Bug 461656 (CVE-2013-1640) - <app-admin/puppet-2.7.21: multiple vulnerabilities (CVE-2013-{1640,1652,1653,1654,1655,2274,2275})
Status: RESOLVED FIXED
Alias: CVE-2013-1640
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52596/
Whiteboard: B1 [glsa]
Reported: 2013-03-13 17:11 UTC by Agostino Sarubbo
Modified: 2013-08-23 18:44 UTC
CC List: 2 users
Description Agostino Sarubbo gentoo-dev 2013-03-13 17:11:26 UTC
From ${URL}:

Description
Multiple vulnerabilities have been reported in Puppet, which can be exploited by malicious users to disclose potentially sensitive information and compromise a vulnerable system and by malicious people to compromise a vulnerable system.

1) An unspecified error exists when invoking the "template" or "inline_template" functions while responding to a catalog request and can be exploited to execute arbitrary code via a specially crafted catalog request.

2) An input validation error exists in the application and can be exploited to e.g. gain unauthorized access to arbitrary catalogs from the master.

3) An unspecified error exists in the application and can be exploited to execute arbitrary code on agents via a specially crafted HTTP request.

Successful exploitation of this vulnerability requires listening for incoming connections and permission to access the "run" REST endpoint (disabled by default).

4) An error when handling serialized attributes can be exploited to execute arbitrary code.

5) An unspecified error exists in the application and can be exploited to execute arbitrary code via a specially crafted HTTP PUT request.

Successful exploitation of this vulnerability on an agent requires "puppet kick" to be enabled.

Please see the vendor's advisories for a list of affected versions.


Solution
Update to a fixed version.
Further details available to Secunia VIM customers

Provided and/or discovered by
Reported by the vendor.

Original Advisory
Puppet:
https://puppetlabs.com/blog/security-updates-new-releases-of-puppet-and-puppet-enterprise/
https://puppetlabs.com/security/cve/cve-2013-1640/
https://puppetlabs.com/security/cve/cve-2013-1652/
https://puppetlabs.com/security/cve/cve-2013-1653/
https://puppetlabs.com/security/cve/cve-2013-1655/
https://puppetlabs.com/security/cve/cve-2013-2274/
Comment 1 Matthew Thode (prometheanfire) archtester Gentoo Infrastructure gentoo-dev Security 2013-03-13 17:38:46 UTC
removed unstable from tree, added 2.7.21 and 3.1.1 (have fixes).

CCing arch teams for rapid stabilization of 2.7.21 so we can remove the bad stable from tree.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-13 18:05:11 UTC
Arch teams, please test and mark stable:
=app-admin/puppet-2.7.21
Stable KEYWORDS : amd64 hppa ppc sparc x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-13 18:55:58 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2013-03-14 13:21:58 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-03-14 13:24:21 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-03-14 15:10:04 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-03-17 16:02:22 UTC
sparc stable
Comment 8 Matthew Thode (prometheanfire) archtester Gentoo Infrastructure gentoo-dev Security 2013-03-17 16:11:43 UTC
removed =app-admin/puppet-2.7.18 and =app-admin/puppet-2.7.19-r1 (old and janky)
since =app-admin/puppet-2.7.21 is stable (new hotness)

removing myself from CC's
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-17 21:40:14 UTC
Thanks, everyone.

New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-03-21 18:47:58 UTC
CVE-2013-2275 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2275):
  The default configuration for puppet masters 0.25.0 and later in Puppet
  before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet
  Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated
  nodes to submit reports for other nodes via unspecified vectors.

CVE-2013-2274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2274):
  Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allow
  remote authenticated users to execute arbitrary code on the puppet master,
  or an agent with puppet kick enabled, via a crafted request for a report.

CVE-2013-1655 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1655):
  Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3
  or later, allows remote attackers to execute arbitrary code via vectors
  related to "serialized attributes."

CVE-2013-1654 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1654):
  Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise
  2.7.x before 2.7.2, does not properly negotiate the SSL protocol between
  client and master, which allows remote attackers to conduct SSLv2 downgrade
  attacks against SSLv3 sessions via unspecified vectors.

CVE-2013-1653 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1653):
  Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and
  Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for
  incoming connections is enabled and allowing access to the "run" REST
  endpoint is allowed, allows remote authenticated users to execute arbitrary
  code via a crafted HTTP request.

CVE-2013-1652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1652):
  Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and
  Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allow remote
  authenticated users with a valid certificate and private key to read
  arbitrary catalogs or poison the master's cache via unspecified vectors.

CVE-2013-1640 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1640):
  The (1) template and (2) inline_template functions in the master server in
  Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and
  Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allow remote
  authenticated users to execute arbitrary code via a crafted catalog request.
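The version ranges quoted from NVD in the comment above can be checked mechanically against an installed Puppet version. The following Python is an added example written for this page, not code from the Gentoo bug, the GLSA or Puppet; it transcribes only the open-source Puppet ranges (Puppet Enterprise ranges and the environment conditions such as the Ruby version, "puppet kick" or the "run" endpoint are not modelled), and it assumes a Gentoo "-rN" ebuild revision suffix can be dropped before comparing.

```python
"""Match a Puppet version against the affected ranges quoted from NVD above."""

# (lower_inclusive, upper_exclusive) pairs transcribed from the NVD text for
# open-source Puppet; a lower bound of None means "everything before upper".
# Series the text does not name (e.g. 3.0.x) are absent and therefore never
# matched, which says nothing about whether they are safe.
AFFECTED = {
    "CVE-2013-1640": [(None, "2.6.18"), ("2.7", "2.7.21"), ("3.1", "3.1.1")],
    "CVE-2013-1652": [(None, "2.6.18"), ("2.7", "2.7.21"), ("3.1", "3.1.1")],
    "CVE-2013-1653": [(None, "2.6.18"), ("2.7", "2.7.21"), ("3.1", "3.1.1")],
    "CVE-2013-1654": [("2.7", "2.7.21"), ("3.1", "3.1.1")],
    "CVE-2013-1655": [("2.7", "2.7.21"), ("3.1", "3.1.1")],
    "CVE-2013-2274": [("2.6", "2.6.18")],
    "CVE-2013-2275": [("0.25.0", "2.6.18"), ("2.7", "2.7.21"), ("3.1", "3.1.1")],
}


def parse_version(version):
    """Turn '2.7.19-r1' into (2, 7, 19).  Dropping the Gentoo '-rN' ebuild
    revision is an assumption of this example: the upstream ranges are
    expressed in upstream version numbers only."""
    base = version.split("-", 1)[0]
    parts = []
    for piece in base.split("."):
        if not piece.isdigit():
            raise ValueError("unsupported version component in %r" % version)
        parts.append(int(piece))
    return tuple(parts)


def in_range(version, lower, upper):
    """Half-open comparison on numeric tuples: lower <= version < upper."""
    v = parse_version(version)
    if lower is not None and v < parse_version(lower):
        return False
    return v < parse_version(upper)


def affecting_cves(version):
    """Sorted CVE ids from this bug whose quoted ranges contain `version`."""
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(in_range(version, lo, hi) for lo, hi in ranges))


if __name__ == "__main__":
    # The two versions removed from the tree in comment 8 and the stable target.
    for v in ("2.7.18", "2.7.19-r1", "2.7.21"):
        print(v, affecting_cves(v) or "not in any quoted range")
```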
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-08-23 18:44:07 UTC
This issue was resolved and addressed in GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml by GLSA coordinator Sergey Popov (pinkbyte).