Overview

CVE-2018-1000201 - DLL Loading Issue Affecting FFI on Windows

  • Posted June 25, 2018

  • Assessed Risk Level: High

A vulnerability was discovered in FFI that could result in privilege escalation and arbitrary code execution on Windows. This vulnerability has been resolved in Puppet Agent 1.10.13, 5.3.7 and 5.5.2. Puppet Enterprise 2016.4.13, 2017.3.8 and 2018.1.2 include versions of Puppet Agent that have had this vulnerability resolved. This vulnerability only affects Puppet Agent running on Windows.

For more information about the vulnerability, refer to the vulnerability writeup.

This vulnerability was initially reported to us by Matt Bush at The Missing Link Security.

Status:

Affected software versions:

  • Puppet agent 1.x prior to 1.10.13
  • Puppet agent 4.x
  • Puppet agent 5.x prior to 5.3.7
  • Puppet agent 5.4.x
  • Puppet agent 5.5.x prior to 5.5.2

Resolved in:

  • Puppet agent 1.10.13
  • Puppet agent 5.3.7
  • Puppet agent 5.5.2
  • Puppet Enterprise 2016.4.13
  • Puppet Enterprise 2017.3.8
  • Puppet Enterprise 2018.1.2