Date: 11 February 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2013.0019
A number of vulnerabilities have been identified in Puppet Enterprise
11 February 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Puppet Enterprise
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Privileged Data -- Existing Account
Cross-site Request Forgery -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2013-1399 CVE-2013-1398
Member content until: Wednesday, March 13 2013
OVERVIEW
Multiple vulnerabilities have been identified in Puppet Enterprise
prior to version 2.7.1. [1, 2]
IMPACT
The vendor has provided the following details regarding two
vulnerabilities affecting Puppet Enterprise versions 2.0 and later,
prior to version 2.7.1:
"CVE-2013-1398 (MCO Private Key Leak)
Posted February 6, 2013
Under certain circumstances, a user with root access to a single node
in a PE deployment could possibly manipulate that client's local facts
in order to force the pe_mcollective module to deliver a catalog
containing SSL keys. These keys could be used to access other nodes in
the collective and send them arbitrary commands as root.
This vulnerability affects the master role of Puppet Enterprise." [1]
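The failure mode described above is a catalog compiler deciding which secrets a node receives on the basis of data the node itself reported. The following Ruby is an added illustration, not Puppet or Puppet Enterprise code: it contrasts a compile step keyed on an agent-supplied fact (the fact name pe_mcollective_role, the file paths and the certnames are hypothetical) with one keyed on the certname in the agent's certificate and an allow list held on the master. Key and certificate material are generated on the fly when the script runs.

```ruby
require 'openssl'

# Stand-in for the collective's shared server key that the module would
# distribute. Generated here on the fly; it is not real PE key material.
MCO_SERVER_KEY = OpenSSL::PKey::RSA.new(2048).to_pem.freeze

# Master-side list of certnames entitled to the key. Hypothetical names; the
# point is that this list is kept on the master, out of any agent's reach.
MCO_KEY_HOLDERS = %w[mco-broker-01.example.com].freeze

# Self-signed certificate for a certname, standing in for the agent
# certificate a Puppet CA would have issued and the master would have
# verified during the TLS handshake.
def issue_cert(certname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Identity as the master sees it: the CN of the verified client certificate.
# Root on a node can rewrite that node's facts but not the CA-issued cert.
def certname_from(cert)
  cert.subject.to_a.find { |name, _value, _type| name == 'CN' }[1]
end

def mco_key_resource
  { 'type' => 'file', 'title' => '/etc/mcollective/server.pem',   # hypothetical path
    'content' => MCO_SERVER_KEY }
end

# Vulnerable pattern: whether the key goes into the catalog depends on a fact,
# and facts are whatever the agent chose to report.
def compile_vulnerable(facts)
  resources = []
  resources << mco_key_resource if facts['pe_mcollective_role'] == 'server'
  { 'resources' => resources }
end

# Hardened pattern: the decision is taken on the certificate identity and the
# master's own list. Facts still drive ordinary, non-secret configuration.
def compile_hardened(client_cert, facts)
  resources = []
  resources << mco_key_resource if MCO_KEY_HOLDERS.include?(certname_from(client_cert))
  resources << { 'type' => 'file', 'title' => '/etc/motd', 'content' => "node #{facts['fqdn']}\n" }
  { 'resources' => resources }
end

def leaks_mco_key?(catalog)
  catalog['resources'].any? { |r| r['content'] == MCO_SERVER_KEY }
end

if __FILE__ == $PROGRAM_NAME
  # Root on web-07 lies about its role; its certificate still says web-07.
  attacker_facts = { 'fqdn' => 'web-07.example.com', 'pe_mcollective_role' => 'server' }
  web_cert = issue_cert('web-07.example.com')
  puts "vulnerable compile leaks key:     #{leaks_mco_key?(compile_vulnerable(attacker_facts))}"
  puts "hardened compile leaks key:       #{leaks_mco_key?(compile_hardened(web_cert, attacker_facts))}"
  puts "hardened compile for real broker: #{leaks_mco_key?(compile_hardened(issue_cert('mco-broker-01.example.com'), {}))}"
end
```

The check to carry over to real manifests is the trust boundary, not the specific fact name: anything an agent reports about itself is input from that agent, so a catalog that places key material must branch on something the master verified (the certificate identity, or a list the master owns) rather than on facts.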
"CVE-2013-1399 (Console CSRF Vulnerability):
Posted February 6, 2013
Several components of the Puppet Enterprise console were vulnerable to
CSRF attacks.
Cross site request forgery (CSRF) protection has been added to the
following areas of the PE console: node request management, live
management, and user administration. Now, basically every HTML form
submitted to a server running one of these services gets a randomly
generated token whose authenticity is compared against a token stored by
the session of the currently logged-in user. Requests with tokens that
do not authenticate (or are not present) will be answered with a
"403 Forbidden" HTTP status.
One exception to the CSRF protection model are HTTP requests that use
basic HTTP user authorization. These are treated as API requests and,
since by definition they include a valid (or not) username and password,
they are considered secure.
Note that the Rails-based puppet dashboard application is not vulnerable
due to Rails' built-in CSRF protection.
This vulnerability affects the console role of Puppet Enterprise." [2]
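The token scheme described above, as an added Ruby illustration that is not the Puppet Enterprise console's own code: one random token is minted per login session and stored server-side, every rendered form carries it as a hidden field, every state-changing request is checked against the session's copy with a constant-time comparison, requests without a matching token get 403, and requests carrying HTTP Basic credentials are treated as API calls and exempted, as the vendor text describes. The user database, credentials, cookie name and URL path are constructed for the example.

```ruby
require 'securerandom'

# Minimal model of a form-driven web console. User database, cookie name,
# URL path and credentials are constructed for the example.
class ConsoleApp
  USERS = { 'admin' => 'correct-horse-battery' }.freeze   # constructed credentials
  SESSION_COOKIE = 'pe_console_session'.freeze            # hypothetical cookie name
  SAFE_METHODS = %w[GET HEAD].freeze

  def initialize
    @sessions = {}   # session id => { user:, csrf_token: }
    @nodes = {}      # node name => state; the resource the forms change
  end

  # Log in; returns the session id the browser would carry in its cookie.
  # One random token is minted per session and kept server-side.
  def login(user, password)
    return nil unless USERS[user] && secure_equal?(USERS[user], password)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user: user, csrf_token: SecureRandom.urlsafe_base64(32) }
    sid
  end

  # Every rendered form carries the session's token as a hidden field.
  def render_accept_form(sid, node)
    token = @sessions.fetch(sid)[:csrf_token]
    "<form method=\"POST\" action=\"/node_requests/#{node}/accept\">" \
      "<input type=\"hidden\" name=\"authenticity_token\" value=\"#{token}\">" \
      "<button>Accept</button></form>"
  end

  # Authorization header value an API client would send.
  def self.basic_header(user, password)
    'Basic ' + ["#{user}:#{password}"].pack('m0')
  end

  # request: { method:, path:, cookies: {}, headers: {}, params: {} }
  # Returns [status, body]. Only the state-changing accept action is modelled.
  def call(request)
    return [200, 'read-only; no token required'] if SAFE_METHODS.include?(request[:method])
    user = authorised_user(request)
    return [403, 'Forbidden'] unless user
    node = request[:path][%r{\A/node_requests/([^/]+)/accept\z}, 1]
    return [404, 'Not Found'] unless node
    @nodes[node] = :accepted
    [200, "accepted #{node} as #{user}"]
  end

  def node_state(node)
    @nodes[node]
  end

  private

  # Basic-auth requests are treated as API calls and skip the token check, as
  # the vendor text describes; everything else must present the session's token.
  def authorised_user(request)
    auth = request[:headers]['Authorization'].to_s
    if auth.start_with?('Basic ')
      decoded = auth.sub('Basic ', '').unpack1('m') rescue ''
      user, password = decoded.to_s.split(':', 2)
      return user if user && password && USERS[user] && secure_equal?(USERS[user], password)
      return nil
    end
    session = @sessions[request[:cookies][SESSION_COOKIE]]
    return nil unless session
    token = request[:params]['authenticity_token']
    return nil unless token && secure_equal?(session[:csrf_token], token)
    session[:user]
  end

  # Constant-time comparison so a token guess cannot be refined by timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  app = ConsoleApp.new
  sid = app.login('admin', 'correct-horse-battery')
  token = app.render_accept_form(sid, 'web-07')[/value="([^"]+)"/, 1]
  cookies = { ConsoleApp::SESSION_COOKIE => sid }
  # A page on another origin auto-submits the form: the browser attaches the
  # cookie, but the attacker cannot read the token, so it is absent.
  forged = { method: 'POST', path: '/node_requests/web-07/accept', cookies: cookies, headers: {}, params: {} }
  p app.call(forged)                                                   # => [403, "Forbidden"]
  p app.call(forged.merge(params: { 'authenticity_token' => token }))  # => [200, "accepted web-07 as admin"]
  api = { method: 'POST', path: '/node_requests/db-01/accept', cookies: {},
          headers: { 'Authorization' => ConsoleApp.basic_header('admin', 'correct-horse-battery') }, params: {} }
  p app.call(api)                                                      # => [200, "accepted db-01 as admin"]
end
```

Two design points are worth keeping in view when reusing this shape. The comparison is constant-time because the token is a secret and an equality check that returns early on the first differing byte leaks its prefix to anyone who can time responses. And the Basic-auth exemption only holds for clients that do not replay credentials on their own: a browser that has authenticated to a realm with Basic auth attaches those credentials to every later request to that realm, so a browser-driven cross-site request to such an endpoint would pass the exemption; keeping the API on a separate hostname or requiring a custom request header is the usual way to close that gap.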
MITIGATION
The vendor recommends updating to Puppet Enterprise 2.7.1 or later to
correct these issues. [1, 2]
REFERENCES
[1] CVE-2013-1398
https://puppetlabs.com/security/cve/cve-2013-1398/
[2] CVE-2013-1399
https://puppetlabs.com/security/cve/cve-2013-1399/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----