[Bug 861182] Re: Remote directory traversal, allows write to arbitrary locations
Jamie Strandboge
jamie at ubuntu.com
Wed Oct 5 20:21:58 UTC 2011
Pocket copied puppet to hardy-proposed. Please test and give feedback
here. See https://wiki.ubuntu.com/Testing/EnableProposed for
documentation on how to enable and use -proposed. Thank you in advance!
** Tags removed: security-verification
** Tags added: verification-needed
** Description changed:
- IMPORTANT: THIS BUG SHOULD REMAIN PRIVATE SINCE IT DISCLOSES HOW TO
- EXPLOIT THE VULNERABILITY
-
- From: Michael Stahnke <REDACTED>
- Subject: High severity vulnerability found in Puppet (CVE-2011-3848) [not yet public]
- Date: 27 September 2011 20:29:25 EDT
- To: <REDACTED>
-
There has been a critical vulnerability discovered in Puppet
(CVE-2011-3848). Puppet Labs is currently working with distribution
maintainers, as well as key customers to ensure we are able to patch
this vulnerability before it is exploited.
-
- The CVE and issue have not been made public yet. We appreciate
- your discretion at this time.
-
- # Explanation #
-
- Kristian Erik Hermansen <kristian.hermansen at gmail.com> reported that
- an unauthenticated directory traversal could drop any valid X.509
- Certificate Signing Request at any location on disk, with the
- privileges of the Puppet Master application. This was found in the
- 2.7 series of Puppet, but the underlying vulnerability existed in
- earlier releases and could be accessed with different hostile inputs.
-
- There are also some additional quirks of input handling that make it
- easier to obfuscate the input.
-
- To exploit on 2.7 a valid CSR is sent as a PUT request:
-
- """ $ curl -k -X PUT -H "Content-Type: text/plain" --data-binary
- @data
- https://puppetmaster:8140/production/certificate_request/%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Ftmp%252Fpoison
- """
-
- This exploits an input quirk where the "key" in the URI is
- double-decoded; this would also work for a single URI-encoded input
- string.
-
- On 2.6 this is ignored, but the CN in the Subject of the CSR is used
- in the same way, and could be exploited to drop the CSR content at an
- arbitrary location on disk. The suffix ".pem" is always appended to
- the location.
-
- In the 0.25 series the same CN-based injection can occur, as the
- underlying flaw still exists.
-
- In all cases this requires that the input data can be loaded through
- OpenSSL as a CSR, and will fail before touching disk if that is not
- valid data.
-
- Be aware that both double-encoded and single-encoded URI patterns will
- work, equivalently, in Puppet 2.7. No URI decoding is done on the CN
- of the CSR Subject.
# Commit message for fix #
I have included patches for the 0.25.x, 2.6.x, and 2.7.x branches.
Author: Daniel Pittman <daniel at puppetlabs.com>
Date: Sat Sep 24 12:44:20 2011 -0700
Resist directory traversal attacks through indirections.
In various versions of Puppet it was possible to cause a directory
traversal attack through the SSLFile indirection base class.
This was variously triggered through the user-supplied key, or
the Subject of the certificate, in the code.
Now, we detect bad patterns down in the base class for our
indirections, and fail hard on them. This reduces the attack
surface with as little disruption to the overall codebase as
possible, making it suitable to deploy as part of older, stable
versions of Puppet.
In the long term we will also address this higher up the stack,
to prevent these problems from reoccurring, but for now this
will suffice.
Huge thanks to Kristian Erik Hermansen <kristian.hermansen at gmail.com>
for the responsible disclosure, and useful analysis, around
this defect.
Signed-off-by: Daniel Pittman <daniel at puppetlabs.com>
-
- # Plan #
-
- Puppet Labs is currently rebuilding tarballs and packages of Puppet.
- This will result in the following new source packages:
- * Puppet 2.6.10
- * Puppet 2.7.4 (this is in an RC series now,
- and will go final with the attached patch merged in)
- * 2.6.10 and 2.7.4 will be available on downloads.puppetlabs.com/puppet as
- soon as possible. Likely sometime before 28 Sep at 08:00 UTC.
- * Puppet Labs will also push to rubygems.org for those using gems.
- * Everything in Puppet Enterprise will be updated and packaged
- by Puppet Labs; this includes PE 1.0, 1.1 and 1.2
-
- # Action #
-
- We (Puppet Labs) obviously would like everybody to be as protected
- from attacks as possible. We have not disclosed this issue publicly
- yet. We will likely do so sometime on 28 Sep, but it could be on 29
- Sep if you're UTC or greater.
-
- We will announce the issue, as well as download locations for fixes
- on our puppet-users, puppet-announce, puppet-dev and pe-users mailing
- lists. At that time we will also get back in contact with cve.mitre.org
- to have them update the CVE.
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3848
-
- # Note for 0.25 users #
-
- If you're still shipping/using 0.25, we have included a patch that
- applies cleanly to our git tree, but will not be releasing any
- upstream source of it.
-
- If you have any questions or need additional clarification on
- anything, please respond to security at puppetlabs.com.
-
- Thanks, Michael Stahnke
- Release Manager -- Puppet Labs
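Added example, not Puppet's code and not part of the bug report or the commit above: a Ruby guard in the spirit of the fix the commit message describes, rejecting traversal patterns in the indirection key, or in the CSR Subject CN used by the 2.6 and 0.25 code paths, before either is turned into a filename. It also handles the input-handling quirk the report notes by percent-decoding repeatedly, so single- and double-encoded forms are checked the same way. The module and method names (SslFileGuard, valid_key?, pem_path, cn_from_csr, build_sample_csr) are hypothetical, and the CSR and directory used below are constructed sample input.

```ruby
require 'openssl'

# Hypothetical guard, modelled on the commit's approach of detecting bad
# patterns in the base class and failing hard. Not Puppet's own code.
module SslFileGuard
  # Percent-decode until the string stops changing, so a double-encoded
  # "%252E%252E%252F" and a single-encoded "%2E%2E%2F" both collapse to "../"
  # before being checked. Work on a binary copy so odd bytes cannot raise.
  def self.fully_decode(key, max_rounds = 5)
    key = key.to_s.b
    max_rounds.times do
      decoded = key.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
      return decoded if decoded == key
      key = decoded
    end
    key
  end

  # A key is acceptable only if it is a single path component: non-empty,
  # no NUL, no path separators, and not "." or ".." once fully decoded.
  def self.valid_key?(key)
    decoded = fully_decode(key)
    return false if decoded.empty?
    return false if decoded.include?("\0")
    return false if decoded.match?(%r{[/\\]})
    return false if decoded == "." || decoded == ".."
    true
  end

  # Build the on-disk path the way the report describes (key + ".pem" under a
  # fixed directory), but fail hard on a bad key and, as a second line of
  # defence, confirm the result still lies inside that directory.
  def self.pem_path(base_dir, key)
    raise ArgumentError, "invalid key #{key.inspect}" unless valid_key?(key)
    base = File.expand_path(base_dir)
    path = File.expand_path("#{key}.pem", base)
    unless path.start_with?(base + File::SEPARATOR)
      raise ArgumentError, "path #{path} escapes #{base}"
    end
    path
  end

  # The 2.6/0.25 vector used the CSR Subject CN instead of the URI key, so the
  # CN must pass the same check before any filename is derived from it.
  def self.cn_from_csr(pem)
    csr = OpenSSL::X509::Request.new(pem)
    entry = csr.subject.to_a.find { |name, _value, _type| name == "CN" }
    raise ArgumentError, "CSR has no CN" unless entry
    entry[1]
  end
end

# Constructed sample input: a locally generated CSR with a chosen CN, used
# only to exercise the guard (hypothetical helper, not Puppet code).
def build_sample_csr(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([["CN", cn]])
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new("SHA256"))
  req.to_pem
end

if __FILE__ == $0
  requests_dir = "/tmp/example-ssl/ca/requests"   # constructed placeholder
  puts SslFileGuard.pem_path(requests_dir, "web01.example.com")
  %w[.. %2E%2E%2Ftmp %252E%252E%252F%252E%252E%252Ftmp%252Fpoison].each do |k|
    puts "#{k.inspect} rejected: #{!SslFileGuard.valid_key?(k)}"
  end
  cn = SslFileGuard.cn_from_csr(build_sample_csr("../../tmp/poison"))
  puts "CN #{cn.inspect} rejected: #{!SslFileGuard.valid_key?(cn)}"
end
```

The decode loop is bounded rather than open-ended so a pathological input cannot keep the server busy, and the containment check in pem_path is deliberately redundant with valid_key?: if a future caller bypasses the key check, the path check still refuses to write outside the directory.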
https://bugs.launchpad.net/bugs/861182
Title:
Remote directory traversal, allows write to arbitrary locations