Michael Stahnke
2011-Oct-24 20:02 UTC
[Puppet Users] Important Security Announcement: AltNames Vulnerability [new version of puppet]
We have discovered a security vulnerability (“AltNames Vulnerability”) whereby a malicious attacker can impersonate the Puppet master using credentials from a Puppet agent node. This vulnerability cannot cross Puppet deployments, but it can allow an attacker with elevated privileges on one Puppet-managed node to gain control of any other Puppet-managed node within the same infrastructure.

All Puppet Enterprise deployments are vulnerable, and Puppet open source deployments may be, depending upon their site configuration. We believe this to be a serious risk, and we have confirmed this with security experts outside of Puppet Labs.

For more information we have the following resources:

* Blog Post with all the details: http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/
* Security links and details: http://puppetlabs.com/security/cve/cve-2011-3872/
* Remediation module: http://links.puppetlabs.com/cve20113872_remediation

As a result of this vulnerability (CVE-2011-3872) we have released new versions of Puppet.

* 2.6.12
* 2.7.6

We will be sending separate announcements about each of those releases.

Michael Stahnke
Release Manager - Puppet Labs

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Doug Warner
2011-Oct-25 14:07 UTC
Re: [Puppet Users] Important Security Announcement: AltNames Vulnerability [new version of puppet]
On 10/24/2011 04:02 PM, Michael Stahnke wrote:
> We have discovered a security vulnerability (“AltNames Vulnerability”)
> whereby a malicious attacker can impersonate the Puppet master using
> credentials from a Puppet agent node. This vulnerability cannot cross
> Puppet deployments, but it can allow an attacker with elevated
> privileges on one Puppet-managed node to gain control of any other
> Puppet-managed node within the same infrastructure.
>
> All Puppet Enterprise deployments are vulnerable, and Puppet open
> source deployments may be, depending upon their site configuration.

As far as my understanding goes, I *should* be affected by this CVE, but don't
appear to be. I'm:

* running puppet 0.25.5 (nginx/mongrel)
* I use certdnsnames to specify alternative names in my [puppetmaster] section
  of my puppet.conf
* all my nodes connect to one of the alternative names in their [puppet]
  section's "server" line

I only write the [puppetmaster] section in the puppet.conf file on my puppet
master server; are the subjectAltNames only added to the certificate request
if the config is present on the client nodes?

-Doug
Daniel Pittman
2011-Oct-25 15:16 UTC
Re: [Puppet Users] Important Security Announcement: AltNames Vulnerability [new version of puppet]
On Tue, Oct 25, 2011 at 07:07, Doug Warner <doug@warner.fm> wrote:
> On 10/24/2011 04:02 PM, Michael Stahnke wrote:
>> We have discovered a security vulnerability (“AltNames Vulnerability”)
>> whereby a malicious attacker can impersonate the Puppet master using
>> credentials from a Puppet agent node. This vulnerability cannot cross
>> Puppet deployments, but it can allow an attacker with elevated
>> privileges on one Puppet-managed node to gain control of any other
>> Puppet-managed node within the same infrastructure.
>>
>> All Puppet Enterprise deployments are vulnerable, and Puppet open
>> source deployments may be, depending upon their site configuration.
>
> As far as my understanding goes, I *should* be affected by this CVE, but don't
> appear to be. I'm:
>
> * running puppet 0.25.5 (nginx/mongrel)
> * I use certdnsnames to specify alternative names in my [puppetmaster] section
>   of my puppet.conf
> * all my nodes connect to one of the alternative names in their [puppet]
>   section's "server" line
>
> I only write the [puppetmaster] section in the puppet.conf file on my puppet
> master server; are the subjectAltNames only added to the certificate request
> if the config is present on the client nodes?

Before the patch the subjectAltName field was never added to the
certificate *request*; we added it on the master, based on the
`certdnsnames` setting in the configuration file there. After the
change the names will be added to the CSR.

So, you need to check the actual signed certificates to find out if
you are vulnerable or not.

Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
Doug Warner
2011-Oct-25 16:37 UTC
Re: [Puppet Users] Important Security Announcement: AltNames Vulnerability [new version of puppet]
On 10/25/2011 11:16 AM, Daniel Pittman wrote:
> On Tue, Oct 25, 2011 at 07:07, Doug Warner <doug@warner.fm> wrote:
>> On 10/24/2011 04:02 PM, Michael Stahnke wrote:
>>> We have discovered a security vulnerability (“AltNames Vulnerability”)
>>> whereby a malicious attacker can impersonate the Puppet master using
>>> credentials from a Puppet agent node. This vulnerability cannot cross
>>> Puppet deployments, but it can allow an attacker with elevated
>>> privileges on one Puppet-managed node to gain control of any other
>>> Puppet-managed node within the same infrastructure.
>>>
>>> All Puppet Enterprise deployments are vulnerable, and Puppet open
>>> source deployments may be, depending upon their site configuration.
>>
>> As far as my understanding goes, I *should* be affected by this CVE, but don't
>> appear to be. I'm:
>>
>> * running puppet 0.25.5 (nginx/mongrel)
>> * I use certdnsnames to specify alternative names in my [puppetmaster] section
>>   of my puppet.conf
>> * all my nodes connect to one of the alternative names in their [puppet]
>>   section's "server" line
>>
>> I only write the [puppetmaster] section in the puppet.conf file on my puppet
>> master server; are the subjectAltNames only added to the certificate request
>> if the config is present on the client nodes?
>
> Before the patch the subjectAltName field was never added to the
> certificate *request*; we added it on the master, based on the
> `certdnsnames` setting in the configuration file there. After the
> change the names will be added to the CSR.
>
> So, you need to check the actual signed certificates to find out if
> you are vulnerable or not.
>
> Daniel

I did; the signed certificates in the cached directory on the puppet master
don't appear to have the subjectAltName set (bin/webrick/scan_certs didn't
find any), and checking a couple certs on the actual nodes w/ openssl didn't
discover the signed ones having the value either.

Am I checking the wrong things?

-Doug
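Daniel's advice above is to inspect the signed certificates rather than the configuration. The Ruby script below is an added example written for this thread, not Puppet Labs' remediation module or anything posted here: using only Ruby's bundled OpenSSL it lists the DNS names in each signed certificate's subjectAltName and flags any agent certificate that shares a name with the master, which is the condition CVE-2011-3872 depends on. The signed-cert directory, the master names and the two generated certificates are constructed assumptions.

```ruby
require 'openssl'
require 'tmpdir'

# DNS names carried in a certificate's subjectAltName extension, [] if none.
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip)
     .select { |v| v.start_with?('DNS:') }.map { |v| v.sub(/\ADNS:/, '') }
end

# Scan a directory of signed PEM certs (e.g. $ssldir/ca/signed on the master) and
# return {filename => overlapping names} for each cert whose SAN carries one of the
# master's names; an empty hash means no agent cert could pass as the master.
def risky_certs(dir, master_names)
  Dir.glob(File.join(dir, '*.pem')).sort.each_with_object({}) do |path, out|
    hit = san_dns_names(OpenSSL::X509::Certificate.new(File.read(path))) & master_names
    out[File.basename(path)] = hit unless hit.empty?
  end
end

# --- constructed fixtures (not real certs): a throwaway CA and two agent certs ---
def issue_cert(cn, san_names, issuer = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject # nil issuer => self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless san_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    cert.add_extension(ef.create_extension('subjectAltName',
                                           san_names.map { |n| "DNS:#{n}" }.join(','), false))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { key: key, cert: cert }
end

def build_fixture_dir(dir)
  ca  = issue_cert('Puppet CA', [])
  ok  = issue_cert('web01.example.com', [], ca)                         # clean agent cert
  bad = issue_cert('db01.example.com', %w[db01.example.com puppet], ca) # got master's certdnsnames
  File.write(File.join(dir, 'web01.example.com.pem'), ok[:cert].to_pem)
  File.write(File.join(dir, 'db01.example.com.pem'), bad[:cert].to_pem)
end

Dir.mktmpdir { |d| build_fixture_dir(d); p risky_certs(d, %w[puppet puppet.example.com]) }
```

Point `risky_certs` at the master's signed-certificate directory and pass every name in your `certdnsnames` setting plus the master's own hostname; a non-empty result identifies the certificates to revoke and reissue.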