Posted On: October 1, 2010
Assessed Risk Level: None

If a given node or server is missing an auth.conf file in /etc/puppet, it may be vulnerable to information disclosure or resource manipulation from authenticated Puppet nodes. In both cases the scope is limited to the privileges of the remote Puppet process.

Status

- Resolved in Puppet 2.6.4
- Earlier versions of Puppet are not vulnerable

Scope

Minimum conditions for server

- Running 2.6.0, 2.6.1, 2.6.2, 2.6.3 or any other 2.6.x release missing the auth.conf file
- Attacker has access to SSL credentials of another node.

Minimum conditions for client

- Running 2.6.0, 2.6.1, 2.6.2, 2.6.3 or any other 2.6.x release missing auth.conf file
- Attacker has access to SSL credentials of another node
- Puppet client is running as a daemon (not --onetime)
- Puppet configured in listen mode with --listen
- Attacker's host is allowed to connect via namespaceauth.conf

Vulnerable Install Methods

- Install from gems
- Install from Mac packages
- Install from source
- Install from Solaris Blastwave packages

Not Vulnerable Install Methods

- Install from Debian debs
- Install from Red Hat RPMs

Note: If you remove auth.conf, you are vulnerable, regardless of install method.

To determine if you are vulnerable you can execute the puppet resource command, like so:

    $ puppet resource -H attack.target.mydomain user puppet

Secured (auth.conf present):

(Attack against server requires puppetport specification, against client does not, assuming default ports.)

    $ puppet resource -H attack.target.mydomain user puppet --puppetport 8140
    /usr/lib/ruby/1.8/puppet/indirector/rest.rb:57:in `deserialize': Error 403 on SERVER: Forbidden request: attack.host.mydomain (x.x.x.x) access to /resource/user/ [search] authenticated at line 93 (Net::HTTPError)

Insecure (auth.conf missing):

You get the user info:

    $ puppet resource -H attack.target.mydomain user puppet
    user { 'puppet':
        comment => 'Puppet configuration management daemon,,,',
        uid => '104',
        gid => '107',
        home => '/var/lib/puppet',
        shell => '/bin/false',
        password => '*',
        ensure => 'present'
    }
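
A local audit for the conditions listed above, as an added example that is not part of the original advisory or of Puppet's own tooling. The function names, the `review` and `out-of-scope` labels and the `PUPPET_CONFDIR` variable are assumptions made for illustration; /etc/puppet is the path the advisory names.

```shell
#!/bin/sh
# classify_puppet VERSION [CONFDIR] prints one of (labels are assumptions):
#   not-affected  auth.conf is present (the advisory's "Secured" case)
#   affected      2.6.0 - 2.6.3 with no auth.conf
#   review        later 2.6.x with no auth.conf: the advisory lists the fix
#                 in 2.6.4 but also warns that removing the file is unsafe
#   out-of-scope  not a 2.6.x release, so the advisory's conditions do not apply
classify_puppet() {
    version=$1
    confdir=${2:-/etc/puppet}

    if [ -f "$confdir/auth.conf" ]; then
        echo not-affected
        return 0
    fi

    case $version in
        # 2.6.0 .. 2.6.3, including suffixed builds such as 2.6.3rc1,
        # but not 2.6.10 or 2.6.30
        2.6.[0-3]|2.6.[0-3][!0-9]*) echo affected ;;
        2.6.*)                      echo review ;;
        *)                          echo out-of-scope ;;
    esac
}

# Client-side precondition from the advisory: the agent runs in listen mode.
# Only puppet.conf is inspected; a --listen flag passed on the command line
# of a running daemon is not visible from here.
listen_enabled() {
    conf=${1:-/etc/puppet}/puppet.conf
    [ -f "$conf" ] &&
        grep -Eq '^[[:space:]]*listen[[:space:]]*=[[:space:]]*true' "$conf"
}

# Audit the local host when puppet is installed.
if command -v puppet >/dev/null 2>&1; then
    dir=${PUPPET_CONFDIR:-/etc/puppet}
    ver=$(puppet --version)
    echo "puppet $ver in $dir: $(classify_puppet "$ver" "$dir")"
    if listen_enabled "$dir"; then
        echo "listen mode is enabled in $dir/puppet.conf"
    fi
fi
```

A result of `affected` or `review` means auth.conf should be restored before the host is left running; the remote `puppet resource` probe shown above then confirms the 403 response.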