Vulnerabilities > CVE-2014-3251 - Race Condition vulnerability in multiple products

047910
CVSS 4.4 - MEDIUM
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201412-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201412-15 (MCollective: Privilege escalation) Two vulnerabilities have been found in MCollective: An untrusted search path vulnerability exists in MCollective (CVE-2014-3248) MCollective does not properly validate server certificates (CVE-2014-3251) Impact : A local attacker can execute arbitrary a Trojan horse shared library, potentially resulting in arbitrary code execution and privilege escalation. Furthermore, a local attacker may be able to establish unauthorized MCollective connections. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id79968
    published2014-12-15
    reporterThis script is Copyright (C) 2014-2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79968
    titleGLSA-201412-15 : MCollective: Privilege escalation
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201412-15.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79968);
      script_version("$Revision: 1.3 $");
      script_cvs_date("$Date: 2015/04/13 14:33:56 $");
    
      script_cve_id("CVE-2014-3248", "CVE-2014-3251");
      script_bugtraq_id(68035, 69235);
      script_xref(name:"GLSA", value:"201412-15");
    
      script_name(english:"GLSA-201412-15 : MCollective: Privilege escalation");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201412-15
    (MCollective: Privilege escalation)
    
        Two vulnerabilities have been found in MCollective:
          An untrusted search path vulnerability exists in MCollective
            (CVE-2014-3248)
          MCollective does not properly validate server certificates
            (CVE-2014-3251)
      
    Impact :
    
        A local attacker can execute arbitrary a Trojan horse shared library,
          potentially resulting in arbitrary code execution and privilege
          escalation. Furthermore, a local attacker may be able to establish
          unauthorized MCollective connections.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201412-15"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All MCollective users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-admin/mcollective-2.5.3'"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mcollective");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/12/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"app-admin/mcollective", unaffected:make_list("ge 2.5.3"), vulnerable:make_list("lt 2.5.3"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MCollective");
    }
    
  • NASL familyCGI abuses
    NASL idPUPPET_ENTERPRISE_330.NASL
    descriptionAccording to its self-reported version number, the Puppet Enterprise application installed on the remote host is version 2.8.x or 3.2.x. It is, therefore, affected by multiple vulnerabilities : - An error exists in the
    last seen2020-06-01
    modified2020-06-02
    plugin id77281
    published2014-08-20
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/77281
    titlePuppet Enterprise 2.8.x / 3.2.x Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(77281);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2014-0198", "CVE-2014-0224", "CVE-2014-3251");
      script_bugtraq_id(67193, 67899, 69235);
    
      script_name(english:"Puppet Enterprise 2.8.x / 3.2.x Multiple Vulnerabilities");
      script_summary(english:"Checks the Puppet Enterprise version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application on the remote host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Puppet Enterprise
    application installed on the remote host is version 2.8.x or 3.2.x. It
    is, therefore, affected by multiple vulnerabilities :
    
      - An error exists in the 'do_ssl3_write' function that
        permits a NULL pointer to be dereferenced, which could
        allow denial of service attacks. Note that this issue
        is exploitable only if SSL_MODE_RELEASE_BUFFERS is
        enabled. (CVE-2014-0198)
    
      - An error exists in the processing of ChangeCipherSpec
        messages that allows the usage of weak keying material.
        This permits simplified man-in-the-middle attacks to be
        done. (CVE-2014-0224)
    
      - The MCollective 'aes_security' plugin does not properly
        validate new server certificates. This allows a local
        attacker to spoof a valid MCollective connection. Note
        that this plugin is not enabled by default.
        (CVE-2014-3251)");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2014-0198");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2014-0224");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2014-3251");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Puppet Enterprise 3.3.0 or later.
    
    In the case of the 2.8.x branch, please contact the vendor for
    guidance.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0224");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/07/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/07/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/20");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("puppet_rest_detect.nasl");
      script_require_keys("puppet/rest_port");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    ##
    # checks if the given version falls between the given bounds, and
    # generates plugin output if it does
    #
    # @anonparam ver version to check
    # @anonparam fix first fixed version
    # @anonparam min_ver the lowest/earliest vulnerable version, relative to 'fix' (optional)
    #
    # @return plugin output if 'ver' is vulnerable relative to 'fix' and/or 'min_ver',
    #         NULL otherwise
    ##
    function _check_version(ver, fix, min_ver, enterprise)
    {
      local_var report;
    
      if (
        # no lower bound
        (isnull(min_ver) && ver_compare(ver:ver, fix:fix, strict:FALSE) < 0) ||
    
        # lower bound
        (
          !isnull(min_ver) &&
          ver_compare(ver:ver, fix:fix, strict:FALSE) < 0 &&
          ver_compare(ver:ver, fix:min_ver, strict:FALSE) >= 0
        )
      )
      {
        if (enterprise)
        {
          report =
            '\n  Installed version : Puppet Enterprise ' + ver +
            '\n  Fixed version     : Puppet Enterprise 3.3.0\n';
        }
        else report = NULL;
      }
      else report = NULL;
    
      return report;
    }
    
    port = get_kb_item_or_exit('puppet/rest_port');
    ver = get_kb_item_or_exit('puppet/' + port + '/version');
    report = NULL;
    vuln = FALSE;
    
    if ('Enterprise' >< ver)
    {
      # convert something like
      #   2.7.19 (Puppet Enterprise 2.7.0)
      # to
      #   2.7.0
      match = eregmatch(string:ver, pattern:"Enterprise ([0-9.]+)\)");
      if (isnull(match)) audit(AUDIT_UNKNOWN_WEB_APP_VER, 'Puppet Enterprise', build_url(port:port));
      ver = match[1];
    
      if (ver =~ "^2\.8\.")
      {
        vuln = TRUE;
        report =
          '\n  Installed version : Puppet Enterprise ' + ver +
          '\n  Fixed version     : See solution.\n';
      }
    
      if (ver =~ "^3\.2\.")
      {
        report = _check_version(ver:ver, fix:'3.3.0', min_ver:'3.2.0', enterprise:TRUE);
        if (!isnull(report))
          vuln = TRUE;
      }
    }
    
    if (!vuln) audit(AUDIT_LISTEN_NOT_VULN, 'Puppet', port, ver);
    
    if (report_verbosity > 0) security_warning(port:port, extra:report);
    else security_warning(port);
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_ECEA9E920BE5493188DA8772D044972A.NASL
    descriptionMelissa Stone reports : The MCollective aes_security public key plugin does not correctly validate certs against the CA. By exploiting this vulnerability within a race/initialization window, an attacker with local access could initiate an unauthorized MCollective client connection with a server, and thus control the mcollective plugins running on that server. This vulnerability requires a collective be configured to use the aes_security plugin. Puppet Enterprise and open source MCollective are not configured to use the plugin and are not vulnerable by default.
    last seen2020-06-01
    modified2020-06-02
    plugin id76630
    published2014-07-22
    reporterThis script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/76630
    titleFreeBSD : mcollective -- cert valication issue (ecea9e92-0be5-4931-88da-8772d044972a)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(76630);
      script_version("1.3");
      script_cvs_date("Date: 2018/11/10 11:49:44");
    
      script_cve_id("CVE-2014-3251");
    
      script_name(english:"FreeBSD : mcollective -- cert valication issue (ecea9e92-0be5-4931-88da-8772d044972a)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Melissa Stone reports :
    
    The MCollective aes_security public key plugin does not correctly
    validate certs against the CA. By exploiting this vulnerability within
    a race/initialization window, an attacker with local access could
    initiate an unauthorized MCollective client connection with a server,
    and thus control the mcollective plugins running on that server. This
    vulnerability requires a collective be configured to use the
    aes_security plugin. Puppet Enterprise and open source MCollective are
    not configured to use the plugin and are not vulnerable by default."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://groups.google.com/forum/#!topic/puppet-announce/cPykqUXMmK4"
      );
      # https://vuxml.freebsd.org/freebsd/ecea9e92-0be5-4931-88da-8772d044972a.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e80e1437"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mcollective");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"mcollective<2.5.3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");