CVE-2017-2292 - Deserialization of Untrusted Data vulnerability in Puppet MCollective

CVSS 9.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
HIGH
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
LOW

Summary

Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix is to call YAML.safe_load on the input. The fix has been tested against all Puppet-supplied MCollective plugins, but third-party plugins may rely on the insecure behavior.

Vulnerable Configurations

Part Description Count
Application
Puppet
64

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyCGI abuses
    NASL idPUPPET_ENTERPRISE_2016_4_5.NASL
    descriptionAccording to its self-reported version number, the Puppet install on the remote host is affected by multiple vulnerabilities : - A remote command execution vulnerability exists in the MCollective plugin due to unsafe YAML deserialization. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. (CVE-2017-2292, CVE-2017-2295) - An arbitrary package install vulnerability exists in the MCollective plugin due to unsafe default configuration. An unauthenticated, remote attacker can exploit this to install or remove packages on all managed agents. (CVE-2017-2293) - An information disclosure vulnerability exists in the MCollective plugin due to unsafe storage of server private keys. An unauthenticated, remote attacker can exploit this to view sensitive private keys. (CVE-2017-2294) - An authentication bypass vulnerability exists in labeled RBAC access tokens. An unauthenticated attacker can exploit this to bypass authentication and execute arbitrary actions as users configured to use labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. This only affects users with labeled tokens, which is not the default for tokens. (CVE-2017-2297)
    last seen2020-06-01
    modified2020-06-02
    plugin id129755
    published2019-10-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129755
    titlePuppet Enterprise < 2016.4.5 / 2016.5.x / 2017.1.x Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: when the scanner evaluates the plugin with
    # `description` set, only this block runs. It records the plugin's
    # identity, the CVEs it covers, its scoring and the detection plugins
    # it depends on, then exits without touching the target.
    if (description)
    {
      script_id(129755);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/17 14:31:04");
    
      # Five CVEs are reported by the one plugin; the solution text below
      # names a single fixed release pair (2016.4.5 / 2017.2.1) for all of them.
      script_cve_id(
        "CVE-2017-2292",
        "CVE-2017-2293",
        "CVE-2017-2294",
        "CVE-2017-2295",
        "CVE-2017-2297"
      );
      script_bugtraq_id(98582);
    
      script_name(english:"Puppet Enterprise < 2016.4.5 / 2016.5.x / 2017.1.x Multiple Vulnerabilities");
      # Detection is version-based only: the plugin compares the version the
      # Puppet REST API reports and does not exercise any of the flaws, so a
      # backported fix that leaves the version unchanged would still be flagged.
      script_summary(english:"Checks the Puppet Enterprise version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Puppet install on
    the remote host is affected by multiple vulnerabilities :
    
      - A remote command execution vulnerability exists in the MCollective plugin
        due to unsafe YAML deserialization. An unauthenticated, remote attacker 
        can exploit this to bypass authentication and execute arbitrary commands. 
        (CVE-2017-2292, CVE-2017-2295)
    
      - An arbitrary package install vulnerability exists in the MCollective plugin
        due to unsafe default configuration. An unauthenticated, remote attacker 
        can exploit this to install or remove packages on all managed agents.
        (CVE-2017-2293)
    
      - An information disclosure vulnerability exists in the MCollective plugin
        due to unsafe storage of server private keys. An unauthenticated, remote attacker 
        can exploit this to view sensitive private keys.
        (CVE-2017-2294)
      
      - An authentication bypass vulnerability exists in labled RBAC access tokens. 
        An unauthenticated, attacker can exploit this, to bypass authentication 
        and execute arbitrary actions of users configured to use labeled RBAC
        access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 
        and 2017.2.1. This only affects users with labeled tokens, which is 
        not the default for tokens. (CVE-2017-2297)");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2017-2292");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2017-2293");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2017-2294");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2017-2295");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2017-2297");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Puppet Enterprise version 2016.4.5 / 2017.2.1 or later.");
      # The CVSS vectors describe CVE-2017-2292 (the MCollective unsafe YAML
      # deserialization issue), as declared by cvss_score_source below.
      # NOTE(review): the CVSS3 vector carries PR:H while the description text
      # above says "unauthenticated" for the same CVE; confirm which reflects
      # the MCollective trust model before relying on either for triage.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2292");
    
      # Exploitability statement as of the plugin's publication date (2019/10/09).
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/09");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Both detection plugins must have populated the KB first: the REST API
      # port (and its version) and the Puppet Enterprise Console install.
      # The plugin is not launched when either required key is absent.
      script_dependencies("puppet_enterprise_console_detect.nasl", "puppet_rest_detect.nasl");
      script_require_keys("puppet/rest_port", "installed_sw/puppet_enterprise_console");
    
      exit(0);
    }
    
    include('vcf.inc');
    include('http.inc');
    
    # The REST API reports a version for both Puppet Enterprise and
    # open-source Puppet, so the version check is keyed on the API rather
    # than on the Console itself.
    app_name = 'Puppet REST API';
    
    # Terminate with an audit message unless both the REST port and the
    # version detected on that port are present in the KB.
    rest_port = get_kb_item_or_exit('puppet/rest_port');
    ver_key = 'puppet/' + rest_port + '/version';
    get_kb_item_or_exit(ver_key);
    
    # Also require that the Puppet Enterprise Console was detected; this
    # plugin targets Puppet Enterprise installs.
    get_kb_item_or_exit('installed_sw/puppet_enterprise_console');
    
    app_info = vcf::get_app_info(app:app_name, port:rest_port, webapp:TRUE, kb_ver:ver_key);
    
    # This is a version comparison only; nothing on the target is exercised.
    # Mapping of Puppet component versions to PE releases is taken from
    # https://puppet.com/docs/pe/2018.1/component_versions_in_recent_pe_releases.html
    # Puppet 4.0.0 <= version < 4.10.1 is reported as vulnerable, with the
    # fix displayed as the corresponding PE releases (2016.4.5 / 2017.2.1).
    constraints = [
      {"min_version" : "4.0.0", "fixed_version" : "4.10.1", "fixed_display" : "Puppet Enterprise (2016.4.5 / 2017.2.1)"}
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201709-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201709-01 (MCollective: Remote Code Execution) A vulnerability was discovered in MCollective, which deserialized YAML from agents without calling safe_load. This allows the potential for arbitrary code execution on the server. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id102942
    published2017-09-05
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102942
    titleGLSA-201709-01 : MCollective: Remote Code Execution
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201709-01.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Registration phase: when the scanner evaluates the plugin with
    # `description` set, only this block runs. It records the plugin's
    # identity, the GLSA/CVE references, scoring and required KB keys,
    # then exits without touching the target.
    if (description)
    {
      script_id(102942);
      script_version("$Revision: 3.2 $");
      script_cvs_date("$Date: 2018/01/26 17:15:57 $");
    
      # Single CVE, cross-referenced to the Gentoo advisory it was taken from.
      script_cve_id("CVE-2017-2292");
      script_xref(name:"GLSA", value:"201709-01");
    
      script_name(english:"GLSA-201709-01 : MCollective: Remote Code Execution");
      # Local check: the installed-package database is read over SSH; the
      # MCollective service itself is never contacted.
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201709-01
    (MCollective: Remote Code Execution)
    
        A vulnerability was discovered in MCollective which allowed for
          deserialized YAML from agents without calling safe_load. This allows the
          potential for arbitrary code execution on the server.
      
    Impact :
    
        A remote attacker could possibly execute arbitrary code with the
          privileges of the process or cause a Denial of Service condition.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201709-01"
      );
      # Gentoo's fix is app-admin/mcollective 2.11.0; the package check in
      # the body of the plugin uses the same 2.11.0 boundary.
      script_set_attribute(
        attribute:"solution", 
        value:
    "All MCollective users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-admin/mcollective-2.11.0'"
      );
      # CVSS vectors for CVE-2017-2292 (the same vectors the Puppet Enterprise
      # plugin for this CVE declares).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mcollective");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      # Needs the SSH info-gathering plugin to have run and stored the Gentoo
      # release and qpkg package list; the plugin is not launched otherwise.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Preconditions for a Gentoo package check: local checks must be enabled,
    # the host must be Gentoo and the qpkg package list must be in the KB.
    # Each audit() call ends the plugin with the matching reason.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # An installed app-admin/mcollective older than 2.11.0 is vulnerable; the
    # 2.11.0 boundary is the one named in the GLSA solution text.
    is_vulnerable = qpkg_check(
      package:"app-admin/mcollective",
      unaffected:make_list("ge 2.11.0"),
      vulnerable:make_list("lt 2.11.0")
    );
    
    if (!is_vulnerable)
    {
      # Distinguish "package present but patched" from "package not installed".
      checked = qpkg_tests_get();
      if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MCollective");
    }
    else
    {
      # Report a hole; include the matched package versions when the scan is
      # configured for verbose reports.
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }