copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ASB-2014.0079 - [UNIX/Linux] Puppet Enterprise & Mcollective: Access privileged data - Remote/unauthenticated

Date: 21 July 2014
References: ESB-2014.1207  ESB-2014.1215  ESB-2014.1224  ESB-2014.1225.2  ESB-2014.1248  ESB-2014.1249  ESB-2014.1259  ESB-2014.1265  ESB-2014.1277  ESB-2014.1299.2  
ESB-2014.1303  ESB-2014.1314  ESB-2014.1315  ESB-2014.1318  ESB-2014.1357  ESB-2014.1366  ESB-2014.1382  ESB-2014.1386  ESB-2014.1526  ESB-2014.2145  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0079
          Multiple vulnerabilities have been identified in Puppet
                Enterprise (3.2, 2.8) and Mcollective (all)
                               21 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Puppet Enterprise
                      Mcollective
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Privileged Data         -- Remote/Unauthenticated
                      Denial of Service              -- Remote/Unauthenticated
                      Provide Misleading Information -- Remote/Unauthenticated
                      Unauthorised Access            -- Existing Account      
Resolution:           Patch/Upgrade
Member content until: Wednesday, August 20 2014

OVERVIEW

        Multiple vulnerabilities have been identified in Puppet Enterprise 
        (3.2, 2.8) and Mcollective (all). [1 - 3]


IMPACT

        The vendor has provided the following details regarding two 
        vulnerabilities:
        
        "CVE-2014-0198 (OpenSSL vulnerability could allow denial of service
        attack)
        
        Due to a vulnerability in OpenSSL versions 1.0.0 and 1.0.1, if 
        SSL_MODE_RELEASE_BUFFERS is enabled, an attacker could cause a 
        denial of service. This affected agents running on the followning 
        operating systems: Solaris 10, Windows, and AIX."[1]
        
        "CVE-2014-0224 (OpenSSL vulnerability in secure communications)
        
        Due to a vulnerability in OpenSSL versions 1.0.1 and later, an 
        attacker could intercept and decrypt secure communications. This 
        vulnerability requires that both the client and server be running an
        unpatched version of OpenSSL. Unlike heartbleed, this attack vector
        occurs after the initial handshake, which means ecnryption keys are
        not compromised. However, puppet encrypts catalogs for transmission
        to agents, so puppet manifests containing sensitive information 
        could have been intercepted. We advise all users to avoid including
        sensitive information in catalogs. This affects agents running on 
        the followning operating systems: Solaris 10, Windows, and AIX.
        
        Users of Puppet Enterprise 2.8.7 are strongly advised to update 
        OpenSSL on their Puppet Master to the latest version (fixed by 
        distros in all supported PE master platforms). Puppet Enterprise 
        3.3.0 includes a patched version of OpenSSL." [2]
        
        "CVE-2014-3251 (MCollective 'aes_security' Plugin Certificate 
        Validation)
        
        The MCollective `aes_security` public key plugin did not correctly 
        validate new server certs against the CA certificate. By exploiting
        this vulnerability within a specific race condition window, an 
        attacker with local access could initiate an unauthorized 
        Mcollective client connection with a server. Note that this 
        vulnerability requires a collective be configured to use the 
        aes_security plugin. Puppet Enterprise and open source Mcollective 
        are not configured to use the plugin and are not vulnerable by 
        default.
        
        Acknowledgement for the responsible disclosure of this vulnerability
        to Puppet Labs
        
            Mark Chappell" [3]


MITIGATION

        The vendor recommends updating to the latest versions of Puppet
        Enterprise and Mcollective to correct these issues. [1, 3]


REFERENCES

        [1] CVE-2014-0198 (OpenSSL vulnerability could allow denial of service
            attack)
            http://puppetlabs.com/security/cve/cve-2014-0198

        [2] CVE-2014-0224 (OpenSSL vulnerability in secure communications)
            http://puppetlabs.com/security/cve/cve-2014-0224

        [3] CVE-2014-3251 (MCollective 'aes_security' Plugin Certificate
            Validation)
            http://puppetlabs.com/security/cve/cve-2014-3251

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU8yGLBLndAQH1ShLAQIEoRAApsVanIzVlcoXyQOWq0e0L+Rp26SaUXCS
x7OlAwpWYRTzgmfHey600XJ0vzmO3+exocsYtRQDhEJ04GuLyxUC0MpZV9cHVXLV
sTizv1zTT7aMZaRjRtt1CJg+j91Q6lguGGFqVN5+/IJFwVhd5NOpoGqLi9Pq5qUq
FSmF9M7btrAI2xVcqdLzYj0SicKNf4L8KE99ERmYHTNHdZcOTra5R/YkhQiS+BfR
plaa1qHl4IUaqIBciYN+McU4CvLU1Rr9UtlLDoB9cZkIULp6J3JdZq6Ruzz3mlcN
mUCliA4e86bmQzi8CCDeEJMW48HPMh1fxw1VkGkuQLsYscejzLeTWjcwJavgBmI+
UgsErSopx2v5cFzIMtH0k0tW6cE+EwiOPlxiE2rQlrSVL0EqQOZaLMRi1mo/e4Sk
xurPwTo1o0lkdmXT1/rCOlK2J/+a7R9yJgNu1VxO0ZYPBrohdhxiivNCBXziiHOa
clOxOCJ0DTIH41NWHcDXAFyO19jLqj3nbNTSAEMp095B2d1qRVIFNvNdjb6QFQy+
skkSa0cFrWgY3Tyr9yaoIdzhJpXT6rwZrgKXFx0RaQ9/YGuX4oI4Uaubxzk1Unmh
K1r6CHdCx9JMPZx959a3vvQbjD27oTk65X7mCasR4l1bOE55GBQFDFpPSx2qyHuo
9Z5txsfc9JI=
=OGSc
-----END PGP SIGNATURE-----