A bug in Puppet 0.24.0 through 2.7.5 causes Puppet to insert the puppet master’s DNS alt names ("certdnsnames" in puppet.conf) into the X.509 Subject Alternative Name field of all certificates, rather than just the puppet master’s certificate.
Since the puppet agent daemon can use the Subject Alternative Name field to identify its puppet master, your site may contain agent certificates that can be used in a Man in the Middle (MITM) attack to impersonate the puppet master.
If your puppet master’s "certdnsnames" setting has never been set during the lifetime of your site’s CA, you are protected and can safely ignore this vulnerability once you’ve upgraded your puppet master. Otherwise, you must mitigate this vulnerability by:
- Ensuring that the puppet master’s "certdnsnames" setting is empty.
- Creating a new DNS entry for the puppet master that has never previously been used as an agent certname or a puppet master’s DNS alt name.
- Issuing a new puppet master certificate with its new DNS name as the certname.
- Reconfiguring all puppet agent nodes to contact the master at its new certname (’server =
’ in puppet.conf).
Although the above mitigation will completely protect your site, you may also wish to migrate to a new CA and invalidate and re-issue all of your site’s certificates. This will provide longer-term protection, will prevent your site from being accidentally returned to a vulnerable state, and will let you resume using your preferred puppet master name.
Puppet Labs has released tools to assist in mitigating the vulnerability and migrating to a new CA.
- Resolved in Puppet 2.6.12 and 2.7.6
- Resolved in Puppet Enterprise 1.2.4
- Hotfixes available for Puppet Enterprise 1.0 and 1.1
- Patched releases for Puppet 0.25.x and 0.24.x available from OS vendors