Vulnerabilities > CVE-2016-5715 - Open Redirect vulnerability in Puppet Enterprise
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
LOW Availability impact
NONE Summary
Open redirect vulnerability in the Console in Puppet Enterprise 2015.x and 2016.x before 2016.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the redirect parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6501.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Fake the Source of Data An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
Nessus
NASL family CGI abuses NASL id PUPPET_ENTERPRISE_421_470.NASL description According to its self-reported version number, the Puppet Enterprise application running on the remote host is version 2015.x or 2016.x prior to 2016.4.0. It is, therefore, affected by the following vulnerabilities : - A cross-site redirection vulnerability exists within the /auth/login script due to improper validation of user-supplied input to the last seen 2020-06-01 modified 2020-06-02 plugin id 95392 published 2016-11-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95392 title Puppet Enterprise 2015.x / 2016.x < 2016.4.0 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(95392); script_version("1.8"); script_cvs_date("Date: 2019/11/14"); script_cve_id("CVE-2016-5715"); script_bugtraq_id(93846); script_name(english:"Puppet Enterprise 2015.x / 2016.x < 2016.4.0 Multiple Vulnerabilities"); script_summary(english:"Checks the Puppet Enterprise version."); script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Puppet Enterprise application running on the remote host is version 2015.x or 2016.x prior to 2016.4.0. It is, therefore, affected by the following vulnerabilities : - A cross-site redirection vulnerability exists within the /auth/login script due to improper validation of user-supplied input to the 'redirect' parameter in a GET request. An unauthenticated, remote attacker can exploit this issue, by convincing a user to follow a specially crafted link, to redirect the user to a website of the attacker's own choosing, which can then be used to conduct further attacks. Note that this vulnerability was thought to have been resolved by the fix for CVE-2015-6501, but the fix was incomplete. Puppet Enterprise 2016.4.0 includes a fix for this vulnerability. (CVE-2015-5715) - A flaw exists in the Puppet Enterprise Console due to unsafe string processing that allows an authenticated, remote attacker to execute arbitrary code."); script_set_attribute(attribute:"see_also", value:"https://puppet.com/docs/puppet/6.0/release_notes.html"); script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2016-5715"); script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/pe-console-oct-2016"); script_set_attribute(attribute:"solution", value: "Upgrade to Puppet Enterprise version 2016.4.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5715"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/14"); script_set_attribute(attribute:"patch_publication_date", value:"2016/09/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/29"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("puppet_enterprise_console_detect.nasl", "puppet_rest_detect.nasl"); script_require_keys("puppet/rest_port", "installed_sw/puppet_enterprise_console"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Make sure we detected a version port = get_kb_item_or_exit('puppet/rest_port'); ver = get_kb_item_or_exit('puppet/' + port + '/version'); # Make sure the Console service is running get_kb_item_or_exit('installed_sw/puppet_enterprise_console'); min_ver = '4.2.1'; # aka 2015.2.0; earliest 2015.x fix_ver = '4.7.0'; # aka 2016.4.0 if(ver_compare(ver:ver, fix:fix_ver, minver: min_ver, strict:FALSE) < 0) { report = '\n Installed version : Puppet Enterprise ' + ver + '\n Fixed version : Puppet Enterprise 4.7.0 (2016.4.0)' + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_WARNING); } else { audit(AUDIT_LISTEN_NOT_VULN, 'Puppet Enterprise', port, ver); }
NASL family CGI abuses NASL id PUPPET_ENTERPRISE_2_3_2.NASL description According to its self-reported version number, the Puppet Enterprise application running on the remote host is version 2015.x or 2016.x prior to 2016.4.0. It is, therefore, affected by the following vulnerabilities : - A cross-site redirection vulnerability exists within the /auth/login script due to improper validation of user-supplied input to the last seen 2020-06-01 modified 2020-06-02 plugin id 129764 published 2019-10-09 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129764 title Puppet Enterprise 2015.x / 2016.x < 2016.4.0 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(129764); script_version("1.3"); script_cvs_date("Date: 2019/11/14"); script_cve_id("CVE-2016-5715"); script_bugtraq_id(93846); script_name(english:"Puppet Enterprise 2015.x / 2016.x < 2016.4.0 Multiple Vulnerabilities"); script_summary(english:"Checks the Puppet Enterprise version."); script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Puppet Enterprise application running on the remote host is version 2015.x or 2016.x prior to 2016.4.0. It is, therefore, affected by the following vulnerabilities : - A cross-site redirection vulnerability exists within the /auth/login script due to improper validation of user-supplied input to the 'redirect' parameter in a GET request. An unauthenticated, remote attacker can exploit this issue, by convincing a user to follow a specially crafted link, to redirect the user to a website of the attacker's own choosing, which can then be used to conduct further attacks. Note that this vulnerability was thought to have been resolved by the fix for CVE-2015-6501, but the fix was incomplete. Puppet Enterprise 2016.4.0 includes a fix for this vulnerability. (CVE-2016-5715) - A flaw exists in the Puppet Enterprise Console due to unsafe string processing that allows an authenticated, remote attacker to execute arbitrary code."); script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2016-5715"); script_set_attribute(attribute:"solution", value: "Upgrade to Puppet Enterprise version 2016.4.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5715"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/20"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("puppet_enterprise_console_detect.nasl", "puppet_rest_detect.nasl"); script_require_keys("puppet/rest_port", "installed_sw/puppet_enterprise_console"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Make sure we detected a version port = get_kb_item_or_exit('puppet/rest_port'); ver = get_kb_item_or_exit('puppet/' + port + '/version'); # Make sure the Console service is running get_kb_item_or_exit('installed_sw/puppet_enterprise_console'); min_ver = '4.2.1'; # aka 2015.2.0; earliest 2015.x fix_ver = '4.7.0'; # aka 2016.4.0 if(ver_compare(ver:ver, fix:fix_ver, minver: min_ver, strict:FALSE) < 0) { report = '\n Installed version : Puppet Enterprise ' + ver + '\n Fixed version : Puppet Enterprise 4.7.0 (2016.4.0)' + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_WARNING); } else { audit(AUDIT_LISTEN_NOT_VULN, 'Puppet Enterprise', port, ver); }
NASL family CGI abuses NASL id PUPPET_ENTERPRISE_2016_4_0.NASL description According to its self-reported version number, the Puppet Enterprise application running on the remote host is version prior to 2016.2.1. It is, therefore, affected by the following vulnerabilities : - An information disclosure vulnerability exists in the environment catalog component. An unauthenticated remote attacker can exploit this issue to retrieve access to the enviroment catalogs which may reveal sensitive information about infrastructure of application orchestration users.(CVE-2016-5714) - An url redirection vulnerability exists in the next page transition. An unauthenticated remote attacker can exploit this issue to create believable phishing attacks.(CVE-2016-5715) last seen 2020-06-01 modified 2020-06-02 plugin id 129754 published 2019-10-09 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129754 title Puppet Enterprise < 2016.4.0 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(129754); script_version("1.3"); script_cvs_date("Date: 2019/11/14"); script_cve_id("CVE-2016-5714", "CVE-2016-5715"); script_bugtraq_id(93846); script_name(english:"Puppet Enterprise < 2016.4.0 Multiple Vulnerabilities"); script_summary(english:"Checks the Puppet Enterprise version."); script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Puppet Enterprise application running on the remote host is version prior to 2016.2.1. It is, therefore, affected by the following vulnerabilities : - An information disclosure vulnerability exists in the environment catalog component. An unauthenticated remote attacker can exploit this issue to retrieve access to the enviroment catalogs which may reveal sensitive information about infrastructure of application orchestration users.(CVE-2016-5714) - An url redirection vulnerability exists in the next page transition. An unauthenticated remote attacker can exploit this issue to create believable phishing attacks.(CVE-2016-5715)"); script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2016-5714"); script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2016-5715"); script_set_attribute(attribute:"solution", value: "Upgrade to Puppet Enterprise version 2016.4.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5714"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/20"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("puppet_enterprise_console_detect.nasl", "puppet_rest_detect.nasl"); script_require_keys("puppet/rest_port", "installed_sw/puppet_enterprise_console"); exit(0); } include('vcf.inc'); include('http.inc'); app = 'Puppet REST API'; # we get both enterprise and open-source versions from the api... # Make sure we detected a version port = get_kb_item_or_exit('puppet/rest_port'); ver = get_kb_item_or_exit('puppet/' + port + '/version'); # Make sure the Console service is running get_kb_item_or_exit('installed_sw/puppet_enterprise_console'); app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE, kb_ver: 'puppet/' + port + '/version'); # version info obtained from https://puppet.com/docs/pe/2016.2/overview_version_table.html constraints = [ {"min_version" : "3.0.0", "fixed_version" : "4.7.0", "fixed_display" : "Puppet Enterprise (2016.4.0)"} ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
Packetstorm
data source | https://packetstormsecurity.com/files/download/139302/PUPPET-AUTHENTICATION-REDIRECT.txt |
id | PACKETSTORM:139302 |
last seen | 2016-12-05 |
published | 2016-10-22 |
reporter | hyp3rlinx |
source | https://packetstormsecurity.com/files/139302/Puppet-Enterprise-Web-Interface-Open-Redirect.html |
title | Puppet Enterprise Web Interface Open Redirect |
References
- http://hyp3rlinx.altervista.org/advisories/PUPPET-AUTHENTICATION-REDIRECT.txt
- http://hyp3rlinx.altervista.org/advisories/PUPPET-AUTHENTICATION-REDIRECT.txt
- http://packetstormsecurity.com/files/139302/Puppet-Enterprise-Web-Interface-Open-Redirect.html
- http://packetstormsecurity.com/files/139302/Puppet-Enterprise-Web-Interface-Open-Redirect.html
- http://www.securityfocus.com/archive/1/539618/100/0/threaded
- http://www.securityfocus.com/archive/1/539618/100/0/threaded
- http://www.securityfocus.com/bid/93846
- http://www.securityfocus.com/bid/93846
- https://puppet.com/security/cve/cve-2016-5715
- https://puppet.com/security/cve/cve-2016-5715