[Pkg-puppet-devel] CVE-2012-3408 Puppet allows agents with certnames of IP addresses to be impersonated
Stig Sandbeck Mathisen
ssm at debian.org
Tue Jul 17 14:10:18 UTC 2012
Henri Salo <henri at nerv.fi> writes:
> Could you tell me in which patch CVE-2012-3408 was fixed exactly and
> how?
It was fixed by Puppet Labs in revision ab9150b by deprecating it in
2.7.18 (by logging a warning message), and removing it in 3.x. I was of
the impression that this made it into the squeeze security release, but
I was mistaken. Sorry. :/
> I would like to verify this issue as I see this as a critical security
> vulnerability.
Puppet Labs sees it as a "low-risk" security vulnerability
(http://puppetlabs.com/security/cve/cve-2012-3408/).
In order to be vulnerable, you have to:
* Explicitly configure "certname=<ipaddress>" in puppet.conf. The
default is the fully qualified domain name.
* Allow others access to the network your agent runs on, as well as
taking its IP address, or using man-in-the-middle techniques to
impersonate this IP address.
--
Stig Sandbeck Mathisen <ssm at debian.org>
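
Added example, not part of the original message and not Puppet's own code: a check for the first condition listed above, scanning puppet.conf text for a certname that parses as an IP address. The sample configuration, the function name and the "(none)" label for settings outside any section are constructed for illustration.

```python
import ipaddress

# Constructed sample puppet.conf (not taken from the original post).
SAMPLE_CONF = """\
[main]
    vardir = /var/lib/puppet
    # certname = 10.0.0.1   (commented out, so ignored)

[agent]
    server = puppet.example.com
    certname = 192.0.2.15

[master]
    certname = puppet.example.com
"""


def find_ip_certnames(conf_text):
    """Return (section, certname) pairs whose certname is an IPv4/IPv6 address."""
    findings = []
    section = "(none)"  # hypothetical label for settings before any [section]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "certname":
            continue
        value = value.strip().strip("\"'")
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue  # hostname-style certname, not the case described above
        findings.append((section, value))
    return findings


if __name__ == "__main__":
    for section, name in find_ip_certnames(SAMPLE_CONF):
        print(f"[{section}] certname={name} is an IP address")
```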