Important Security Announcement: AltNames Vulnerability
OVERVIEW

We have discovered a security vulnerability (“AltNames Vulnerability”) whereby a malicious attacker can impersonate the Puppet master using credentials from a Puppet agent node. When the “certdnsnames” setting is active, the Puppet CA adds the master's DNS alt names to every certificate it signs, not only the master's own, so an agent's certificate and private key are enough to pose as the master to other agents. This vulnerability cannot cross Puppet deployments, but it can allow an attacker with elevated privileges on one Puppet-managed node to gain control of any other Puppet-managed node within the same infrastructure. All Puppet Enterprise deployments are vulnerable, and Puppet open source deployments may be, depending on their site configuration. We believe this to be a serious risk, and security experts outside of Puppet Labs have confirmed that assessment. You can immediately protect yourself from this vulnerability with the following steps:
- Prevent your Puppet CA from issuing any more dangerous certificates
- Create a new DNS entry for the Puppet master
- Issue a new Puppet master certificate with its new DNS name
- Configure all Puppet agent nodes to contact the Puppet master at its new name
The following points bear on whether, and how easily, this vulnerability can be exploited at your site:
- Attacks on this vulnerability are not possible unless the “certdnsnames” setting has been active on the Puppet master at some point during the lifetime of the current CA certificate. Note that all installations of Puppet Enterprise have used the “certdnsnames” setting for at least part of their lifecycle, so every Puppet Enterprise CA has issued such certificates.
- Attacks on this vulnerability require a private key and a signed certificate carrying the Puppet master's DNS alt names. How likely an attacker is to obtain such a pair depends on your certificate signing policy and on the kinds of machines Puppet manages: an attacker is least likely to obtain one at sites where all certificates are signed manually and issued only to servers on which no untrusted user holds root (an attacker needs root on a node to read its agent key), and most likely at sites where certificates are autosigned and user laptops are managed by Puppet.
- This vulnerability is not relevant if Puppet is being used in a masterless configuration where each node compiles its own catalog, since there is no master connection to hijack.
- The attack is a man-in-the-middle attack, so the usual prerequisites apply: the attacker must be able to redirect or intercept an agent's connections to the master, for example by controlling DNS resolution or the network path between them.
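The check a practitioner will want before working through the steps above is an inventory of which certificates the CA has already signed with the master's alt names, since each of those must be reissued along with the master's own. The script below is an added example written for this page; it is not part of the announcement and not Puppet's own tooling. It assumes the openssl command-line tool is installed, that the CA's signed certificates are PEM files in one directory (on a master normally $ssldir/ca/signed), that the master's names are passed as a comma-separated list, and that the master's own certificate is stored as <certname>.pem; the throwaway CA it builds, the names puppet, puppet.example.com, agent.example.com and clean.example.com, and all function names are constructed for the example. Removing the certdnsnames line from the master's puppet.conf is what stops the CA from issuing further certificates of this kind.

```shell
#!/bin/sh
# Added example, not Puppet's own tooling: audit a Puppet CA's signed
# certificates for the AltNames exposure. Any certificate other than the
# master's own whose subjectAltName carries one of the master's DNS names
# lets whoever holds its private key impersonate the master.
#
# Assumptions (mine, not from the announcement): certificates are PEM files in
# one directory (on a master this is normally $ssldir/ca/signed), the master's
# names are given as a comma-separated list, and the master's own certificate
# is stored as <certname>.pem. Needs the openssl command-line tool.
set -eu

# Print the DNS entries of a certificate's subjectAltName, one per line
# (nothing if the certificate has no SAN extension).
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# audit_signed_certs DIR MASTER_NAMES MASTER_CERTNAME
# Prints "file: name" for every certificate/name pair that must be revoked and
# reissued; returns 1 if any were found, 0 if the CA looks clean.
audit_signed_certs() {
    hits=0
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        base=${cert##*/}
        [ "${base%.pem}" = "$3" ] && continue   # the master's own cert may carry the names
        for san in $(cert_dns_sans "$cert"); do
            case ",$2," in
                *",$san,"*) echo "$cert: $san"; hits=$((hits + 1)) ;;
            esac
        done
    done
    [ "$hits" -eq 0 ]
}

# --- constructed fixture: a throwaway CA that behaves like a master with ---
# --- certdnsnames = puppet:puppet.example.com set, plus one clean agent  ---

# issue_demo_cert CADIR CN SANS  (SANS: comma-separated DNS names, or empty)
issue_demo_cert() {
    cadir=$1 cn=$2 sans=$3
    openssl req -new -newkey rsa:2048 -nodes -keyout "$cadir/$cn.key" \
        -out "$cadir/$cn.csr" -subj "/CN=$cn" >/dev/null 2>&1
    if [ -n "$sans" ]; then
        # the SAN is added at signing time, as the vulnerable CA did
        printf 'subjectAltName=DNS:%s\n' "$(printf '%s' "$sans" | sed 's/,/,DNS:/g')" \
            > "$cadir/$cn.ext"
    else
        printf 'basicConstraints=CA:FALSE\n' > "$cadir/$cn.ext"
    fi
    openssl x509 -req -in "$cadir/$cn.csr" -CA "$cadir/ca.pem" -CAkey "$cadir/ca.key" \
        -CAcreateserial -days 1 -extfile "$cadir/$cn.ext" \
        -out "$cadir/signed/$cn.pem" >/dev/null 2>&1
}

# make_demo_ca: build the fixture in a temp dir and print that dir's path.
make_demo_ca() {
    cadir=$(mktemp -d)
    mkdir "$cadir/signed"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$cadir/ca.key" \
        -out "$cadir/ca.pem" -subj "/CN=Puppet CA" -days 1 >/dev/null 2>&1
    # the master's own certificate legitimately carries the alt names
    issue_demo_cert "$cadir" puppet.example.com "puppet,puppet.example.com"
    # an agent signed while certdnsnames was active: the dangerous case
    issue_demo_cert "$cadir" agent.example.com "agent.example.com,puppet,puppet.example.com"
    # an agent signed after the setting was removed
    issue_demo_cert "$cadir" clean.example.com ""
    printf '%s\n' "$cadir"
}

# Demo run on the constructed CA: only agent.example.com.pem should be reported.
demo=$(make_demo_ca)
audit_signed_certs "$demo/signed" "puppet,puppet.example.com" puppet.example.com \
    || echo "dangerous certificates found in $demo/signed: reissue them and remove certdnsnames"
rm -rf "$demo"
```

On a real master, run audit_signed_certs against the CA's signed directory with the master's certname and every name that was ever listed in certdnsnames; any certificate it reports should be treated as able to impersonate the master until it is revoked and the master moves to its new name.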