Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2013:1284 advisory.

    Puppet allows provisioning, patching, and configuration of clients to be     managed and automated.

    A flaw was found in the way Puppet handled YAML content during     Representational State Transfer (REST) API calls. An attacker could     construct a request containing a crafted YAML payload that would cause the     Puppet master to execute arbitrary code. (CVE-2013-3567)

    It was found that resource_type requests could be used to cause the Puppet     master to load and run Ruby files from anywhere on the file system. In     non-default configurations, a local user on the Puppet master server could     use this flaw to have arbitrary Ruby code executed with the privileges of     the Puppet master. (CVE-2013-4761)

    It was found that Puppet Module Tool (that is, running puppet module     commands from the command line) applied incorrect permissions to installed     modules. If a malicious, local user had write access to the Puppet module     directory, they could use this flaw to modify the modules and therefore     execute arbitrary code with the privileges of the Puppet master.
    (CVE-2013-4956)

    Red Hat would like to thank Puppet Labs for reporting these issues.
    Upstream acknowledges Ben Murphy as the original reporter of CVE-2013-3567.

    These ruby193-puppet packages are used by Foreman, which provides     facilities for rapidly deploying Red Hat OpenStack 3.0. In this use case,     Puppet master is used and exposed to these issues. Note that Foreman is     provided as a Technology Preview. For more information on the scope and     nature of support for items marked as Technology Preview, refer to     https://access.redhat.com/support/offerings/techpreview/

    Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated     packages, which correct these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Solaris system is missing necessary patches to address security updates :

  - Unspecified vulnerability in Puppet 2.7.x before 2.7.23     and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x     before 2.8.3 and 3.0.x before 3.0.1, allows remote     attackers to execute arbitrary Ruby programs from the     master via the resource_type service. NOTE: this     vulnerability can only be exploited utilizing     unspecified 'local file system access' to the Puppet     Master. (CVE-2013-4761)

  - Puppet Module Tool (PMT), as used in Puppet 2.7.x before     2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise     2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs     modules with weak permissions if those permissions were     used when the modules were originally built, which might     allow local users to read or modify those modules     depending on the original permissions. (CVE-2013-4956)

According to its self-reported version number, the Puppet Enterprise install on the remote host is a version prior to 3.0.1.  As a result, it reportedly has multiple vulnerabilities:

  - An error exists related to the included Ruby SSL client     that could allow man-in-the-middle attacks.
    (CVE-2013-4073)

  - An error exists related to the 'resource_type' service     that could allow a local attacker to cause arbitrary     Ruby files to be executed. (CVE-2013-4761)

  - Multiple session vulnerabilities exist that could     allow an attacker to hijack an arbitrary session and     gain unauthorized access. (CVE-2013-4762, CVE-2013-4964)

  - An error exists related to 'Puppet Module Tool' (PMT)     and improper permissions. (CVE-2013-4956)

  - Multiple security bypass vulnerabilities exist that     could allow an attacker to gain unauthorized access     and perform sensitive transactions. (CVE-2013-4958,     CVE-2013-4962)

  - Multiple information disclosure vulnerabilities exist     that could allow an attacker to access sensitive     information such as server software versions, MAC     addresses, SSH keys, and database passwords.
    (CVE-2013-4959, CVE-2013-4961, CVE-2013-4967)

  - An open-redirection vulnerability exists that could     allow an attacker to attempt a phishing attack.
    (CVE-2013-4955)

  - Clickjacking and cross-site-scripting vulnerabilities     exist that could allow an attacker to trick users into     sending them sensitive information such as passwords.
    (CVE-2013-4968)

  - A cross-site request forgery vulnerability exists that     could allow an attacker to manipulate a logged in user's     browser to perform sensitive transactions on the user's     behalf. (CVE-2013-4963)

According to its self-reported version number, the Puppet install on the remote host has multiple vulnerabilities:

  - By using the 'resource_type' service, an attacker could     cause Puppet to load arbitrary Ruby files from the     Puppet Master node's file system. While this behavior is     not enabled by default, 'auth.conf' settings could be     modified to allow it. The exploit requires local file     system access to the Puppet Master. (CVE-2013-4761)

  - Puppet Module Tool (PMT) installs modules with weak     permissions if those permissions were used when the     modules were originally built. This could allow     attackers to bypass certain security restrictions and     perform unauthorized actions. (CVE-2013-4956)

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified 'local file system access' to the Puppet Master.

Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions.

Several vulnerabilities were discovered in puppet, a centralized configuration management system. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2013-4761     The 'resource_type' service (disabled by default) could     be used to make puppet load arbitrary Ruby code from     puppet master's file system.

  - CVE-2013-4956     Modules installed with the Puppet Module Tool might be     installed with weak permissions, possibly allowing local     users to read or modify them.

The stable distribution (wheezy) has been updated to version 2.7.33 of puppet. This version includes the patches for all the previous DSAs related to puppet in wheezy. In this version, the puppet report format is now correctly reported as version 3.

It is to be expected that future DSAs for puppet update to a newer, bug fix-only, release of the 2.7 branch.

The oldstable distribution (squeeze) has not been updated for this advisory: as of this time there is no fix for CVE-2013-4761 and the package is not affected by CVE-2013-4956.

Updated puppet and puppet3 package fix security vulnerabilities :

It was discovered that Puppet incorrectly handled the resource_type service. A local attacker on the master could use this issue to execute arbitrary Ruby files (CVE-2013-4761).

It was discovered that Puppet incorrectly handled permissions on the modules it installed. Modules could be installed with the permissions that existed when they were built, possibly exposing them to a local attacker (CVE-2013-4956).

The remote host is affected by the vulnerability described in GLSA-201308-04 (Puppet: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Puppet. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, cause a Denial of Service condition, obtain       sensitive information, or bypass security restrictions.
  Workaround :

    There is no known workaround at this time.

Puppet Labs reports :

By using the `resource_type` service, an attacker could cause puppet to load arbitrary Ruby files from the puppet master node's file system. While this behavior is not enabled by default, `auth.conf` settings could be modified to allow it. The exploit requires local file system access to the Puppet Master.

Puppet Module Tool (PMT) did not correctly control permissions of modules it installed, instead transferring permissions that existed when the module was built.

It was discovered that Puppet incorrectly handled the resource_type service. A local attacker on the master could use this issue to execute arbitrary Ruby files. (CVE-2013-4761)

It was discovered that Puppet incorrectly handled permissions on the modules it installed. Modules could be installed with the permissions that existed when they were built, possibly exposing them to a local attacker. (CVE-2013-4956).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
193828	RHEL 6 : ruby193-puppet (RHSA-2013:1284)	Nessus	Red Hat Local Security Checks	high
80744	Oracle Solaris Third-Party Patch Update : puppet (multiple_vulnerabilities_in_puppet)	Nessus	Solaris Local Security Checks	medium
70663	Puppet Enterprise < 3.0.1 Multiple Vulnerabilities	Nessus	CGI abuses	medium
70661	Puppet 2.7.x / 3.2.x < 2.7.23 / 3.2.4 and Enterprise 2.8.x / 3.0.x < 2.8.3 / 3.0.1 Multiple Vulnerabilities	Nessus	CGI abuses	medium
70223	Amazon Linux AMI : puppet (ALAS-2013-219)	Nessus	Amazon Linux Local Security Checks	medium
70002	Debian DSA-2761-1 : puppet - several vulnerabilities	Nessus	Debian Local Security Checks	medium
69491	Mandriva Linux Security Advisory : puppet (MDVSA-2013:222)	Nessus	Mandriva Local Security Checks	medium
69464	GLSA-201308-04 : Puppet: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
69395	FreeBSD : puppet -- multiple vulnerabilities (2b2f6092-0694-11e3-9e8e-000c29f6ae42)	Nessus	FreeBSD Local Security Checks	medium
69373	Ubuntu 12.04 LTS / 12.10 / 13.04 : puppet vulnerabilities (USN-1928-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2013-4956

medium

Tenable Plugins

high

medium

medium

medium

medium

medium

medium

high

medium

medium