Vulnerabilities > CVE-2017-2292 - Deserialization of Untrusted Data vulnerability in Puppet Mcollective

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
puppet
CWE-502
nessus

Summary

Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.

Vulnerable Configurations

Part Description Count
Application
Puppet
64

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyCGI abuses
    NASL idPUPPET_ENTERPRISE_2016_4_5.NASL
    descriptionAccording to its self-reported version number, the Puppet install on the remote host is affected by multiple vulnerabilities : - A remote command execution vulnerability exists in the MCollective plugin due to unsafe YAML deserialization. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. (CVE-2017-2292, CVE-2017-2295) - An arbitrary package install vulnerability exists in the MCollective plugin due to unsafe default configuration. An unauthenticated, remote attacker can exploit this to install or remove packages on all managed agents. (CVE-2017-2293) - An information disclosure vulnerability exists in the MCollective plugin due to unsafe storage of server private keys. An unauthenticated, remote attacker can exploit this to view sensitive private keys. (CVE-2017-2294) - An authentication bypass vulnerability exists in labled RBAC access tokens. An unauthenticated, attacker can exploit this, to bypass authentication and execute arbitrary actions of users configured to use labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. This only affects users with labeled tokens, which is not the default for tokens. (CVE-2017-2297)
    last seen2020-06-01
    modified2020-06-02
    plugin id129755
    published2019-10-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129755
    titlePuppet Enterprise < 2016.4.5 / 2016.5.x / 2017.1.x Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129755);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/17 14:31:04");
    
      script_cve_id(
        "CVE-2017-2292",
        "CVE-2017-2293",
        "CVE-2017-2294",
        "CVE-2017-2295",
        "CVE-2017-2297"
      );
      script_bugtraq_id(98582);
    
      script_name(english:"Puppet Enterprise < 2016.4.5 / 2016.5.x / 2017.1.x Multiple Vulnerabilities");
      script_summary(english:"Checks the Puppet Enterprise version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Puppet install on
    the remote host is affected by multiple vulnerabilities :
    
      - A remote command execution vulnerability exists in the MCollective plugin
        due to unsafe YAML deserialization. An unauthenticated, remote attacker 
        can exploit this to bypass authentication and execute arbitrary commands. 
        (CVE-2017-2292, CVE-2017-2295)
    
      - An arbitrary package install vulnerability exists in the MCollective plugin
        due to unsafe default configuration. An unauthenticated, remote attacker 
        can exploit this to install or remove packages on all managed agents.
        (CVE-2017-2293)
    
      - An information disclosure vulnerability exists in the MCollective plugin
        due to unsafe storage of server private keys. An unauthenticated, remote attacker 
        can exploit this to view sensitive private keys.
        (CVE-2017-2294)
      
      - An authentication bypass vulnerability exists in labled RBAC access tokens. 
        An unauthenticated, attacker can exploit this, to bypass authentication 
        and execute arbitrary actions of users configured to use labeled RBAC
        access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 
        and 2017.2.1. This only affects users with labeled tokens, which is 
        not the default for tokens. (CVE-2017-2297)");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2017-2292");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2017-2293");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2017-2294");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2017-2295");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2017-2297");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Puppet Enterprise version 2016.4.5 / 2017.2.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2292");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/09");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("puppet_enterprise_console_detect.nasl", "puppet_rest_detect.nasl");
      script_require_keys("puppet/rest_port", "installed_sw/puppet_enterprise_console");
    
      exit(0);
    }
    
    include('vcf.inc');
    include('http.inc');
    
    app = 'Puppet REST API'; # we get both enterprise and open-source versions from the api...
    
    # Make sure we detected a version 
    port = get_kb_item_or_exit('puppet/rest_port');
    ver = get_kb_item_or_exit('puppet/' + port + '/version');
    
    # Make sure the Console service is running
    get_kb_item_or_exit('installed_sw/puppet_enterprise_console');
    
    app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE, kb_ver: 'puppet/' + port + '/version');
    
    # version info obtained from https://puppet.com/docs/pe/2018.1/component_versions_in_recent_pe_releases.html
    constraints = [
      {"min_version" : "4.0.0", "fixed_version" : "4.10.1", "fixed_display" : "Puppet Enterprise (2016.4.5 / 2017.2.1)"}
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201709-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201709-01 (MCollective: Remote Code Execution) A vulnerability was discovered in MCollective which allowed for deserialized YAML from agents without calling safe_load. This allows the potential for arbitrary code execution on the server. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id102942
    published2017-09-05
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102942
    titleGLSA-201709-01 : MCollective: Remote Code Execution
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201709-01.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102942);
      script_version("$Revision: 3.2 $");
      script_cvs_date("$Date: 2018/01/26 17:15:57 $");
    
      script_cve_id("CVE-2017-2292");
      script_xref(name:"GLSA", value:"201709-01");
    
      script_name(english:"GLSA-201709-01 : MCollective: Remote Code Execution");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201709-01
    (MCollective: Remote Code Execution)
    
        A vulnerability was discovered in MCollective which allowed for
          deserialized YAML from agents without calling safe_load. This allows the
          potential for arbitrary code execution on the server.
      
    Impact :
    
        A remote attacker could possibly execute arbitrary code with the
          privileges of the process or cause a Denial of Service condition.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201709-01"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All MCollective users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-admin/mcollective-2.11.0'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mcollective");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"app-admin/mcollective", unaffected:make_list("ge 2.11.0"), vulnerable:make_list("lt 2.11.0"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MCollective");
    }