Bugzilla – Bug 879913
VUL-0: CVE-2014-3248,CVE-2014-3250 : puppet code execution
Last modified: 2014-07-15 09:22:16 UTC
EMBARGOED: CVE Identifier: CVE-2014-3248 Arbitrary Code Execution with Required Social Engineering On a host on which Puppet, Mcollective, Facter, or Hiera runs on Ruby < 1.9.2, an unprivileged user can create either a valid ruby file in a directory mirroring the internal directory structure of the application or a file called 'rubygems.rb' in a world-writeable location (e.g. /tmp), convince someone with admin privileges to `cd` into that directory and run the application, and the application will load and execute the contents of that ruby file with privileges of the admin user. This is due to the fact that Ruby versions < 1.9.2 append the current working directory to the load path of an application, and these applications do not perform load path sanitation to remove it. Only users running Ruby < 1.9.2 are affected. Later versions of Ruby do not append the load path with the current working directory. Attached are patches based on Puppet 3.6.1, Facter 2.0.1, Hiera 1.3.3, and Mcollective 2.5.1. The fix included is to remove the current working directory from the load path in the executables included with each application. This should hopefully be relatively easy to apply to other versions of these software. The Puppet patch also applies cleanly to 2.7.25. Note that these patches do not do modify behavior at the library level, which means that 3rd-party executables which load these applications as libraries would still be exposed. The reasoning is that any such executables are already exposed before they require Puppet Labs libraries, and removing directories from the global LOAD_PATH may have unintended consequences for 3rd-party applications (e.g. maybe they've added "." to the LOAD_PATH explicitly). We have assigned this vulnerability CVSSv2 score 5.9, with vector AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:U/RC:C. Affected software versions: Puppet (all) Facter 1.6.x and 2.x (1.7.x not affected) Hiera (all) Mcollective (all) Puppet Enterprise 2.8.x (3.x not affected) Resolved in pending releases: Puppet 2.7.26* and 3.6.2 Facter 2.0.2 Hiera 1.3.4 Mcollective 2.5.2 Puppet Enterprise 2.8.7 Patches for remediation: Puppet: puppet-3.6.1-remove-current-directory-from-Ruby-load-path.patch Facter: facter-2.0.1-remove-current-directory-from-Ruby-load-path Hiera: hiera-1.3.3-remove-current-directory-from-Ruby-load-path.patch Mcollective: mcollective-2.5.1-remove-current-directory-from-Ruby-load-path.patch
CVE Identifier: CVE-2014-3250 Information Leakage In Apache 2.4, SSLCARevocationCheck directive was added to mod_ssl, which defaults it to none and must be explicitly configured. This setting enables checking of a certificate revocation list. The default Puppet master vhost config shipped with Puppet does not include this setting. If a Puppet master is set up to run with Apache 2.4, and this default vhost configuration file is used, the Puppet master will continue to honor a host's certificate even after it is revoked. This file is used in the puppetmaster-passenger deb package shipped by Puppet Labs, which configures a Puppet master in this manner. This vulnerability only applies to users running Apache 2.4. Attached is a patch to Puppet 3.6.1 which adds the setting (commented out by default) and then enables it in the puppetmaster-passenger package for configurations running Apache 2.4 and later. This will not be addressed in Puppet 2.7.26 release. We have assigned this vulnerability CVSSv2 score 3.6 with vector AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:U/RC:C. Affected software versions: Puppet (all) Resolved in pending releases: Puppet 3.6.2 Patch for remediation: puppet-3.6.1-Apache-2.4-requires-explicit-CRL.patch * The Puppet 2.7.x series is officially end of life, but continues to be maintained by community members. Along with Puppet 3.6.2, a "community" release of Puppet 2.7.26 will be issued on our stated disclosure date which addresses the Ruby load path issue.
bugbot adjusting priority
Created attachment 593439 [details] Facter patch
Created attachment 593440 [details] Hiera patch
Created attachment 593441 [details] mcollective patch
Created attachment 593442 [details] Puppet 2.7.25 patch
Created attachment 593443 [details] Puppet 3.6.1 Apache
Created attachment 593444 [details] Puppet 3.6.1
Fixed for SLE12.
Issue is public
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-06-27. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/57825
Affected packages: SLE-11-SP3: puppet
Update released for: puppet, puppet-server Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: puppet, puppet-server Products: SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0880-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 856843,879913 CVE References: CVE-2013-4969,CVE-2014-3248,CVE-2014-3250 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): puppet-2.6.18-0.16.1 SUSE Linux Enterprise Server 11 SP3 (src): puppet-2.6.18-0.16.1 SUSE Linux Enterprise Desktop 11 SP3 (src): puppet-2.6.18-0.16.1