9 - DSA-2643

Executive Summary

Summary
Title	puppet security update

Informations
Name	DSA-2643	First vendor Publication	2013-03-12
Vendor	Debian	Last vendor Modification	2013-03-12
Severity (Vendor)	N/A	Revision	1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Cvss Base Score	9	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	8	Authentication	Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Multiple vulnerabilities were discovered in Puppet, a centralized configuration management system.

CVE-2013-1640

An authenticated malicious client may request its catalog from the puppet master, and cause the puppet master to execute arbitrary code. The puppet master must be made to invoke the `template` or `inline_template` functions during catalog compilation.

CVE-2013-1652

An authenticated malicious client may retrieve catalogs from the puppet master that it is not authorized to access. Given a valid certificate and private key, it is possible to construct an HTTP GET request that will return a catalog for an arbitrary client.

CVE-2013-1653

An authenticated malicious client may execute arbitrary code on Puppet agents that accept kick connections. Puppet agents are not vulnerable in their default configuration. However, if the Puppet agent is configured to listen for incoming connections, e.g. listen = true, and the agent's auth.conf allows access to the `run` REST endpoint, then an authenticated client can construct an HTTP PUT request to execute arbitrary code on the agent. This issue is made worse by the fact that puppet agents typically run as root.

CVE-2013-1654

A bug in Puppet allows SSL connections to be downgraded to SSLv2, which is known to contain design flaw weaknesses This affects SSL connections between puppet agents and master, as well as connections that puppet agents make to third party servers that accept SSLv2 connections. Note that SSLv2 is disabled since OpenSSL 1.0.

CVE-2013-1655

An unauthenticated malicious client may send requests to the puppet master, and have the master load code in an unsafe manner. It only affects users whose puppet masters are running ruby 1.9.3 and above.

CVE-2013-2274

An authenticated malicious client may execute arbitrary code on the puppet master in its default configuration. Given a valid certificate and private key, a client can construct an HTTP PUT request that is authorized to save the client's own report, but the request will actually cause the puppet master to execute arbitrary code.

CVE-2013-2275

The default auth.conf allows an authenticated node to submit a report for any other node, which is a problem for compliance. It has been made more restrictive by default so that a node is only allowed to save its own report.

For the stable distribution (squeeze), these problems have been fixed in version 2.6.2-5+squeeze7.

For the testing distribution (wheezy), these problems have been fixed in version 2.7.18-3.

For the unstable distribution (sid), these problems have been fixed in version 2.7.18-3.

We recommend that you upgrade your puppet packages.

Original Source

Url : http://www.debian.org/security/2013/dsa-2643

CWE : Common Weakness Enumeration

%	Id	Name
50 %	CWE-264	Permissions, Privileges, and Access Controls
50 %	CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:17328

Oval ID:	oval:org.mitre.oval:def:17328
Title:	USN-1759-1 -- puppet vulnerabilities
Description:	Several security issues were fixed in Puppet.
Family:	unix	Class:	patch
Reference(s):	USN-1759-1 CVE-2013-1653 CVE-2013-1640 CVE-2013-1652 CVE-2013-1654 CVE-2013-1655 CVE-2013-2275	Version:	7
Platform(s):	Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10	Product(s):	puppet
Definition Synopsis:
Release section Ubuntu 12.10 is installed AND puppet-common DPKG is earlier than 2.7.18-1ubuntu1.1 AND Release section Ubuntu 12.04 is installed AND puppet-common DPKG is earlier than 2.7.11-1ubuntu2.2 AND Release section Ubuntu 11.10 is installed AND puppet-common DPKG is earlier than 2.7.1-1ubuntu3.8

Definition Id: oval:org.mitre.oval:def:17992

Oval ID:	oval:org.mitre.oval:def:17992
Title:	DSA-2643-1 puppet - several issues
Description:	Multiple vulnerabilities were discovered in Puppet, a centralized configuration management system.
Family:	unix	Class:	patch
Reference(s):	DSA-2643-1 CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654 CVE-2013-1655 CVE-2013-2274 CVE-2013-2275	Version:	7
Platform(s):	Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0	Product(s):	puppet
Definition Synopsis:
Debian 6.0 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND puppet DPKG is earlier than 2.6.2-5+squeeze7

Definition Id: oval:org.mitre.oval:def:25947

Oval ID:	oval:org.mitre.oval:def:25947
Title:	SUSE-SU-2013:0618-1 -- Security update for puppet
Description:	uppet has been updated to fix 2.6.18 multiple vulnerabilities and bugs.
Family:	unix	Class:	patch
Reference(s):	SUSE-SU-2013:0618-1 CVE-2013-1653 CVE-2013-2275 CVE-2013-1652 CVE-2013-2274 CVE-2013-1655 CVE-2013-1654 CVE-2013-1640	Version:	3
Platform(s):	SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11	Product(s):	puppet
Definition Synopsis:
SUSE Linux Enterprise Server 11 and SUSE Linux Enterprise Desktop 11 release section Operation system section SUSE Linux Enterprise Server 11.x is installed AND SUSE Linux Enterprise Desktop 11.x is installed AND puppet RPM is earlier than 0:2.6.18-0.4.2 AND SUSE Linux Enterprise Server 11 release section SUSE Linux Enterprise Server 11.x is installed AND puppet-server RPM is earlier than 0:2.6.18-0.4.2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Puppet cpe:2.3:a:puppet:puppet:3.1.0:::::::* cpe:2.3:a:puppet:puppet:2.7.9:::::::* cpe:2.3:a:puppet:puppet:2.7.8:::::::* cpe:2.3:a:puppet:puppet:2.7.7:::::::* cpe:2.3:a:puppet:puppet:2.7.6:::::::* cpe:2.3:a:puppet:puppet:2.7.5:::::::* cpe:2.3:a:puppet:puppet:2.7.4:::::::* cpe:2.3:a:puppet:puppet:2.7.3:::::::* cpe:2.3:a:puppet:puppet:2.7.20:::::::* cpe:2.3:a:puppet:puppet:2.7.20:rc1:::::: cpe:2.3:a:puppet:puppet:2.7.2:::::::* cpe:2.3:a:puppet:puppet:2.7.19:::::::* cpe:2.3:a:puppet:puppet:2.7.19:rc1:::::: cpe:2.3:a:puppet:puppet:2.7.19:rc2:::::: cpe:2.3:a:puppet:puppet:2.7.19:rc3:::::: cpe:2.3:a:puppet:puppet:2.7.18:::::::* cpe:2.3:a:puppet:puppet:2.7.17:::::::* cpe:2.3:a:puppet:puppet:2.7.16:::::::* cpe:2.3:a:puppet:puppet:2.7.16:rc1:::::: cpe:2.3:a:puppet:puppet:2.7.15:rc1:::::: cpe:2.3:a:puppet:puppet:2.7.15:rc2:::::: cpe:2.3:a:puppet:puppet:2.7.15:rc3:::::: cpe:2.3:a:puppet:puppet:2.7.15:rc4:::::: cpe:2.3:a:puppet:puppet:2.7.14:::::::* cpe:2.3:a:puppet:puppet:2.7.13:::::::* cpe:2.3:a:puppet:puppet:2.7.12:::::::* cpe:2.3:a:puppet:puppet:2.7.11:::::::* cpe:2.3:a:puppet:puppet:2.7.10:::::::* cpe:2.3:a:puppet:puppet:2.7.1:::::::* cpe:2.3:a:puppet:puppet:2.7.0:::::::* cpe:2.3:a:puppet:puppet:2.6.9:::::::* cpe:2.3:a:puppet:puppet:2.6.8:::::::* cpe:2.3:a:puppet:puppet:2.6.7:::::::* cpe:2.3:a:puppet:puppet:2.6.6:::::::* cpe:2.3:a:puppet:puppet:2.6.5:::::::* cpe:2.3:a:puppet:puppet:2.6.4:::::::* cpe:2.3:a:puppet:puppet:2.6.3:::::::* cpe:2.3:a:puppet:puppet:2.6.2:::::::* cpe:2.3:a:puppet:puppet:2.6.18:::::::* cpe:2.3:a:puppet:puppet:2.6.17:::::::* cpe:2.3:a:puppet:puppet:2.6.16:::::::* cpe:2.3:a:puppet:puppet:2.6.15:::::::* cpe:2.3:a:puppet:puppet:2.6.14:::::::* cpe:2.3:a:puppet:puppet:2.6.13:::::::* cpe:2.3:a:puppet:puppet:2.6.12:::::::* cpe:2.3:a:puppet:puppet:2.6.11:::::::* cpe:2.3:a:puppet:puppet:2.6.10:::::::* cpe:2.3:a:puppet:puppet:2.6.1:::::::* cpe:2.3:a:puppet:puppet:2.6.0:::::::* cpe:2.3:a:puppet:puppet:0.9.4:::::::* cpe:2.3:a:puppet:puppet:0.9.3:::::::* cpe:2.3:a:puppet:puppet:0.9.2:::::::* cpe:2.3:a:puppet:puppet:0.9.0:::::::* cpe:2.3:a:puppet:puppet:0.25.6:::::::* cpe:2.3:a:puppet:puppet:0.25.5:::::::* cpe:2.3:a:puppet:puppet:0.25.4:::::::* cpe:2.3:a:puppet:puppet:0.25.3:::::::* cpe:2.3:a:puppet:puppet:0.25.2:rc1:::::: cpe:2.3:a:puppet:puppet:0.25.2:rc2:::::: cpe:2.3:a:puppet:puppet:0.25.2:rc3:::::: cpe:2.3:a:puppet:puppet:0.25.2:::::::* cpe:2.3:a:puppet:puppet:0.25.1:::::::* cpe:2.3:a:puppet:puppet:0.25.1:rc1:::::: cpe:2.3:a:puppet:puppet:0.25.1:rc2:::::: cpe:2.3:a:puppet:puppet:0.25.0:beta1:::::: cpe:2.3:a:puppet:puppet:0.25.0:::::::* cpe:2.3:a:puppet:puppet:0.25.0:rc1:::::: cpe:2.3:a:puppet:puppet:0.25.0:beta2:::::: cpe:2.3:a:puppet:puppet:0.24.9:::::::* cpe:2.3:a:puppet:puppet:0.24.8:rc1:::::: cpe:2.3:a:puppet:puppet:0.24.8:::::::* cpe:2.3:a:puppet:puppet:0.24.7:::::::* cpe:2.3:a:puppet:puppet:0.24.7:rc2:::::: cpe:2.3:a:puppet:puppet:0.24.6:rc2:::::: cpe:2.3:a:puppet:puppet:0.24.6:rc1:::::: cpe:2.3:a:puppet:puppet:0.24.6:::::::* cpe:2.3:a:puppet:puppet:0.24.5:::::::* cpe:2.3:a:puppet:puppet:0.24.4:::::::* cpe:2.3:a:puppet:puppet:0.24.3:::::::* cpe:2.3:a:puppet:puppet:0.24.2:::::::* cpe:2.3:a:puppet:puppet:0.24.1:::::::* cpe:2.3:a:puppet:puppet:0.24.0:::::::* cpe:2.3:a:puppet:puppet:0.23.2:::::::* cpe:2.3:a:puppet:puppet:0.23.1:::::::* cpe:2.3:a:puppet:puppet:0.23.0:::::::* cpe:2.3:a:puppet:puppet:0.22.4:::::::* cpe:2.3:a:puppet:puppet:0.22.3:::::::* cpe:2.3:a:puppet:puppet:0.22.2:::::::* cpe:2.3:a:puppet:puppet:0.22.1:::::::* cpe:2.3:a:puppet:puppet:0.22.0:::::::* cpe:2.3:a:puppet:puppet:0.20.1:::::::* cpe:2.3:a:puppet:puppet:0.20.0:::::::* cpe:2.3:a:puppet:puppet:0.19.3:::::::* cpe:2.3:a:puppet:puppet:0.19.2:::::::* cpe:2.3:a:puppet:puppet:0.19.1:::::::* cpe:2.3:a:puppet:puppet:0.18.4:::::::* cpe:2.3:a:puppet:puppet:0.18.3:::::::* cpe:2.3:a:puppet:puppet:0.18.2:::::::* cpe:2.3:a:puppet:puppet:0.18.1:::::::* cpe:2.3:a:puppet:puppet:0.18.0:::::::* cpe:2.3:a:puppet:puppet:0.17.2:::::::* cpe:2.3:a:puppet:puppet:0.17.1:::::::* cpe:2.3:a:puppet:puppet:0.17.0:::::::* cpe:2.3:a:puppet:puppet:0.16.5:::::::* cpe:2.3:a:puppet:puppet:0.16.4:::::::* cpe:2.3:a:puppet:puppet:0.16.3:::::::* cpe:2.3:a:puppet:puppet:0.16.2:::::::* cpe:2.3:a:puppet:puppet:0.16.1:::::::* cpe:2.3:a:puppet:puppet:0.16.0:::::::* cpe:2.3:a:puppet:puppet:0.15.2:::::::* cpe:2.3:a:puppet:puppet:0.15.1:::::::* cpe:2.3:a:puppet:puppet:0.15.0:::::::* cpe:2.3:a:puppet:puppet:0.14.1:::::::* cpe:2.3:a:puppet:puppet:0.14.0:::::::* cpe:2.3:a:puppet:puppet:0.13.6:::::::* cpe:2.3:a:puppet:puppet:0.13.5:::::::* cpe:2.3:a:puppet:puppet:0.13.4:::::::* cpe:2.3:a:puppet:puppet:0.13.3:::::::* cpe:2.3:a:puppet:puppet:0.13.2:::::::* cpe:2.3:a:puppet:puppet:0.13.1:::::::* cpe:2.3:a:puppet:puppet:0.13.0:::::::* cpe:2.3:a:puppet:puppet:0.12.0:::::::* cpe:2.3:a:puppet:puppet:0.11.2:::::::* cpe:2.3:a:puppet:puppet:0.11.1:::::::* cpe:2.3:a:puppet:puppet:0.11.0:::::::* cpe:2.3:a:puppet:puppet:0.10.2:::::::* cpe:2.3:a:puppet:puppet:0.10.1:::::::* cpe:2.3:a:puppet:puppet:0.10.0:::::::* cpe:2.3:a:puppet:puppet:::::::: cpe:2.3:a:puppet:puppet:::::enterprise:::*	130
Application	Puppet Puppet Enterprise cpe:2.3:a:puppet:puppet_enterprise:3.1.0:::::::* cpe:2.3:a:puppet:puppet_enterprise:2.7.1:::::::* cpe:2.3:a:puppet:puppet_enterprise:2.7.0:::::::* cpe:2.3:a:puppet:puppet_enterprise:1.2.6:::::::* cpe:2.3:a:puppet:puppet_enterprise:1.2.5:::::::* cpe:2.3:a:puppet:puppet_enterprise:1.2.4:::::::* cpe:2.3:a:puppet:puppet_enterprise:1.2.3:::::::* cpe:2.3:a:puppet:puppet_enterprise:1.2.2:::::::* cpe:2.3:a:puppet:puppet_enterprise:1.2.1:::::::* cpe:2.3:a:puppet:puppet_enterprise:1.2.0:::::::* cpe:2.3:a:puppet:puppet_enterprise:1.1:::::::* cpe:2.3:a:puppet:puppet_enterprise:1.0:::::::* cpe:2.3:a:puppet:puppet_enterprise::::::::	13
Application	Puppetlabs Puppet cpe:2.3:a:puppetlabs:puppet:2.7.20:rc1:::::: cpe:2.3:a:puppetlabs:puppet:2.7.20:::::::* cpe:2.3:a:puppetlabs:puppet:2.7.19:::::::* cpe:2.3:a:puppetlabs:puppet:2.7.1:-:enterprise:::::* cpe:2.3:a:puppetlabs:puppet:2.7.0:-:enterprise:::::* cpe:2.3:a:puppetlabs:puppet:2.6.17:::::::* cpe:2.3:a:puppetlabs:puppet:2.6.0:-:enterprise:::::* cpe:2.3:a:puppetlabs:puppet:2.5.0:-:enterprise:::::* cpe:2.3:a:puppetlabs:puppet:1.2.6::::enterprise::: cpe:2.3:a:puppetlabs:puppet:1.2.5::::enterprise::: cpe:2.3:a:puppetlabs:puppet:1.2.4::::enterprise::: cpe:2.3:a:puppetlabs:puppet:1.2.3::::enterprise::: cpe:2.3:a:puppetlabs:puppet:1.2.2::::enterprise::: cpe:2.3:a:puppetlabs:puppet:1.2.1::::enterprise::: cpe:2.3:a:puppetlabs:puppet:1.2.0::::enterprise::: cpe:2.3:a:puppetlabs:puppet:1.2.0:-:enterprise:::::* cpe:2.3:a:puppetlabs:puppet:1.1.0:-:enterprise:::::* cpe:2.3:a:puppetlabs:puppet:1.1::::enterprise::: cpe:2.3:a:puppetlabs:puppet:1.0.0:-:enterprise:::::* cpe:2.3:a:puppetlabs:puppet:1.0::::enterprise::: cpe:2.3:a:puppetlabs:puppet:::::::: cpe:2.3:a:puppetlabs:puppet:::::enterprise:::*	22
Os	Canonical Ubuntu Linux cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::* cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts::: cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::* cpe:2.3:o:canonical:ubuntu_linux:11.10:::::::*	4

Information Assurance Vulnerability Management (IAVM)

Date	Description
2014-01-16	IAVM : 2014-A-0009 - Multiple Vulnerabilities in Oracle Fusion Middleware Severity : Category I - VMSKEY : V0043395

Nessus® Vulnerability Scanner

Date	Description
2014-06-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-295.nasl - Type : ACT_GATHER_INFO
2013-09-04	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-181.nasl - Type : ACT_GATHER_INFO
2013-08-25	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201308-04.nasl - Type : ACT_GATHER_INFO
2013-08-02	Name : The remote Fedora host is missing a security update. File : fedora_2013-3935.nasl - Type : ACT_GATHER_INFO
2013-04-26	Name : A web application on the remote host has a code execution vulnerability. File : puppet_cve_2013-1655.nasl - Type : ACT_GATHER_INFO
2013-04-26	Name : A configuration management application running on the remote host has multipl... File : puppet_multiple_vulns.nasl - Type : ACT_GATHER_INFO
2013-04-04	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_puppet-130320.nasl - Type : ACT_GATHER_INFO
2013-04-01	Name : The remote Fedora host is missing a security update. File : fedora_2013-4187.nasl - Type : ACT_GATHER_INFO
2013-03-14	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_04042f9514b84382a8b9b30e365776cf.nasl - Type : ACT_GATHER_INFO
2013-03-14	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_cda566a02df04eb0b70eed7a6fb0ab3c.nasl - Type : ACT_GATHER_INFO
2013-03-13	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2643.nasl - Type : ACT_GATHER_INFO
2013-03-13	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1759-1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:31:44	Multiple Updates
2013-03-21 21:19:22	Multiple Updates
2013-03-21 00:19:48	Multiple Updates
2013-03-13 00:17:31	First insertion

Global Informations

Type	Count
CWE ID(s)	2
Oval ID(s)	3
CPE ID(s)	169
IAVM(s)	1
Nessus® Exploit(s)	12

	Related
9	CVE-2013-1640
7.5	CVE-2013-1655
7.1	CVE-2013-1653
6.5	CVE-2013-2274
5	CVE-2013-1654
4.9	CVE-2013-1652
4	CVE-2013-2275
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 7 more Alert(s)

9 - DSA-2643

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

Information Assurance Vulnerability Management (IAVM)

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU