A bug in Puppet allows agents with certnames of IP addresses to be impersonated.
This vulnerability exists in setups where certnames are set to host IP addresses. If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host's former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host's catalog. Note that IP-based authentication will be available via the allow_ip keyword in Puppet 3.x, but will not be disabled in prior versions. Using IP-based authentication in 2.7.x will result in a deprecation warning. This is considered a low-risk vulnerability.
- IP-based authentication deprecated in 2.7.18 (source), release notes, rpm, deb, dmg, windows
- IP-based authentication deprecated in Puppet Enterprise 2.5.2
- Hotfixes with deprecation available for Puppet Enterprise 2.0.x
- allow_ip keyword added to Puppet 3.x
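
The following audit is an added example, not part of the original advisory and not Puppet's own code. It flags certnames that are literal IP addresses and `allow` rules in an auth.conf whose values are IP-style (the deprecated usage that allow_ip replaces in 3.x). The certnames and auth.conf text are constructed samples; the function names and the simplified auth.conf parsing are assumptions.

```python
import ipaddress
import re
# Trailing-wildcard IP prefix such as 192.0.2.* (assumed pattern style)
WILDCARD_IP = re.compile(r"^(\d{1,3}\.){1,3}\*$")

def is_ip_like(value):
    """True for an IP address, a CIDR block, or a wildcard IP prefix."""
    if WILDCARD_IP.match(value):
        return True
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def ip_certnames(certnames):
    """Certnames that are literal IP addresses (the setup in the advisory)."""
    flagged = []
    for name in certnames:
        try:
            ipaddress.ip_address(name)
        except ValueError:
            continue
        flagged.append(name)
    return flagged

def ip_allow_rules(auth_conf_text):
    """(line number, value) for each `allow` directive with an IP-like value."""
    findings = []
    for lineno, line in enumerate(auth_conf_text.splitlines(), start=1):
        rule = line.split("#", 1)[0].strip()       # drop trailing comments
        match = re.match(r"^allow\s+(.+)$", rule)  # `allow_ip` does not match
        if not match:
            continue
        for value in re.split(r"[,\s]+", match.group(1)):
            if value and is_ip_like(value):
                findings.append((lineno, value))
    return findings

# Constructed sample input, not taken from a real master
SAMPLE_CERTNAMES = ["web01.example.com", "192.0.2.15", "db01.example.com"]
SAMPLE_AUTH_CONF = """path /catalog
method find
allow 192.0.2.15
allow *.example.com
allow 192.0.2.*
allow_ip 192.0.2.0/24
"""

if __name__ == "__main__":
    print(ip_certnames(SAMPLE_CERTNAMES), ip_allow_rules(SAMPLE_AUTH_CONF))
```

Any certname it reports is one that another host could match simply by taking over that address, so those agents are the ones to reissue under a hostname-based certname.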