On Tue, Oct 25, 2011 at 07:07, Doug Warner <d...@warner.fm> wrote:
> On 10/24/2011 04:02 PM, Michael Stahnke wrote:
>> We have discovered a security vulnerability (“AltNames Vulnerability”)
>> whereby a malicious attacker can impersonate the Puppet master using
>> credentials from a Puppet agent node. This vulnerability cannot cross
>> Puppet deployments, but it can allow an attacker with elevated
>> privileges on one Puppet-managed node to gain control of any other
>> Puppet-managed node within the same infrastructure.
>>
>> All Puppet Enterprise deployments are vulnerable, and Puppet open
>> source deployments may be, depending upon their site configuration.
>
> As far as my understanding goes, I *should* be affected by this CVE, but don't
> appear to be.  I'm:
>
> * running puppet 0.25.5 (nginx/mongrel)
> * I use certdnsnames to specify alternative names in my [puppetmaster] section
> of my puppet.conf
> * all my nodes connect to one of the alternative names in their [puppet]
> section's "server" line
>
> I only write the [puppetmaster] section in the puppet.conf file on my puppet
> master server; are the subjectAltNames only added to the certificate request
> if the config is present on the client nodes?

Before the patch the subjectAltName field was never added to the
certificate *request*; we added it on the master, based on the
`certdnsnames` setting in the configuration file there.  After the
change the names will be added to the CSR.

So, you need to check the actual signed certificates to find out if
you are vulnerable or not.

Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
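
One way to run that check, as an added example that is not part of the original message or Puppet's own tooling: list the DNS subjectAltName entries carried by each signed certificate. The function names, the directory argument and the sample certificate text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which signed certificates carry DNS subjectAltName entries.

# Read `openssl x509 -noout -text` output on stdin and print each DNS alt name
# on its own line. Prints nothing when the extension is absent.
alt_names_from_text() {
    awk '
        grab {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                s = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", s)
                if (s ~ /^DNS:/) print substr(s, 5)
            }
            grab = 0
        }
        /X509v3 Subject Alternative Name/ { grab = 1 }
    '
}

# Audit every *.pem file in a directory of signed certificates.
# $1 = directory (assumption: the directory where your master keeps signed certs)
audit_signed_dir() {
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        names=$(openssl x509 -noout -text -in "$cert" | alt_names_from_text | tr '\n' ' ')
        if [ -n "$names" ]; then
            echo "HAS-ALTNAMES $cert: $names"
        else
            echo "no-altnames  $cert"
        fi
    done
}

# Constructed sample of the relevant part of `openssl x509 -text` output.
sample_text_with_altnames() {
    cat <<'EOF'
        Subject: CN=agent01.example.test
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:puppet, DNS:puppet.example.test
EOF
}

if [ $# -gt 0 ]; then audit_signed_dir "$1"; fi
```

Run it with the signed-certificate directory as the only argument; any line marked HAS-ALTNAMES names a certificate to inspect against the names in `certdnsnames`.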
