Versions prior to 2.6.0 are not vulnerable.
Puppet Labs is releasing Puppet 2.6.4 to address this issue. Adding an
auth.conf configuration file if one is not present in your environment
will also provide protection from this issue.
$ cd /etc/puppet
$ wget --no-check-certificate https://github.com/puppetlabs/puppet/raw/2.6.x/conf/auth.conf
The checksum of this file should be: c34e20b7904b66ea97328f1a3846a848
Detail
------
If a given node or server is missing an auth.conf file in /etc/puppet,
they may be vulnerable to information disclosure or resource
manipulation from authenticated Puppet nodes. In both cases the scope is
limited to the privileges of the remote Puppet process.
Minimum conditions for server
* Running 2.6.0, 2.6.1, 2.6.2, 2.6.3 or any other 2.6.x release missing
the auth.conf file
* Attacker has access to SSL credentials of another node.
Minimum conditions for client
* Running 2.6.0, 2.6.1, 2.6.2, 2.6.3 or any other 2.6.x release missing
auth.conf file
* Attacker has access to SSL credentials of another node.
* Puppet client is running as a daemon (not --onetime)
* Puppet configured in "listen" mode with --listen
* Attacker's host is allowed to connect via namespaceauth.conf
Vulnerable Install Methods
* Install from gems
* Install from Mac packages
* Install from source
* Install from Solaris Blastwave packages
Not Vulnerable Install Methods
* Install from Debian debs
* Install from Red Hat RPMs
Note: If you remove auth.conf, you are vulnerable, regardless of install
method.
To determine if you are vulnerable you can execute the puppet resource
command, like so:
$ puppet resource -H attack.target.mydomain user puppet
Secured (auth.conf present):
(Attack against server requires puppetport specification, against client
does not, assuming default ports.)
$ puppet resource -H attack.target.mydomain user puppet --puppetport 8140
/usr/lib/ruby/1.8/puppet/indirector/rest.rb:57:in `deserialize': Error
403 on SERVER: Forbidden request: attack.host.mydomain (x.x.x.x) access
to /resource/user/ [search] authenticated at line 93 (Net::HTTPError)
Insecure (auth.conf missing):
You get the user info:
$ puppet resource -H attack.target.mydomain user puppet
user { 'puppet':
    comment => 'Puppet configuration management daemon,,,',
    uid => '104',
    gid => '107',
    home => '/var/lib/puppet',
    shell => '/bin/false',
    password => '*',
    ensure => 'present'
}
If you have any questions, comments or concerns about this issue please
email - secu...@puppetlabs.com.
Regards
James Turnbull
--
Puppet Labs - http://www.puppetlabs.com
C: 503-734-8571
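
A local check for the conditions described above, as an added example that is not part of the original advisory or Puppet Labs code: it classifies a host from its Puppet version and the state of auth.conf in the configuration directory. The function names and status words are hypothetical, the checksum is assumed to be MD5 (the advisory gives 32 hex digits without naming the algorithm), and versions are assumed to be plain x.y.z strings.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host by version and auth.conf state.
ADVISORY_SUM="c34e20b7904b66ea97328f1a3846a848"   # checksum quoted in the advisory

# Print the MD5 digest of a file with whichever tool the platform provides.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"                    # macOS / BSD
    fi
}

# auth_conf_status VERSION [CONFDIR] [EXPECTED_SUM]
# Prints one of: not-affected, vulnerable, missing, reference, customized.
auth_conf_status() {
    version=$1
    confdir=${2:-/etc/puppet}
    expected=${3:-$ADVISORY_SUM}
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # "Versions prior to 2.6.0 are not vulnerable."
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 6 ]; }; then
        echo "not-affected"; return 0
    fi
    if [ ! -f "$confdir/auth.conf" ]; then
        # 2.6.0 through 2.6.3 without auth.conf is the exposed configuration.
        if [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -lt 4 ]; then
            echo "vulnerable"
        else
            echo "missing"             # later release: reported, not judged
        fi
        return 0
    fi
    # File present: say whether it is the reference copy or a local variant.
    if [ "$(file_md5 "$confdir/auth.conf")" = "$expected" ]; then
        echo "reference"
    else
        echo "customized"
    fi
}

# Report on this host when puppet is installed.
if command -v puppet >/dev/null 2>&1; then
    auth_conf_status "$(puppet --version)" /etc/puppet
fi
```

A "customized" result only means the file differs from the copy the advisory links to; the rules in it still need to be reviewed by hand.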