Overview
If a given node or server is missing an auth.conf file in /etc/puppet,
it may be vulnerable to information disclosure or resource
manipulation from authenticated Puppet nodes. In both cases the scope is
limited to the privileges of the remote Puppet process.
Status
- Resolved in Puppet 2.6.4
- Earlier versions of Puppet are not vulnerable
Scope
Minimum conditions for server
- Running 2.6.0, 2.6.1, 2.6.2, 2.6.3 or any other 2.6.x release missing the auth.conf file
- Attacker has access to SSL credentials of another node.
Minimum conditions for client
- Running 2.6.0, 2.6.1, 2.6.2, 2.6.3 or any other 2.6.x release missing the auth.conf file
- Attacker has access to SSL credentials of another node
- Puppet client is running as a daemon (not --onetime)
- Puppet configured in listen mode with --listen
- Attacker's host is allowed to connect via namespaceauth.conf
Vulnerable Install Methods
- Install from gems
- Install from Mac packages
- Install from source
- Install from Solaris Blastwave packages
Not Vulnerable Install Methods
- Install from Debian debs
- Install from Red Hat RPMs
Note: If you remove auth.conf, you are vulnerable, regardless of install
method.
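An added shell audit, not part of the advisory, that applies the minimum conditions above to a host: only 2.6.0 through 2.6.3 count as affected, then it looks for auth.conf in the given confdir and, for a client, for listen = true in puppet.conf (that key is assumed as the config-file form of --listen; the daemon versus --onetime condition is not checked).

```shell
#!/bin/sh
# Added example, not code from the advisory or from Puppet itself.
# Assumes the confdir is /etc/puppet by default and that a listening
# client sets "listen = true" in puppet.conf; paths are parameters so the
# functions can be exercised against a scratch directory.

# version_affected VERSION -> true when 2.6.0 <= VERSION < 2.6.4
version_affected() {
    set -- $(printf '%s' "$1" | tr . ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -lt 4 ]
}

# audit_host VERSION CONFDIR [server|client]
# Returns 0 when the advisory's minimum conditions are not met,
# 1 when the host is exposed.
audit_host() {
    ver="$1"; confdir="${2:-/etc/puppet}"; role="${3:-server}"
    if ! version_affected "$ver"; then
        echo "puppet $ver: outside the affected 2.6.0-2.6.3 range"
        return 0
    fi
    if [ -f "$confdir/auth.conf" ]; then
        echo "$confdir/auth.conf present: REST requests are subject to its rules"
        return 0
    fi
    if [ "$role" = client ]; then
        # A client only serves REST requests when it listens (--listen).
        if ! grep -Eq '^[[:space:]]*listen[[:space:]]*=[[:space:]]*true' \
                "$confdir/puppet.conf" 2>/dev/null; then
            echo "client is not in listen mode: REST endpoint not exposed"
            return 0
        fi
    fi
    echo "EXPOSED: puppet $ver ($role) with no $confdir/auth.conf"
    return 1
}
```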
To determine if you are vulnerable you can execute the puppet resource
command, like so:
$ puppet resource -H attack.target.mydomain user puppet
Secured (auth.conf present):
(An attack against a server requires the --puppetport option; an attack
against a client does not, assuming default ports.)
$ puppet resource -H attack.target.mydomain user puppet --puppetport 8140
/usr/lib/ruby/1.8/puppet/indirector/rest.rb:57:in `deserialize': Error
403 on SERVER: Forbidden request: attack.host.mydomain (x.x.x.x) access
to /resource/user/ [search] authenticated at line 93 (Net::HTTPError)
Insecure (auth.conf missing):
You get the user info:
$ puppet resource -H attack.target.mydomain user puppet
user { 'puppet':
    comment  => 'Puppet configuration management daemon,,,',
    uid      => '104',
    gid      => '107',
    home     => '/var/lib/puppet',
    shell    => '/bin/false',
    password => '*',
    ensure   => 'present'
}