On 10/25/2011 11:16 AM, Daniel Pittman wrote:
> On Tue, Oct 25, 2011 at 07:07, Doug Warner <[email protected]> wrote:
>> On 10/24/2011 04:02 PM, Michael Stahnke wrote:
>>> We have discovered a security vulnerability (“AltNames Vulnerability”)
>>> whereby a malicious attacker can impersonate the Puppet master using
>>> credentials from a Puppet agent node. This vulnerability cannot cross
>>> Puppet deployments, but it can allow an attacker with elevated
>>> privileges on one Puppet-managed node to gain control of any other
>>> Puppet-managed node within the same infrastructure.
>>>
>>> All Puppet Enterprise deployments are vulnerable, and Puppet open
>>> source deployments may be, depending upon their site configuration.
>>
>> As far as my understanding goes, I *should* be affected by this CVE, but
>> don't appear to be. I'm:
>>
>> * running puppet 0.25.5 (nginx/mongrel)
>> * I use certdnsnames to specify alternative names in my [puppetmaster]
>>   section of my puppet.conf
>> * all my nodes connect to one of the alternative names in their [puppet]
>>   section's "server" line
>>
>> I only write the [puppetmaster] section in the puppet.conf file on my puppet
>> master server; are the subjectAltNames only added to the certificate request
>> if the config is present on the client nodes?
>
> Before the patch the subjectAltName field was never added to the
> certificate *request*; we added it on the master, based on the
> `certdnsnames` setting in the configuration file there. After the
> change the names will be added to the CSR.
>
> So, you need to check the actual signed certificates to find out if
> you are vulnerable or not.
>
> Daniel
I did; the signed certificates in the cached directory on the puppet master don't appear to have the subjectAltName set (bin/webrick/scan_certs didn't find any), and checking a couple certs on the actual nodes w/ openssl didn't discover the signed ones having the value either. Am I checking the wrong things?

-Doug
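Daniel's point above is that, before the fix, the names from `certdnsnames` were put into the certificate by the master at signing time, so the agent's CSR tells you nothing and only the signed certificates do. The script below is an added example, not code from this thread or from the Puppet project: a POSIX shell check that runs `openssl x509 -text` over a directory of PEM certificates and reports which ones carry the X509v3 subjectAltName extension. So that it runs offline, it can also build a constructed sample (a throwaway CA, one agent cert signed plainly, one signed with the master's names in its SAN, the way a pre-patch master with `certdnsnames` set would have done it). The default directory `/var/lib/puppet/ssl/ca/signed` and the hostnames `puppet` and `puppet.example.com` are assumptions, not anything stated in the thread.

```shell
#!/bin/sh
# Added example, not Puppet project code: list which signed PEM certificates
# carry an X509v3 subjectAltName extension. The AltNames advisory turns on
# agent certificates that were signed with the master's DNS names in that
# field, so an *agent* cert reported as ALTNAMES below is the one to look at
# (the master's own cert is expected to have them).
# Needs the `openssl` command-line tool. The default directory is an
# assumption about a typical puppet master $ssldir; adjust to taste.
DEFAULT_SIGNED_DIR=/var/lib/puppet/ssl/ca/signed

# Print the subjectAltName value of one certificate (e.g.
# "DNS:puppet, DNS:puppet.example.com"), or nothing if the extension is absent.
san_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tail -n1 | sed 's/^[[:space:]]*//'
}

# One line per certificate in the directory:
#   ALTNAMES <file>  <names>      or      no-san   <file>
scan_certs() {
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        names=$(san_names "$cert")
        if [ -n "$names" ]; then
            printf 'ALTNAMES %s  %s\n' "$cert" "$names"
        else
            printf 'no-san   %s\n' "$cert"
        fi
    done
}

# Number of certificates in the directory that carry a subjectAltName.
count_san_certs() {
    scan_certs "$1" | grep -c '^ALTNAMES' || true
}

# Constructed sample data (throwaway keys): a CA, one agent cert signed with
# no SAN, and one agent cert signed with the master's names in its SAN, which
# is what a pre-patch master with certdnsnames set would have produced.
# The CA material and CSRs live in a subdirectory so only signed certs are
# scanned. Hostnames puppet / puppet.example.com are assumed.
make_sample_certs() {
    dir="$1"
    mkdir -p "$dir/ca"
    openssl genrsa -out "$dir/ca/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca/ca.key" -subj '/CN=Puppet CA' \
        -days 1 -out "$dir/ca/ca.pem" 2>/dev/null
    # Extension file applied only to the "bad" agent at signing time.
    printf 'subjectAltName=DNS:puppet,DNS:puppet.example.com\n' \
        > "$dir/ca/altnames.ext"
    for agent in agent-ok agent-bad; do
        openssl genrsa -out "$dir/ca/$agent.key" 2048 2>/dev/null
        openssl req -new -key "$dir/ca/$agent.key" \
            -subj "/CN=$agent.example.com" -out "$dir/ca/$agent.csr" 2>/dev/null
    done
    openssl x509 -req -in "$dir/ca/agent-ok.csr" -CA "$dir/ca/ca.pem" \
        -CAkey "$dir/ca/ca.key" -set_serial 1 -days 1 \
        -out "$dir/agent-ok.pem" 2>/dev/null
    openssl x509 -req -in "$dir/ca/agent-bad.csr" -CA "$dir/ca/ca.pem" \
        -CAkey "$dir/ca/ca.key" -set_serial 2 -days 1 \
        -extfile "$dir/ca/altnames.ext" -out "$dir/agent-bad.pem" 2>/dev/null
}

# Stand-alone use: scan the directory given as $1, else the default puppet
# master directory if it exists, else build and scan the constructed sample.
if [ $# -gt 0 ]; then
    scan_certs "$1"
elif [ -d "$DEFAULT_SIGNED_DIR" ]; then
    scan_certs "$DEFAULT_SIGNED_DIR"
else
    sample=$(mktemp -d)
    make_sample_certs "$sample"
    scan_certs "$sample"
    rm -rf "$sample"
fi
```

Run it on the master against the directory of signed certificates, not against the CSRs or the agents' copies of their own certs. A certificate whose CN is an agent but which lists the master's names under ALTNAMES is the condition the advisory describes; a master cert with those names is normal.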
