Bug 426282 (CVE-2012-3408) - <app-admin/puppet-2.7.18: Agent Impersonation (CVE-2012-3408)
Summary: <app-admin/puppet-2.7.18: Agent Impersonation (CVE-2012-3408)
Status: RESOLVED FIXED
Alias: CVE-2012-3408
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://puppetlabs.com/security/cve/cv...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: CVE-2012-3864
Blocks:
Reported: 2012-07-12 09:03 UTC by taaroa
Modified: 2012-09-19 10:32 UTC

Description taaroa 2012-07-12 09:03:02 UTC
A bug in Puppet allows agents with certnames of IP addresses to be impersonated.
This vulnerability exists in setups where certnames are set to host IP addresses. If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host’s former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host’s catalog. Note that IP-based authentication will be disabled in Puppet 3.x, but will not be disabled in prior versions. Instead, with this announcement IP-based authentication in Puppet < 3.x is deprecated, and using IP-based authentication in 2.7.x will result in a deprecation warning. This is considered a low-risk vulnerability.

Please see the release notes [1] for more details.

[1] http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.18

Reproducible: Always
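
A defender-side check for the condition described above, as an added example that is not part of the original bug report or Puppet's own code: it flags certnames that are IP addresses and IP-based `allow` entries in auth.conf text. The `allow <pattern>[, <pattern>]` line form, the function names and the sample data are assumptions constructed for illustration.

```ruby
require 'ipaddr'

# True for a literal IPv4/IPv6 address, a CIDR block, or an IPv4 wildcard
# pattern such as 192.0.2.* (hostnames and globs like *.example.com are not).
def ip_based?(value)
  return true if value =~ /\A\d{1,3}(\.\d{1,3}){0,2}\.\*\z/
  return false unless value =~ /\A[0-9a-fA-F:.\/]+\z/ && value =~ /[.:]/
  IPAddr.new(value)
  true
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  false
end

# [line_number, pattern] for every IP-based "allow" entry in auth.conf text
# (assumed line form: allow <pattern>[, <pattern>...]).
def ip_allow_rules(auth_conf)
  hits = []
  auth_conf.each_line.with_index(1) do |line, n|
    next unless line.strip =~ /\Aallow\s+(.+?)(\s*#.*)?\z/
    $1.split(/\s*,\s*/).each { |pat| hits << [n, pat] if ip_based?(pat) }
  end
  hits
end

# Certnames (for example, the names of the master's signed certificates)
# that are IP addresses rather than hostnames.
def ip_certnames(names)
  names.map(&:strip).select { |name| ip_based?(name) }
end

# Constructed sample input, not taken from the bug report.
SAMPLE_AUTH_CONF = <<~CONF
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1

  path /file
  allow *.example.com, 192.0.2.*
  allow 198.51.100.7
CONF
SAMPLE_CERTNAMES = %w[web01.example.com 192.0.2.15 db.example.com 2001:db8::5]

if __FILE__ == $PROGRAM_NAME
  ip_allow_rules(SAMPLE_AUTH_CONF).each { |n, pat| puts "auth.conf:#{n}: IP-based allow #{pat}" }
  ip_certnames(SAMPLE_CERTNAMES).each { |c| puts "certname is an IP address: #{c}" }
end
```

Hosts it reports are the ones whose identity follows the address rather than the machine, so they are the candidates for re-issuing certificates under hostname-based certnames.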
Comment 1 taaroa 2012-07-14 07:32:22 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3408

Status: CLOSED WONTFIX
Aliases: CVE-2012-3408 

https://bugzilla.redhat.com/show_bug.cgi?id=839166#c5

This was only addressed in 2.7.  It was not really fixed; the change rather introduces a deprecation warning:

https://github.com/puppetlabs/puppet/commit/ab9150b

No real fix is planned for this issue in puppet 2.x versions.  Hence no update is planned for Red Hat products that include puppet 2.x versions to address this problem.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-14 21:49:15 UTC
Thanks for the report, taaroa.

We will just mark this bug depending on bug 425112 and finish the process there.
Comment 3 MATSUU Takuto (RETIRED) gentoo-dev 2012-07-20 17:00:45 UTC
Sorry for the delay.
2.7.18 is in CVS. Please mark 2.7.18 stable.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-08-07 01:01:26 UTC
CVE-2012-3408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3408):
  lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet
  Enterprise before 2.5.2, supports use of IP addresses in certnames without
  warning of potential risks, which might allow remote attackers to spoof an
  agent by acquiring a previously used IP address.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-08-26 14:36:32 UTC
Thanks, folks. GLSA Vote: no.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-19 10:32:32 UTC
GLSA vote: no.

Closing noglsa.