Overview

If a given node or server is missing an auth.conf file in /etc/puppet,
it may be vulnerable to information disclosure or resource
manipulation from authenticated Puppet nodes. In both cases the scope is
limited to the privileges of the remote Puppet process.

Status

  • Resolved in Puppet 2.6.4
  • Earlier versions of Puppet are not vulnerable

Scope

Minimum conditions for server

  • Running 2.6.0, 2.6.1, 2.6.2, 2.6.3 or any other 2.6.x release missing the auth.conf file
  • Attacker has access to SSL credentials of another node.

Minimum conditions for client

  • Running 2.6.0, 2.6.1, 2.6.2, 2.6.3 or any other 2.6.x release missing
    the auth.conf file
  • Attacker has access to SSL credentials of another node
  • Puppet client is running as a daemon (not --onetime)
  • Puppet configured in listen mode with --listen
  • Attacker's host is allowed to connect via namespaceauth.conf

Vulnerable Install Methods

  • Install from gems
  • Install from Mac packages
  • Install from source
  • Install from Solaris Blastwave packages

Not Vulnerable Install Methods

  • Install from Debian debs
  • Install from Red Hat RPMs

Note: If you remove auth.conf, you are vulnerable, regardless of install
method.

To determine if you are vulnerable you can execute the puppet resource
command, like so:

$ puppet resource -H attack.target.mydomain user puppet

Secured (auth.conf present):

(An attack against the server requires specifying --puppetport; an attack
against a client does not, assuming default ports.)

$ puppet resource -H attack.target.mydomain user puppet --puppetport 8140

/usr/lib/ruby/1.8/puppet/indirector/rest.rb:57:in `deserialize': Error
403 on SERVER: Forbidden request: attack.host.mydomain (x.x.x.x) access
to /resource/user/ [search] authenticated at line 93 (Net::HTTPError)

Insecure (auth.conf missing):

You get the user info:

$ puppet resource -H attack.target.mydomain user puppet
user { 'puppet':
  comment => 'Puppet configuration management daemon,,,',
  uid => '104',
  gid => '107',
  home => '/var/lib/puppet',
  shell => '/bin/false',
  password => '*',
  ensure => 'present'
}
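
A local check for the conditions listed under Scope, to complement the remote test above. This is an added example, not part of the original advisory or Puppet's own tooling; the function names are hypothetical, the version string is supplied by the caller, and listen mode is detected only when set as `listen = true` in puppet.conf (a `--listen` command-line flag is not seen).

```shell
#!/bin/sh
# Added example: local audit for the missing-auth.conf condition.
# Assumption: the config directory is /etc/puppet unless another is passed.

# Print one of: not-2.6.x | auth.conf-present | exposed
authconf_status() {
    confdir=$1
    version=$2
    case "$version" in
        2.6|2.6.*) ;;                      # any 2.6.x release is in scope
        *) echo "not-2.6.x"; return 0 ;;
    esac
    if [ -f "$confdir/auth.conf" ]; then
        echo "auth.conf-present"
    else
        echo "exposed"                     # 2.6.x with no auth.conf
    fi
}

# Print "yes" if puppet.conf turns on listen mode (a client-side condition).
listen_enabled() {
    conf=$1/puppet.conf
    [ -f "$conf" ] || { echo "no"; return 0; }
    if grep -Eiq '^[[:space:]]*listen[[:space:]]*=[[:space:]]*true' "$conf"; then
        echo "yes"
    else
        echo "no"
    fi
}

# Print a one-line summary; exit status is non-zero when the host is exposed.
audit_host() {
    dir=${1:-/etc/puppet}
    status=$(authconf_status "$dir" "$2")
    echo "auth.conf: $status; listen in puppet.conf: $(listen_enabled "$dir")"
    [ "$status" != "exposed" ]
}

# Usage on a real host:
#   audit_host /etc/puppet "$(puppet --version)"
```

A non-zero exit from `audit_host` means the host is a 2.6.x install with no auth.conf; the listen result matters only for the client conditions.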