OSVDB ID: 84866

Title: Puppet lib/puppet/network/authstore.rb Certname IP Address Remote Agent Spoofing Weakness

Info

Disclosure

Jul 10, 2012

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Jun 26, 2012

Description

Puppet contains a flaw that is triggered by lib/puppet/network/authstore.rb supporting the use of IP addresses in certnames. This may allow a remote attacker to gain access to previously used IP addresses and spoof a remote agent.

Classification

Location: Remote / Network Access
Attack Type: Authentication Management
Impact: Loss of Integrity
Solution: Patch / RCS, Upgrade
Exploit: Exploit Unknown
Disclosure: Vendor Verified

Solution

Upgrade Puppet to version 2.7.18 or higher and Puppet Enterprise to 2.5.2 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Puppet Labs	Puppet	2.7.17
		2.6.16
	Puppet Enterprise	2.0.x
		2.5.1

References

CVE ID: 2012-3408 (see also: NVD)
Vendor Specific News/Changelog Entry: http://projects.puppetlabs.com/issues/16183
https://bugzilla.redhat.com/show_bug.cgi?id=839166
Vendor Specific Advisory URL: http://puppetlabs.com/security/cve/cve-2012-3408/
Vendor Specific Solution URL: https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/84866

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Puppet Labs

Puppet

Puppet Enterprise

References

Credit