[Pkg-puppet-devel] CVE-2012-3408 Puppet allows agents with certnames of IP addresses to be impersonated

Stig Sandbeck Mathisen ssm at debian.org
Tue Jul 17 14:10:18 UTC 2012

Henri Salo <henri at nerv.fi> writes:

> Could you tell me in which patch CVE-2012-3408 was fixed exactly and
> how?

It was fixed by Puppet Labs in revision ab9150b by deprecating it in
2.7.18 (by logging a warning message), and removing it in 3.x. I was of
the impression that this made it into the squeeze security release, but
I was mistaken. Sorry. :/

> I would like to verify this issue as I see this as critical security
> vulnerability.

Puppet labs sees it as a "low-risk" security vulnerability.

In order to be vulnerable, you have to:

 * Explicitly configure "certname=<ipaddress>" in puppet.conf. The
   default is the fully qualified domain name.

 * Allow others access to the network your agent runs on, as well as
   taking its IP address, or using man-in-the-middle techniques to
   impersonate this IP address.

Stig Sandbeck Mathisen <ssm at debian.org>

More information about the Pkg-puppet-devel mailing list