CVE-2018-6513 - Untrusted Search Path vulnerability in Puppet and Puppet Enterprise

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary
Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017.3.x prior to 2017.3.7, Puppet Enterprise 2018.1.x prior to 2018.1.1, Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2, were vulnerable to an attack where an unprivileged user on Windows agents could write custom facts that can escalate privileges on the next puppet run. This was possible through the loading of shared libraries from untrusted paths.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging/Manipulating Configuration File Search Paths: This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program, such as a path variable or classpath. J2EE applications and other component-based applications that are built from multiple binaries can have very long lists of dependencies to execute. If one of these libraries and/or references is controllable by the attacker, then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this: If the attacker modifies the path variable to point to a locale that includes malicious resources, then the user unwittingly can execute commands on the attacker's behalf. This is a form of usurping control of the program, and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime, detection and blocking of this attack is nearly impossible, because the configuration allows execution.
Nessus
NASL family: CGI abuses
NASL id: PUPPET_ENTERPRISE_2017_3_6.NASL
description: According to its self-reported version number, the Puppet install running on the remote host is version 4.x prior to 2016.2.1, 5.3.x prior to 2017.3.7, or 5.5.x prior to 2018.1.1. It is, therefore, affected by a cross-site scripting (XSS) vulnerability due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by sending a specially crafted query to either the puppet enterprise console or orchestrator, to execute arbitrary script code in a user's browser session.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 129759
published: 2019-10-09
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/129759
title: Puppet Enterprise 2017.x < 2017.3.6 Cross-site Scripting Vulnerability
code:

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(129759);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/17 14:31:04");

      script_cve_id("CVE-2018-6510", "CVE-2018-6511");

      script_name(english:"Puppet Enterprise 2017.x < 2017.3.6 Cross-site Scripting Vulnerability");
      script_summary(english:"Checks the Puppet Enterprise version.");

      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host is affected by a code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Puppet install running on the remote host is
    version 4.x prior to 2016.2.1, 5.3.x prior to 2017.3.7, or 5.5.x prior to 2018.1.1. It is,
    therefore, affected by a cross-site scripting (XSS) vulnerability due to improper validation of
    user-supplied input before returning it to users.

    An unauthenticated, remote attacker can exploit this, by sending a specially crafted query to
    either the puppet enterprise console or orchestrator, to execute arbitrary script code in a
    user's browser session.");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2018-6513");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Puppet Enterprise version 2017.3.6 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6511");

      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/09");

      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");

      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("puppet_enterprise_console_detect.nasl", "puppet_rest_detect.nasl");
      script_require_keys("puppet/rest_port", "installed_sw/puppet_enterprise_console");

      exit(0);
    }

    include('vcf.inc');
    include('http.inc');

    app = 'Puppet REST API';

    # we get both enterprise and open-source versions from the api...
    # Make sure we detected a version
    port = get_kb_item_or_exit('puppet/rest_port');
    ver = get_kb_item_or_exit('puppet/' + port + '/version');

    # Make sure the Console service is running
    get_kb_item_or_exit('installed_sw/puppet_enterprise_console');

    app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE, kb_ver:'puppet/' + port + '/version');

    # version info obtained from https://puppet.com/docs/pe/2018.1/component_versions_in_recent_pe_releases.html
    # Each constraint flags an install whose agent version satisfies min_version <= version < fixed_version;
    # fixed_display maps the agent version back to the Puppet Enterprise release that ships the fix.
    constraints = [
      {"min_version" : "4.0.0", "fixed_version" : "4.10.12", "fixed_display" : "Puppet Enterprise (2016.4.5)"},
      {"min_version" : "5.3.0", "fixed_version" : "5.3.7",   "fixed_display" : "Puppet Enterprise (2017.3.7)"},
      {"min_version" : "5.5.0", "fixed_version" : "5.5.6",   "fixed_display" : "Puppet Enterprise (2018.1.1)"}
    ];

    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);
NASL family: CGI abuses
NASL id: PUPPET_ENTERPRISE_2017_3_7.NASL
description: A remote code execution vulnerability exists in Windows Agents due to a privilege escalation vulnerability associated with shared libraries from untrusted paths. An authenticated, unprivileged local attacker can write custom facts which escalate privileges on the next puppet run. (CVE-2018-6513)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 129760
published: 2019-10-09
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/129760
title: Puppet Enterprise 2016.x < 2016.4.12 / 2017.x < 2017.3.7 / 2018.x < 2018.1.1 Arbitrary Code Execution Vulnerability
code:

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(129760);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/17 14:31:04");

      script_cve_id("CVE-2018-6513");

      script_name(english:"Puppet Enterprise 2016.x < 2016.4.12 / 2017.x < 2017.3.7 / 2018.x < 2018.1.1 Arbitrary Code Execution Vulnerability");
      script_summary(english:"Checks the Puppet Enterprise version.");

      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host is affected by a code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "A remote code execution vulnerability exists in Windows Agents due to a privilege escalation
    vulnerability associated with shared libraries from untrusted paths. An authenticated,
    unprivileged local attacker can write custom facts which escalate privileges on the next puppet run.

    (CVE-2018-6513)");
      script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2018-6513");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Puppet Enterprise version 2016.4.12 / 2017.3.7 / 2018.1.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6513");

      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

      script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/09");

      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");

      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("puppet_enterprise_console_detect.nasl", "puppet_rest_detect.nasl");
      script_require_keys("puppet/rest_port", "installed_sw/puppet_enterprise_console");

      exit(0);
    }

    include('vcf.inc');
    include('http.inc');

    app = 'Puppet REST API';

    # we get both enterprise and open-source versions from the api...
    # Make sure we detected a version
    port = get_kb_item_or_exit('puppet/rest_port');
    ver = get_kb_item_or_exit('puppet/' + port + '/version');

    # Make sure the Console service is running
    get_kb_item_or_exit('installed_sw/puppet_enterprise_console');

    app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE, kb_ver:'puppet/' + port + '/version');

    # version info obtained from https://puppet.com/docs/pe/2018.1/component_versions_in_recent_pe_releases.html
    # Each constraint flags an install whose agent version satisfies min_version <= version < fixed_version;
    # the trailing comment and fixed_display give the Puppet Enterprise release that ships the fix.
    constraints = [
      {"min_version" : "4.0.0", "fixed_version" : "4.10.12", "fixed_display" : "Puppet Enterprise (2016.4.5)"}, # 2016.4.5
      {"min_version" : "5.3.0", "fixed_version" : "5.3.7",   "fixed_display" : "Puppet Enterprise (2017.3.7)"}, # 2017.3.7
      {"min_version" : "5.5.0", "fixed_version" : "5.5.6",   "fixed_display" : "Puppet Enterprise (2018.1.1)"}  # 2018.1.1
    ];

    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);