3 amd64 x86
Comment 2 Andreas Schürch gentoo-dev 2014-08-08 14:22:23 UTC
x86 stable, thanks.
Comment 3 Agostino Sarubbo gentoo-dev 2014-08-09 16:42:19 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-08-17 05:05:10 UTC
CVE-2014-3251 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3251):
  The MCollective aes_security plugin, as used in Puppet Enterprise before
  3.3.0 and Mcollective before 2.5.3, does not properly validate new server
  certificates based on the CA certificate, which allows local users to
  establish unauthorized Mcollective connections via unspecified vectors
  related to a race condition.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-08-17 05:09:26 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

Added to existing GLSA Request
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 17:50:31 UTC
This issue was resolved and addressed in
 GLSA 201412-15 at http://security.gentoo.org/glsa/glsa-201412-15.xml
by GLSA coordinator Sean Amoss (ackle).