ID CVE-2014-3248
Summary Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
References
Vulnerable Configurations
  • Puppet Labs Facter 1.6.18
    cpe:2.3:a:puppetlabs:facter:1.6.18
  • Puppet Labs Facter 2.0.1
    cpe:2.3:a:puppetlabs:facter:2.0.1
  • Puppet Labs Marionette-collective 2.5.1
    cpe:2.3:a:puppetlabs:marionette-collective:2.5.1
  • Puppet Labs Hiera 1.3.3
    cpe:2.3:a:puppetlabs:hiera:1.3.3
  • Puppetlabs Puppet Enterprise 2.8.6
    cpe:2.3:a:puppetlabs:puppet:2.8.6:-:-:-:enterprise
  • Puppet Labs Puppet 2.7.26
    cpe:2.3:a:puppetlabs:puppet:2.7.26
  • Puppet Labs Puppet 3.6.1
    cpe:2.3:a:puppetlabs:puppet:3.6.1
CVSS
Base: 6.2 (as of 17-11-2014 - 13:42)
Impact:
Exploitability:
CWE CWE-17
CAPEC
Access
  Vector: LOCAL
  Complexity: HIGH
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_PUPPET-140630.NASL
    description Puppet was updated to fix the following security issues : - Unsafe use of temporary files. (CVE-2013-4969) - Arbitrary code execution with required social engineering. (CVE-2014-3248 / CVE-2014-3250)
    last seen 2019-02-21
    modified 2014-11-18
    plugin id 76424
    published 2014-07-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76424
    title SuSE 11.3 Security Update : puppet (SAT Patch Number 9472)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-484.NASL
    description Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 81330
    published 2015-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81330
    title Amazon Linux AMI : puppet (ALAS-2015-484)
  • NASL family CGI abuses
    NASL id PUPPET_2_7_26.NASL
    description According to its self-reported version number, the Puppet install on the remote host is affected by multiple vulnerabilities : - A privilege escalation vulnerability related to input validation and paths exists in the bundled Ruby environment. An attacker could trick a privileged user into executing arbitrary code by convincing the user to change directories and then run Puppet. (CVE-2014-3248) - An error exists related to the console role that could allow unauthenticated users to obtain sensitive information by hiding and unhiding nodes. Note that this issue only affects Puppet Enterprise installs. (CVE-2014-3249) - An error exists related to configurations including Apache 2.4 and the mod_ssl 'SSLCARevocationCheck' that could allow an attacker to obtain sensitive information. Note that this issue does not affect Puppet Enterprise installs. (CVE-2014-3250)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 76344
    published 2014-07-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76344
    title Puppet < 2.7.26 / 3.6.2 and Enterprise 2.8.x < 2.8.7 Multiple Vulnerabilities
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_PUPPET_20141216.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine. (CVE-2014-3248)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80745
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80745
    title Oracle Solaris Third-Party Patch Update : puppet (multiple_vulnerabilities_in_puppet1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-12699.NASL
    description Update to 1.7.6 for bz#1107891 and CVE-2014-3248 See http://puppetlabs.com/security/cve/CVE-2014-3248 for more information upstream. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 79389
    published 2014-11-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79389
    title Fedora 20 : facter-1.7.6-1.fc20 (2014-12699)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-15 (MCollective: Privilege escalation) Two vulnerabilities have been found in MCollective: An untrusted search path vulnerability exists in MCollective (CVE-2014-3248). MCollective does not properly validate server certificates (CVE-2014-3251). Impact : A local attacker can execute an arbitrary Trojan horse shared library, potentially resulting in arbitrary code execution and privilege escalation. Furthermore, a local attacker may be able to establish unauthorized MCollective connections. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2015-04-13
    plugin id 79968
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79968
    title GLSA-201412-15 : MCollective: Privilege escalation
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-456.NASL
    description Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 79840
    published 2014-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79840
    title Amazon Linux AMI : facter (ALAS-2014-456)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_FACTER_20141120.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine. (CVE-2014-3248)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80604
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80604
    title Oracle Solaris Third-Party Patch Update : facter (cve_2014_3248_untrusted_search)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-45.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-45 (Facter: Privilege escalation) Facter includes the current working directory in the search path. Impact : A local attacker may be able to gain escalated privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2015-04-13
    plugin id 80266
    published 2014-12-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80266
    title GLSA-201412-45 : Facter: Privilege escalation
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3308-1.NASL
    description Dennis Rowe discovered that Puppet incorrectly handled the search path. A local attacker could use this issue to possibly execute arbitrary code. (CVE-2014-3248) It was discovered that Puppet incorrectly handled YAML deserialization. A remote attacker could possibly use this issue to execute arbitrary code on the master. This update is incompatible with agents older than 3.2.2. (CVE-2017-2295). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 100632
    published 2017-06-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100632
    title Ubuntu 14.04 LTS : puppet vulnerabilities (USN-3308-1)
refmap via4
bid 68035
confirm http://puppetlabs.com/security/cve/cve-2014-3248
misc http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/
secunia
  • 59197
  • 59200
Last major update 17-11-2014 - 13:42
Published 16-11-2014 - 12:59