Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 388161 (CVE-2011-3872) - <app-admin/puppet-{2.6.12,2.7.6} puppetmaster impersonation flaw (CVE-2011-3872)
Summary: <app-admin/puppet-{2.6.12,2.7.6} puppetmaster impersonation flaw (CVE-2011-3872)
Status: RESOLVED FIXED
Alias: CVE-2011-3872
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://puppetlabs.com/blog/important-...
Whiteboard: B3 [glsa]
Keywords:
: 388449 (view as bug list)
Depends on:
Blocks:
 
Reported: 2011-10-22 22:06 UTC by Matthew Marlowe
Modified: 2012-03-06 01:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthew Marlowe gentoo-dev 2011-10-22 22:06:10 UTC
(NOTE: Upstream has requested that distributions not disclose vulnerability until announced on their end - do not make this bug public)

Puppet Labs has discovered a critical vulnerability in the SSL
infrastructure behind Puppet.

This vulnerability is not yet public.  Your discretion is required.

# Summary #

An attacker with root-level access to a Puppet agent can use the agent
SSL certificate to impersonate a Puppet Master when communicating with
Puppet clients.

CVE-2011-3872 has been assigned to this vulnerability.

It will be disclosed with remediation procedures to the general public
24 Oct 2011, at 20:00 UTC.

We realize this is short notice, and we’re available to help in any way we can.

# Risk #

If exploited, this vulnerability would allow an attacker to gain
control of all Puppet-managed nodes signed by the same Certificate
Authority (CA).

Note that beyond the updated code base, previously signed certificates
in the wild may still expose users to risk.  A complete remediation
guide and solution will be made available with the general
announcement of the vulnerability at the following location:

http://www.puppetlabs.com/security/cve/cve-2011-3872/


# Fixes #
The easiest solution is to move to the new upstreams available as
2.7.6 or 2.6.12.

Fixing this vulnerability is done with a rather large commit series.
We (Puppet Labs) are happy to help get this patch series applied on
top of your existing packages if your distribution policy mandates you
keep shipping the same version of Puppet.  If you require our
assistance, please let us know as soon as possible, and include what
your version is, and what patches (either from Puppet Labs or your
own) that you are currently applying/carrying.

Puppet Labs has patched this vulnerability and will be releasing new
versions of Puppet that include this fix.

Note that these releases are available early for packaging.  The
upstream tarballs will be available in our normal download locations
after public announcement, and these links may disappear later next
week.

## Puppet 2.7.x ##
-  Puppet 2.7.6 (which was ready to release via our normal process)
includes these fixes.
http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.7.6.gem
http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.7.6.gem.asc
http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.7.6.tar.gz
http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.7.6.tar.gz.asc

We are also making available a patch series that applies cleanly via
git am to 2.7.5.

http://puppetlabs-cve-2011-3872.s3.amazonaws.com/CVE-2011-3872-puppet-2.7.5.patch
http://puppetlabs-cve-2011-3872.s3.amazonaws.com/CVE-2011-3872-puppet-2.7.5.patch.asc

## Puppet 2.6.x: ##
-  We are releasing Puppet 2.6.12.  As with previous security release
fixes for the 2.6.x series, this is simply the last release plus these
security fixes.

http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.6.12.gem
http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.6.12.gem.asc
http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.6.12.tar.gz
http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.6.12.tar.gz.asc

## Puppet 0.25.x ##
- We are releasing Puppet 0.25.6. This is not just the last release
plus this security fix as we’ve had some repository housecleaning
issues. If your distro policies mean you cannot adopt this release,
let us know and we’ll try to help with a specific patch. We will need
specific versions to go down this path. Alternatively we can give you
a patch that removes certdnsnames functionality altogether that will
be significantly simpler to provide.

There will be no official announcements made about the release of 0.25.6.

http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-0.25.6.tar.gz
http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-0.25.6.tar.gz.asc


## Puppet 0.24.x ##

 -- Puppet Labs will only be providing a patch that removes the
certdnsnames option all together.

http://puppetlabs-cve-2011-3872.s3.amazonaws.com/CVE-2011-3872-0.24.x.patch


## Puppet Enterprise ##

Puppet Enterprise will have hotfixes and updates available as well by
public announcement time.

# Plan of Action #

We ask that you have packages ready to distribute Monday, 24 Oct at
20:00 UTC (13:00 PDT).

If you need any assistance from Puppet Labs to accomplish this,
*please* let us know as early as possible and *we can help*.

Please consider this information CONFIDENTIAL until that such a time.
Further information will be available at
http://www.puppetlabs.com/security/cve/cve-2011-3872/


If you need assistance, or have questions, please let us know.

Michael Stahnke
Release Manager - Puppet Labs
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-10-22 22:15:14 UTC
This time frame is likely too short for a prestabling, but let's try.

matsuu, please prepare an ebuild for 2.6.12 based on the distfile below and attach it to this bug. Do NOT commit anything to CVS until the embargo is lifted. We'll do prestabling on this bug.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-10-24 20:48:28 UTC
This is public now as per $URL.

matsuu, update now directly to CVS please.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-10-25 13:31:23 UTC
*** Bug 388449 has been marked as a duplicate of this bug. ***
Comment 4 MATSUU Takuto (RETIRED) gentoo-dev 2011-10-27 02:05:10 UTC
2.6.12 and 2.7.6 in cvs.
please mark stable puppet-2.6.12
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-27 07:41:46 UTC
Thanks.

Arches please test and mark stable:
=app-admin/puppet-2.6.12
target KEYWORDS : "amd64 hppa ppc sparc x86"
Comment 6 Agostino Sarubbo gentoo-dev 2011-10-27 07:49:29 UTC
amd64 ok
Comment 7 Ian Delaney (RETIRED) gentoo-dev 2011-10-28 10:44:22 UTC
ditto Ago
Comment 8 Jeroen Roovers gentoo-dev 2011-10-28 15:41:58 UTC
Stable for HPPA.
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-10-29 10:28:50 UTC
amd64 done. Thanks Agostino and Ian
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-30 12:35:53 UTC
x86 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2011-11-05 19:32:42 UTC
sparc stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2011-11-06 13:21:59 UTC
ppc done; closing as last arch
Comment 13 Agostino Sarubbo gentoo-dev 2011-11-06 13:27:01 UTC
Please not close security bug.

Added glsa vote request.
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-11-06 16:25:01 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-11-16 23:30:58 UTC
CVE-2011-3872 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3872):
  Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise
  (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent
  certificate, adds the Puppet master's certdnsnames values to the X.509
  Subject Alternative Name field of the certificate, which allows remote
  attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack
  against an agent that uses an alternate DNS name for the master, aka
  "AltNames Vulnerability."
Comment 16 Sean Amoss gentoo-dev Security 2012-03-02 17:21:30 UTC
On existing GLSA draft.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 01:32:13 UTC
This issue was resolved and addressed in
 GLSA 201203-03 at http://security.gentoo.org/glsa/glsa-201203-03.xml
by GLSA coordinator Sean Amoss (ackle).