6.3 - DSA-2314

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	puppet security update

Informations
Name	DSA-2314	First vendor Publication	2011-10-03
Vendor	Debian	Last vendor Modification	2011-10-03
Severity (Vendor)	N/A	Revision	1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:M/Au:N/C:N/I:C/A:C)
Cvss Base Score	6.3	Attack Range	Local
Cvss Impact Score	9.2	Attack Complexity	Medium
Cvss Expoit Score	3.4	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Multiple security issues have been discovered in puppet, a centralized configuration management system. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2011-3848

Kristian Erik Hermansen reported that an unauthenticated directory traversal could drop any valid X.509 Certificate Signing Request at any location on disk, with the privileges of the Puppet Master application.

CVE-2011-3870

Ricky Zhou discovered a potential local privilege escalation in the ssh_authorized_keys resource and theoretically in the Solaris and AIX providers, where file ownership was given away before it was written, leading to a possibility for a user to overwrite arbitrary files as root, if their authorized_keys file was managed.

CVE-2011-3869

A predictable file name in the k5login type leads to the possibility of symlink attacks which would allow the owner of the home directory to symlink to anything on the system, and have it replaced with the "correct" content of the file, which can lead to a privilege escalation on puppet runs.

CVE-2011-3871

A potential local privilege escalation was found in the --edit mode of 'puppet resource' due to a persistant, predictable file name, which can result in editing an arbitrary target file, and thus be be tricked into running that arbitrary file as the invoking user. This command is most commonly run as root, this leads to a potential privilege escalation.

Additionally, this update hardens the indirector file backed terminus base class against injection attacks based on trusted path names.

For the oldstable distribution (lenny), this problem will be fixed soon.

For the stable distribution (squeeze), this problem has been fixed in version 2.6.2-5+squeeze1.

For the testing distribution (wheezy), this has been fixed in version 2.7.3-3.

For the unstable distribution (sid), this problem has been fixed in version 2.7.3-3.

We recommend that you upgrade your puppet packages.

Original Source

Url : http://www.debian.org/security/2011/dsa-2314

CWE : Common Weakness Enumeration

%	Id	Name
50 %	CWE-59	Improper Link Resolution Before File Access ('Link Following')
25 %	CWE-264	Permissions, Privileges, and Access Controls
25 %	CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:15153

Oval ID:	oval:org.mitre.oval:def:15153
Title:	DSA-2314-1 puppet -- multiple
Description:	Multiple security issues have been discovered in puppet, a centralized configuration management system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2011-3848 Kristian Erik Hermansen reported that an unauthenticated directory traversal could drop any valid X.509 Certificate Signing Request at any location on disk, with the privileges of the Puppet Master application. CVE-2011-3870 Ricky Zhou discovered a potential local privilege escalation in the ssh_authorised_keys resource and theoretically in the Solaris and AIX providers, where file ownership was given away before it was written, leading to a possibility for a user to overwrite arbitrary files as root, if their authorised_keys file was managed. CVE-2011-3869 A predictable file name in the k5login type leads to the possibility of symlink attacks which would allow the owner of the home directory to symlink to anything on the system, and have it replaced with the "correct" content of the file, which can lead to a privilege escalation on puppet runs. CVE-2011-3871 A potential local privilege escalation was found in the --edit mode of "puppet resource" due to a persistant, predictable file name, which can result in editing an arbitrary target file, and thus be be tricked into running that arbitrary file as the invoking user. This command is most commonly run as root, this leads to a potential privilege escalation. Additionally, this update hardens the indirector file backed terminus base class against injection attacks based on trusted path names.
Family:	unix	Class:	patch
Reference(s):	DSA-2314-1 CVE-2011-3848 CVE-2011-3870 CVE-2011-3869 CVE-2011-3871	Version:	5
Platform(s):	Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0	Product(s):	puppet
Definition Synopsis:
Debian 6.0 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND Installed architecture is all AND puppet DPKG is earlier than 2.6.2-5+squeeze1

Definition Id: oval:org.mitre.oval:def:20526

Oval ID:	oval:org.mitre.oval:def:20526
Title:	USN-1217-1 -- puppet vulnerability
Description:	An attacker could send crafted input to puppet and cause it to overwrite files.
Family:	unix	Class:	patch
Reference(s):	USN-1217-1 CVE-2011-3848	Version:	5
Platform(s):	Ubuntu 11.04 Ubuntu 10.10 Ubuntu 10.04	Product(s):	puppet
Definition Synopsis:
Ubuntu 11.04 release section Ubuntu 11.04 is installed AND puppet-common DPKG is earlier than 0:2.6.4-2ubuntu2.2 AND Ubuntu 10.10 release section Ubuntu 10.10 is installed AND puppet-common DPKG is earlier than 0:2.6.1-0ubuntu2.1 AND Ubuntu 10.04 release section Ubuntu 10.04 is installed AND puppet-common DPKG is earlier than 0:0.25.4-2ubuntu6.2

Definition Id: oval:org.mitre.oval:def:20948

Oval ID:	oval:org.mitre.oval:def:20948
Title:	USN-1223-1 -- puppet vulnerabilities
Description:	Puppet could be made to overwrite files and run programs with administrator privileges.
Family:	unix	Class:	patch
Reference(s):	USN-1223-1 CVE-2011-3869 CVE-2011-3870 CVE-2011-3871	Version:	5
Platform(s):	Ubuntu 11.04 Ubuntu 10.10 Ubuntu 10.04	Product(s):	puppet
Definition Synopsis:
Ubuntu 11.04 release section Ubuntu 11.04 is installed AND puppet-common DPKG is earlier than 0:2.6.4-2ubuntu2.3 AND Ubuntu 10.10 release section Ubuntu 10.10 is installed AND puppet-common DPKG is earlier than 0:2.6.1-0ubuntu2.2 AND Ubuntu 10.04 release section Ubuntu 10.04 is installed AND puppet-common DPKG is earlier than 0:0.25.4-2ubuntu6.3

Definition Id: oval:org.mitre.oval:def:21191

Oval ID:	oval:org.mitre.oval:def:21191
Title:	USN-1223-2 -- puppet regression
Description:	USN-1223-1 caused a regression with managing SSH authorized_keys files.
Family:	unix	Class:	patch
Reference(s):	USN-1223-2 CVE-2011-3869 CVE-2011-3870 CVE-2011-3871	Version:	5
Platform(s):	Ubuntu 10.04	Product(s):	puppet
Definition Synopsis:
Ubuntu 10.04 is installed AND puppet-common DPKG is earlier than 0:0.25.4-2ubuntu6.4

CPE : Common Platform Enumeration

Type	Description	Count
Application	Puppet cpe:2.3:a:puppet:puppet:2.7.4:::::::* cpe:2.3:a:puppet:puppet:2.7.3:::::::* cpe:2.3:a:puppet:puppet:2.7.2:::::::* cpe:2.3:a:puppet:puppet:2.7.1:::::::* cpe:2.3:a:puppet:puppet:2.7.0:::::::* cpe:2.3:a:puppet:puppet:2.6.9:::::::* cpe:2.3:a:puppet:puppet:2.6.8:::::::* cpe:2.3:a:puppet:puppet:2.6.7:::::::* cpe:2.3:a:puppet:puppet:2.6.6:::::::* cpe:2.3:a:puppet:puppet:2.6.5:::::::* cpe:2.3:a:puppet:puppet:2.6.4:::::::* cpe:2.3:a:puppet:puppet:2.6.3:::::::* cpe:2.3:a:puppet:puppet:2.6.2:::::::* cpe:2.3:a:puppet:puppet:2.6.10:::::::* cpe:2.3:a:puppet:puppet:2.6.1:::::::* cpe:2.3:a:puppet:puppet:2.6.0:::::::* cpe:2.3:a:puppet:puppet:0.25.6:::::::* cpe:2.3:a:puppet:puppet:0.25.5:::::::* cpe:2.3:a:puppet:puppet:0.25.4:::::::* cpe:2.3:a:puppet:puppet:0.25.3:::::::* cpe:2.3:a:puppet:puppet:0.25.2:::::::* cpe:2.3:a:puppet:puppet:0.25.1:::::::* cpe:2.3:a:puppet:puppet:0.25.0:::::::*	23

OpenVAS Exploits

Date	Description
2012-04-30	Name : Fedora Update for puppet FEDORA-2012-6055 File : nvt/gb_fedora_2012_6055_puppet_fc15.nasl
2012-04-02	Name : Fedora Update for puppet FEDORA-2011-13623 File : nvt/gb_fedora_2011_13623_puppet_fc16.nasl
2012-03-12	Name : Fedora Update for puppet FEDORA-2012-2367 File : nvt/gb_fedora_2012_2367_puppet_fc15.nasl
2012-03-12	Name : Gentoo Security Advisory GLSA 201203-03 (puppet) File : nvt/glsa_201203_03.nasl
2011-11-21	Name : Fedora Update for puppet FEDORA-2011-14994 File : nvt/gb_fedora_2011_14994_puppet_fc15.nasl
2011-11-21	Name : Fedora Update for puppet FEDORA-2011-15000 File : nvt/gb_fedora_2011_15000_puppet_fc14.nasl
2011-10-18	Name : Fedora Update for puppet FEDORA-2011-13633 File : nvt/gb_fedora_2011_13633_puppet_fc14.nasl
2011-10-18	Name : Fedora Update for puppet FEDORA-2011-13636 File : nvt/gb_fedora_2011_13636_puppet_fc15.nasl
2011-10-16	Name : Debian Security Advisory DSA 2314-1 (puppet) File : nvt/deb_2314_1.nasl
2011-10-10	Name : Ubuntu Update for puppet USN-1223-2 File : nvt/gb_ubuntu_USN_1223_2.nasl
2011-10-04	Name : Ubuntu Update for puppet USN-1223-1 File : nvt/gb_ubuntu_USN_1223_1.nasl
2011-09-30	Name : Ubuntu Update for puppet USN-1217-1 File : nvt/gb_ubuntu_USN_1217_1.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
76018	Puppet X.509 Certificate Signing Request Parsing Traversal Arbitrary File Ove...
75989	Puppet Resource --edit Mode Arbitrary Puppet Code Execution
75988	Puppet k5login File Handling Symlink k5login Overwrite
75986	Puppet Race Condition SSH authorized_keys File Handing Symlink Arbitrary File...

Nessus® Vulnerability Scanner

Date	Description
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_3_puppet-111005.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_3_puppet-111110.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_4_puppet-111005.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_4_puppet-111110.nasl - Type : ACT_GATHER_INFO
2013-09-04	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2011-11.nasl - Type : ACT_GATHER_INFO
2012-03-06	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201203-03.nasl - Type : ACT_GATHER_INFO
2011-12-13	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_puppet-111111.nasl - Type : ACT_GATHER_INFO
2011-10-17	Name : The remote Fedora host is missing a security update. File : fedora_2011-13623.nasl - Type : ACT_GATHER_INFO
2011-10-17	Name : The remote Fedora host is missing a security update. File : fedora_2011-13633.nasl - Type : ACT_GATHER_INFO
2011-10-17	Name : The remote Fedora host is missing a security update. File : fedora_2011-13636.nasl - Type : ACT_GATHER_INFO
2011-10-06	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1223-2.nasl - Type : ACT_GATHER_INFO
2011-10-04	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2314.nasl - Type : ACT_GATHER_INFO
2011-10-03	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1223-1.nasl - Type : ACT_GATHER_INFO
2011-09-29	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1217-1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:30:27	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	4
Oval ID(s)	4
CPE ID(s)	23
osvdb(s)	4
Openvas Exploit(s)	12
Nessus® Exploit(s)	14

	Related
6.3	CVE-2011-3870
6.3	CVE-2011-3869
6.2	CVE-2011-3871
5	CVE-2011-3848
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 4 more Alert(s)