Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability

  • Posted October 20, 2016

  • Assessed Risk Level: Critical

    Note: Considered alone, this vulnerability is High Risk, but in combination with the PCP Broker vulnerability it becomes Critical.

  • CVSS 3 Base Score: 7.6

Puppet Agent 1.3.6 added a whitelist to prevent arbitrary options from being passed to Puppet runs triggered through the Puppet Communications Protocol (PCP). An issue with command validation allowed this whitelist to be bypassed, which can potentially lead to arbitrary code execution on Puppet Agent nodes in Puppet Enterprise prior to 2016.4.0.

Default configurations of FOSS Puppet Agent are not vulnerable.

Reported by NCC Group.


Affected Software Versions:

  • Puppet Enterprise 2015.3.3
  • Puppet Enterprise 2016.x prior to 2016.4.0
  • Puppet Agent 1.3.6 - 1.7.0

Resolved in:

  • Puppet Enterprise 2016.4.0
  • Puppet Agent 1.7.1