CVE-2014-3251 (MCollective 'aes_security' Plugin Certificate Validation)

  • Posted July 15, 2014

  • Assessed Risk Level: low

The MCollective `aes_security` public key plugin did not correctly validate new server certs against the CA certificate. By exploiting this vulnerability within a specific race condition window, an attacker with local access could initiate an unauthorized Mcollective client connection with a server. Note that this vulnerability requires a collective be configured to use the aes_security plugin. Puppet Enterprise and open source Mcollective are not configured to use the plugin and are not vulnerable by default.
CVSS v2 score: 3.4 with Vector: AV:L/AC:H/Au:M/C:P/I:N/A:C/E:POC/RL:OF/RC:C
Affected Platforms:
Mcollective (all)
Puppet Enterprise 2.8
Puppet Enterprise 3.2
Resolved In:
Mcollective 2.5.3
Puppet Enterprise 3.3.0


Acknowledgement for the responsible disclosure of this vulnerability to Puppet Labs

  • Mark Chappell