A bug in Puppet allows agents with certnames of IP addresses to be impersonated. This vulnerability exists in setups where certnames are set to host IP addresses. If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host’s former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host’s catalog.

Note that IP-based authentication will be disabled in Puppet 3.x, but will not be disabled in prior versions. Instead, with this announcement IP-based authentication in Puppet < 3.x is deprecated, and using IP-based authentication in 2.7.x will result in a deprecation warning. This is considered a low-risk vulnerability. Please see the release notes [1] for more details.

[1] http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.18

Reproducible: Always
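An added example, not part of the original report or of Puppet's own code: a Ruby audit helper that flags certnames that are IP address literals, which is the setup this report describes as impersonable. The certname list is constructed sample data, and `ip_certname?` and `audit_certnames` are hypothetical helper names.

```ruby
require 'ipaddr'

# Constructed sample: certnames as an operator might export them from the
# master's list of signed certificates (not taken from the report).
SAMPLE_CERTNAMES = [
  'web01.example.com',
  '192.0.2.15',               # IPv4 literal: identity follows the address
  '2001:db8::15',             # IPv6 literal: same problem
  '10.0.0.1.example.com',     # host name that merely starts like an IP
  'db-10-0-0-7.example.com',  # host name that embeds an address
  ' 198.51.100.7 ',           # stray whitespace from a copy/paste export
  '300.1.1.1'                 # not a valid address, so not an IP certname
].freeze

# True when the certname is an IP address literal rather than a host name.
def ip_certname?(certname)
  name = certname.to_s.strip
  # A "/" would make IPAddr parse a network range, which is not a certname.
  return false if name.empty? || name.include?('/')

  IPAddr.new(name)
  true
rescue ArgumentError # IPAddr's parse errors are ArgumentError subclasses
  false
end

# Returns one finding per IP-literal certname, with its address family,
# so the operator knows which agents need a stable, name-based certname.
def audit_certnames(certnames)
  certnames.map { |c| c.to_s.strip }.select { |c| ip_certname?(c) }.map do |c|
    { certname: c, family: IPAddr.new(c).ipv4? ? 'IPv4' : 'IPv6' }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_certnames(SAMPLE_CERTNAMES).each do |finding|
    puts "IP-address certname (#{finding[:family]}): #{finding[:certname]}"
  end
end
```

Any certname it reports identifies an agent by an address that another host can later acquire, so those agents are the ones to reissue under stable names.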
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3408
Status: CLOSED WONTFIX
Aliases: CVE-2012-3408

https://bugzilla.redhat.com/show_bug.cgi?id=839166#c5
This was only addressed in 2.7. It was not really fixed, the change rather introduces a deprecation warning: https://github.com/puppetlabs/puppet/commit/ab9150b

No real fix is planned for this issue in puppet 2.x versions. Hence no update is planned for Red Hat products that include puppet 2.x versions to address this problem.
Thanks for the report, taaroa. We will just mark this bug depending on bug 425112 and finish the process there.
Sorry for the delay. 2.7.18 is in CVS. Please mark 2.7.18 stable.
CVE-2012-3408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3408): lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.
Thanks, folks. GLSA Vote: no.
GLSA vote: no. Closing noglsa.