(NOTE: Upstream has requested that distributions not disclose the vulnerability until announced on their end - do not make this bug public)

Puppet Labs has discovered a critical vulnerability in the SSL infrastructure behind Puppet. This vulnerability is not yet public. Your discretion is required.

# Summary #

An attacker with root-level access to a Puppet agent can use the agent SSL certificate to impersonate a Puppet Master when communicating with Puppet clients.

CVE-2011-3872 has been assigned to this vulnerability. It will be disclosed with remediation procedures to the general public 24 Oct 2011, at 20:00 UTC. We realize this is short notice, and we're available to help in any way we can.

# Risk #

If exploited, this vulnerability would allow an attacker to gain control of all Puppet-managed nodes signed by the same Certificate Authority (CA). Note that beyond the updated code base, previously signed certificates in the wild may still expose users to risk. A complete remediation guide and solution will be made available with the general announcement of the vulnerability at the following location:
http://www.puppetlabs.com/security/cve/cve-2011-3872/

# Fixes #

The easiest solution is to move to the new upstreams available as 2.7.6 or 2.6.12. Fixing this vulnerability is done with a rather large commit series. We (Puppet Labs) are happy to help get this patch series applied on top of your existing packages if your distribution policy mandates you keep shipping the same version of Puppet. If you require our assistance, please let us know as soon as possible, and include what your version is, and what patches (either from Puppet Labs or your own) you are currently applying/carrying.

Puppet Labs has patched this vulnerability and will be releasing new versions of Puppet that include this fix. Note that these releases are available early for packaging. The upstream tarballs will be available in our normal download locations after public announcement, and these links may disappear later next week.

## Puppet 2.7.x ##

- Puppet 2.7.6 (which was ready to release via our normal process) includes these fixes.
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.7.6.gem
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.7.6.gem.asc
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.7.6.tar.gz
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.7.6.tar.gz.asc

- We are also making available a patch series that applies cleanly via git am to 2.7.5.
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/CVE-2011-3872-puppet-2.7.5.patch
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/CVE-2011-3872-puppet-2.7.5.patch.asc

## Puppet 2.6.x ##

- We are releasing Puppet 2.6.12. As with previous security release fixes for the 2.6.x series, this is simply the last release plus these security fixes.
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.6.12.gem
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.6.12.gem.asc
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.6.12.tar.gz
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-2.6.12.tar.gz.asc

## Puppet 0.25.x ##

- We are releasing Puppet 0.25.6. This is not just the last release plus this security fix, as we've had some repository housecleaning issues. If your distro policies mean you cannot adopt this release, let us know and we'll try to help with a specific patch. We will need specific versions to go down this path. Alternatively we can give you a patch that removes certdnsnames functionality altogether, which will be significantly simpler to provide. There will be no official announcements made about the release of 0.25.6.
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-0.25.6.tar.gz
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/puppet-0.25.6.tar.gz.asc

## Puppet 0.24.x ##

- Puppet Labs will only be providing a patch that removes the certdnsnames option altogether.
  http://puppetlabs-cve-2011-3872.s3.amazonaws.com/CVE-2011-3872-0.24.x.patch

## Puppet Enterprise ##

Puppet Enterprise will have hotfixes and updates available as well by public announcement time.

# Plan of Action #

We ask that you have packages ready to distribute Monday, 24 Oct at 20:00 UTC (13:00 PDT). If you need any assistance from Puppet Labs to accomplish this, *please* let us know as early as possible and *we can help*.

Please consider this information CONFIDENTIAL until such time. Further information will be available at http://www.puppetlabs.com/security/cve/cve-2011-3872/

If you need assistance, or have questions, please let us know.

Michael Stahnke
Release Manager - Puppet Labs
This time frame is likely too short for a prestabling, but let's try. matsuu, please prepare an ebuild for 2.6.12 based on the distfile below and attach it to this bug. Do NOT commit anything to CVS until the embargo is lifted. We'll do prestabling on this bug.
This is public now as per $URL. matsuu, update now directly to CVS please.
*** Bug 388449 has been marked as a duplicate of this bug. ***
2.6.12 and 2.7.6 in CVS. Please mark stable puppet-2.6.12.
Thanks. Arches, please test and mark stable:
=app-admin/puppet-2.6.12
Target KEYWORDS: "amd64 hppa ppc sparc x86"
amd64 ok
ditto Ago
Stable for HPPA.
amd64 done. Thanks Agostino and Ian
x86 stable
sparc stable
ppc done; closing as last arch
Please do not close security bugs. Added GLSA vote request.
Thanks, everyone. GLSA Vote: yes.
CVE-2011-3872 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3872): Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."
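The NVD text above, and the advisory's warning that already-issued certificates remain a risk after upgrading, both come down to one X.509 detail: an agent certificate whose subjectAltName carries the master's certdnsnames passes the same hostname check a client applies to the master's own certificate. The following Ruby script is an added illustration, not Puppet's code and not part of this bug. It builds a throw-away CA and two certificates for the same agent, one modelled on the affected behaviour (master names copied into the agent's SAN, with the assumed certdnsnames `puppet` and `puppet.example.com`) and one with no SAN, then runs the two checks a practitioner wants when auditing old certificates: which master names a cert could impersonate, and whether a client connecting to a given server name would accept it. `MASTER_CERTDNSNAMES`, `AGENT_NAME`, and the exact SAN contents are assumptions for the demo; real Puppet-issued certificates may differ in other fields.

```ruby
require 'openssl'

# Constructed example: a throw-away CA plus two agent certificates for the same
# agent. One is signed the way the NVD text describes for the affected releases
# (the master's certdnsnames copied into the agent's subjectAltName); the other
# carries no SAN at all, so it can only ever match its own CN. Neither is
# Puppet's code; the names below are assumptions for the demo.
MASTER_CERTDNSNAMES = %w[puppet puppet.example.com].freeze # assumed certdnsnames
AGENT_NAME = 'agent1.example.com'                          # assumed agent certname

# Build and sign a certificate. issuer_cert/signing_key nil => self-signed.
def build_cert(subject_cn, issuer_cert, signing_key, serial, san_dns, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', subject_cn]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  unless san_dns.empty?
    # This is the affected behaviour when san_dns holds the master's names.
    cert.add_extension(ef.create_extension('subjectAltName',
                                           san_dns.map { |n| "DNS:#{n}" }.join(', ')))
  end
  cert.sign(signing_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

def make_ca
  build_cert('Example Puppet CA', nil, nil, 1, [], ca: true)
end

# DNS names listed in the certificate's subjectAltName; [] when there is none.
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).grep(/\ADNS:/).map { |v| v.sub('DNS:', '') }
end

# Audit check for already-issued certs: which of the master's names does this
# agent certificate carry in its SAN? Anything non-empty means the holder of
# the cert (anyone with root on that agent) can present it as the master to
# clients that reach the master by that name.
def impersonable_master_names(cert, master_names)
  san_dns_names(cert) & master_names
end

# The client-side hostname check: would a client that connected to server_name
# accept this certificate as the server's? Same rule a TLS client applies
# (SAN dNSName entries; CN only when no dNSName is present).
def accepted_for_host?(cert, server_name)
  OpenSSL::SSL.verify_certificate_identity(cert, server_name)
end

if __FILE__ == $PROGRAM_NAME
  ca, ca_key = make_ca
  vulnerable, = build_cert(AGENT_NAME, ca, ca_key, 2, MASTER_CERTDNSNAMES)
  fixed, = build_cert(AGENT_NAME, ca, ca_key, 3, [])
  [['vulnerable', vulnerable], ['fixed', fixed]].each do |label, cert|
    puts "#{label}: SAN=#{san_dns_names(cert).inspect} " \
         "impersonates=#{impersonable_master_names(cert, MASTER_CERTDNSNAMES).inspect} " \
         "accepted as 'puppet'=#{accepted_for_host?(cert, 'puppet')}"
  end
end
```

To audit a real deployment, feed `impersonable_master_names` each signed agent certificate from the CA's store together with the list of names agents actually use for the master; any hit is a certificate that upgrading alone does not neutralise, which is the point the advisory's Risk section makes.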
On existing GLSA draft.
This issue was resolved and addressed in GLSA 201203-03 at http://security.gentoo.org/glsa/glsa-201203-03.xml by GLSA coordinator Sean Amoss (ackle).