Posted July 15, 2014
Assessed Risk Level: low
The MCollective `aes_security` public key plugin did not correctly validate new server certs against the CA certificate. By exploiting this vulnerability within a specific race condition window, an attacker with local access could initiate an unauthorized MCollective client connection with a server. Note that this vulnerability requires that a collective be configured to use the `aes_security` plugin. Puppet Enterprise and open source MCollective are not configured to use the plugin and are not vulnerable by default.
CVSS v2 score: 3.4 with Vector: AV:L/AC:H/Au:M/C:P/I:N/A:C/E:POC/RL:OF/RC:C
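What validating a newly presented certificate against the CA certificate looks like in practice, as an added Ruby example that is not MCollective's or the plugin's own code: a certificate is cached only if it chains to the CA. The helper names, the cert cache, and the CA and certificates below are all constructed for illustration.

```ruby
require "openssl"

# Build a constructed test certificate; self-signed when no issuer is given.
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# True only if `pem` parses and chains to `ca_cert`, the sole trust anchor.
def signed_by_ca?(ca_cert, pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(OpenSSL::X509::Certificate.new(pem))
rescue OpenSSL::X509::CertificateError
  false # unparseable input is treated as untrusted
end

# Hypothetical cert cache: a newly presented cert is stored under `name`
# only after it verifies against the CA; otherwise the cache is untouched.
def learn_cert(cache, ca_cert, name, pem)
  return false unless signed_by_ca?(ca_cert, pem)
  cache[name] = pem
  true
end

# Constructed sample data: one CA, one server cert it issued, and a
# self-signed cert that merely reuses the same subject name.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("Example Test CA", CA_KEY, ca: true)
GOOD_PEM = make_cert("server1.example.test", OpenSSL::PKey::RSA.new(2048),
                     issuer_cert: CA_CERT, issuer_key: CA_KEY, serial: 2).to_pem
ROGUE_PEM = make_cert("server1.example.test", OpenSSL::PKey::RSA.new(2048), serial: 3).to_pem
```

Matching on the subject name alone would treat both certificates as the same server; only the chain check against the CA tells them apart.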
Puppet Enterprise 2.8
Puppet Enterprise 3.2
Puppet Enterprise 3.3.0
Acknowledgement for the responsible disclosure of this vulnerability to Puppet Labs