The Puppet Labs team has identified a security vulnerability in Puppet
version 2.6.0 and later.  Under certain circumstances the vulnerability
allows authenticated Puppet nodes to view or manipulate resources on
other Puppet 2.6.x nodes, including the Puppet Master.

Versions prior to 2.6.0 are not vulnerable.

Puppet Labs is releasing Puppet 2.6.4 to address this issue.  Adding an
auth.conf configuration file if one is not present in your environment
will also provide protection from this issue.

$ cd /etc/puppet
$ wget --no-check-certificate https://github.com/puppetlabs/puppet/raw/2.6.x/conf/auth.conf

The checksum of this file should be: c34e20b7904b66ea97328f1a3846a848

Detail
------

If a given node or server is missing an auth.conf file in /etc/puppet,
it may be vulnerable to information disclosure or resource manipulation
from authenticated Puppet nodes. In both cases the scope is limited to
the privileges of the remote Puppet process.

Minimum conditions for server

* Running 2.6.0, 2.6.1, 2.6.2, 2.6.3 or any other 2.6.x release missing
the auth.conf file
* Attacker has access to SSL credentials of another node.

Minimum conditions for client

* Running 2.6.0, 2.6.1, 2.6.2, 2.6.3 or any other 2.6.x release missing
the auth.conf file
* Attacker has access to SSL credentials of another node.
* Puppet client is running as a daemon (not --onetime)
* Puppet configured in “listen” mode with --listen
* Attacker’s host is allowed to connect via namespaceauth.conf

Vulnerable Install Methods

* Install from gems
* Install from Mac packages
* Install from source
* Install from Solaris Blastwave packages

Not Vulnerable Install Methods

* Install from Debian debs
* Install from Red Hat RPMs

Note: If you remove auth.conf, you are vulnerable, regardless of install
method.
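A local check for the conditions above, added here as an example and not part of the advisory: it reports whether /etc/puppet/auth.conf is present and matches the checksum published above, and whether the agent's puppet.conf enables listen mode (the puppet.conf key "listen" is assumed to correspond to the --listen flag).

```shell
#!/bin/sh
# Local check for the advisory: is /etc/puppet/auth.conf present, does it match the
# checksum the advisory publishes, and is the agent in "listen" mode (one of the
# client-side conditions)? Paths and the puppet.conf "listen" key are assumptions.

ADVISORY_MD5="c34e20b7904b66ea97328f1a3846a848"   # from the advisory text

# md5_of FILE: print the MD5 digest of FILE (md5sum on Linux, md5 on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_auth_conf FILE EXPECTED_MD5
#   0: FILE exists and matches EXPECTED_MD5 (the stock file is in place)
#   1: FILE is missing (the vulnerable state the advisory describes)
#   2: FILE exists but differs (site-customised or altered; review its rules)
check_auth_conf() {
    conf="$1"; expected="$2"
    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf (vulnerable, see advisory)"
        return 1
    fi
    actual=$(md5_of "$conf")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $conf matches $expected"
        return 0
    fi
    echo "DIFFERS: $conf has $actual, expected $expected"
    return 2
}

# listen_enabled PUPPET_CONF: 0 if the file turns on listen mode, i.e. the
# puppet.conf form of the --listen flag named in the advisory (assumed key "listen").
listen_enabled() {
    [ -f "$1" ] || return 1
    grep -Eiq '^[[:space:]]*listen[[:space:]]*=[[:space:]]*true' "$1"
}

# Run against the live host only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    check_auth_conf /etc/puppet/auth.conf "$ADVISORY_MD5"
    listen_enabled /etc/puppet/puppet.conf && echo "NOTE: agent listen mode is on"
fi
```

Run it as `sh check_auth_conf.sh --run` on each master and on every agent started with --listen; a DIFFERS result is not necessarily wrong, but the rules in that file need to be reviewed by hand.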

To determine if you are vulnerable you can execute the puppet resource
command, like so:

$ puppet resource -H attack.target.mydomain user puppet

Secured (auth.conf present):

(A request to a server requires the --puppetport option; a request to a
client does not, assuming default ports.)

$ puppet resource -H attack.target.mydomain user puppet --puppetport 8140
/usr/lib/ruby/1.8/puppet/indirector/rest.rb:57:in `deserialize': Error
403 on SERVER: Forbidden request: attack.host.mydomain (x.x.x.x) access
to /resource/user/ [search] authenticated  at line 93 (Net::HTTPError)

Insecure (auth.conf missing):

You get the user info:

$ puppet resource -H attack.target.mydomain user puppet
user { 'puppet':
    comment => 'Puppet configuration management daemon,,,',
    uid => '104',
    gid => '107',
    home => '/var/lib/puppet',
    shell => '/bin/false',
    password => '*',
    ensure => 'present'
}

If you have any questions, comments or concerns about this issue please
email - secur...@puppetlabs.com.

Regards

James Turnbull

-- 
Puppet Labs - http://www.puppetlabs.com
C: 503-734-8571
