Date: 13 March 2013
References: ESB-2013.0481
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0381
puppet security update
13 March 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: puppet
Publisher: Debian
Operating System: UNIX variants (UNIX, Linux, OSX)
Debian GNU/Linux 6
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Reduced Security -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2013-2275 CVE-2013-2274 CVE-2013-1655
CVE-2013-1654 CVE-2013-1653 CVE-2013-1652
CVE-2013-1640
Original Bulletin:
http://www.debian.org/security/2013/dsa-2643
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running puppet check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2643-1                   security@debian.org
http://www.debian.org/security/                        Yves-Alexis Perez
March 12, 2013                          http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : puppet
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654
CVE-2013-1655 CVE-2013-2274 CVE-2013-2275
Debian Bug :
Multiple vulnerabilities were discovered in Puppet, a centralized
configuration management system.
CVE-2013-1640
An authenticated malicious client may request its catalog from the puppet
master, and cause the puppet master to execute arbitrary code. The puppet
master must be made to invoke the `template` or `inline_template` functions
during catalog compilation.
CVE-2013-1652
An authenticated malicious client may retrieve catalogs from the puppet
master that it is not authorized to access. Given a valid certificate and
private key, it is possible to construct an HTTP GET request that will
return a catalog for an arbitrary client.
CVE-2013-1653
An authenticated malicious client may execute arbitrary code on Puppet
agents that accept kick connections. Puppet agents are not vulnerable in
their default configuration. However, if the Puppet agent is configured to
listen for incoming connections, e.g. listen = true, and the agent's
auth.conf allows access to the `run` REST endpoint, then an authenticated
client can construct an HTTP PUT request to execute arbitrary code on the
agent. This issue is made worse by the fact that puppet agents typically
run as root.
CVE-2013-1654
A bug in Puppet allows SSL connections to be downgraded to SSLv2, which is
known to contain design flaw weaknesses. This affects SSL connections
between puppet agents and master, as well as connections that puppet agents
make to third party servers that accept SSLv2 connections. Note that SSLv2
is disabled since OpenSSL 1.0.
CVE-2013-1655
An unauthenticated malicious client may send requests to the puppet master,
and have the master load code in an unsafe manner. It only affects users
whose puppet masters are running ruby 1.9.3 and above.
CVE-2013-2274
An authenticated malicious client may execute arbitrary code on the
puppet master in its default configuration. Given a valid certificate and
private key, a client can construct an HTTP PUT request that is authorized
to save the client's own report, but the request will actually cause the
puppet master to execute arbitrary code.
CVE-2013-2275
The default auth.conf allows an authenticated node to submit a report for
any other node, which is a problem for compliance. It has been made more
restrictive by default so that a node is only allowed to save its own
report.
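The two configuration-dependent issues above (CVE-2013-1653 and CVE-2013-2275) can be checked directly against a master's or agent's auth.conf and puppet.conf. The following auditor is an added example and is not part of the Debian advisory or of Puppet itself; the file contents it reads are constructed samples, the node name `web01.example` is a placeholder, and the stanza syntax follows the Puppet 2.6/2.7 auth.conf format (a `path` line opens a stanza; `method`, `auth`, `allow` and `deny` lines belong to it; the first matching stanza decides).

```python
"""Audit Puppet 2.x auth.conf / puppet.conf for the exposure conditions
named in DSA-2643: a report save rule that is not limited to the node's
own name (CVE-2013-2275) and an agent that listens for kick connections
while auth.conf grants the `run` endpoint (CVE-2013-1653).

Added example; constructed sample files, not the advisory's or Puppet's code.
"""
import configparser
import re

# Constructed sample in the shape of the pre-fix default auth.conf, plus a
# stanza that opens the run endpoint to every authenticated node.
SAMPLE_AUTH_CONF = """\
# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1

# allow all nodes to store their reports (pre-fix default)
path /report
method save
allow *

# constructed: any node may trigger a run on an agent
path /run
method save
allow *

path /
auth any
"""

# Constructed sample showing the tightened report rule and no run stanza.
FIXED_AUTH_CONF = """\
path ~ ^/catalog/([^/]+)$
method find
allow $1

path ~ ^/report/([^/]+)$
method save
allow $1

path /
auth any
"""

# Constructed sample: an agent configured to accept kick connections.
SAMPLE_PUPPET_CONF = """\
[main]
logdir = /var/log/puppet

[agent]
listen = true
"""


def parse_auth_conf(text):
    """Return stanza dicts in file order. A 'path' line starts a stanza;
    '#' begins a comment (paths containing '#' are not handled)."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            regex = value.startswith("~")  # 'path ~ <regex>' form
            pattern = value[1:].strip() if regex else value
            current = {"path": pattern, "regex": regex, "method": [],
                       "auth": "yes", "allow": [], "deny": []}
            stanzas.append(current)
        elif current is not None and key in ("method", "allow", "deny"):
            current[key].extend(v.strip() for v in value.split(","))
        elif current is not None and key == "auth":
            current["auth"] = value
    return stanzas


def find_rule(stanzas, endpoint, method):
    """First stanza whose path matches the request path (prefix match for
    plain paths, regex search for '~' paths) and whose method list is
    empty or contains the requested method."""
    for s in stanzas:
        hit = (re.search(s["path"], endpoint) is not None if s["regex"]
               else endpoint.startswith(s["path"]))
        if hit and (not s["method"] or method in s["method"]):
            return s
    return None


def audit(auth_conf_text, puppet_conf_text, node="web01.example"):
    """Return a list of finding strings; an empty list means no exposure."""
    stanzas = parse_auth_conf(auth_conf_text)
    findings = []

    # CVE-2013-2275: the save rule for /report/<node> must allow only '$1'.
    rule = find_rule(stanzas, "/report/" + node, "save")
    if rule is not None and rule["allow"] != ["$1"]:
        findings.append("CVE-2013-2275: report save rule '%s' allows %s; "
                        "use a regex path with 'allow $1'"
                        % (rule["path"], rule["allow"] or "nobody"))

    # CVE-2013-1653: relevant only when the agent has listen = true.
    cfg = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cfg.read_string(puppet_conf_text)
    listens = cfg.getboolean("agent", "listen", fallback=False)
    rule = find_rule(stanzas, "/run/" + node, "save")
    if listens and rule is not None and rule["allow"]:
        findings.append("CVE-2013-1653: agent listens and rule '%s' grants "
                        "the run endpoint to %s; set listen = false or "
                        "remove the allow" % (rule["path"], rule["allow"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTH_CONF, SAMPLE_PUPPET_CONF):
        print(f)
    print("fixed config findings:", audit(FIXED_AUTH_CONF, SAMPLE_PUPPET_CONF))
```

Against the constructed pre-fix files the auditor reports both CVEs; against the tightened auth.conf it reports nothing even though the agent still listens, because the catch-all `path /` stanza carries no `allow` and therefore denies the run request. The same two checks can be run on real files by passing their contents in place of the samples.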
For the stable distribution (squeeze), these problems have been fixed in
version 2.6.2-5+squeeze7.
For the testing distribution (wheezy), these problems have been fixed in
version 2.7.18-3.
For the unstable distribution (sid), these problems have been fixed in
version 2.7.18-3.
We recommend that you upgrade your puppet packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQEcBAEBCgAGBQJRP7CzAAoJEG3bU/KmdcClzGIIAI90dF51SNHLGAIImu6vXJd2
4PII5l3AeAyL8f7HQWqVgFYrockwsCazs/vgqPdwfDEAnon2C/I4FvpehJo5hd5y
dFH01a7KYEvgG1okfiuDk+Pe3AEQsJSbBSyhA/Yw4Uix4wk508TWjvUAUMjRnUn5
yO0dB3b3hj4xgESmKtlXbHpjeQaaVOh5emXLuaV5V9mxCCN0fedIqjKxWd4vN4E9
l7hin1DzuxwkwoKeCGDOjKcSShpHAvwspTsUFZMhcU33Mu2an5j0QgPBhiQthJ1r
5uNeOYyYq+DVD0wjO++Lo2KwUayQUOriL+6y1BUvheyc/o+408/jppJ1JLjIWyg=
=Z1A4
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=kuC7
-----END PGP SIGNATURE-----