ID CVE-2014-3251
Summary The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.
Vulnerable Configurations
  • cpe:2.3:a:puppetlabs:mcollective
  • Puppetlabs Puppet Enterprise 3.2.0
Base: 4.4 (as of 13-08-2014 - 23:19)
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
nessus via4
  • NASL family CGI abuses
    description According to its self-reported version number, the Puppet Enterprise application installed on the remote host is version 2.8.x or 3.2.x. It is, therefore, affected by multiple vulnerabilities : - An error exists in the 'do_ssl3_write' function that permits a NULL pointer to be dereferenced, which could allow denial of service attacks. Note that this issue is exploitable only if SSL_MODE_RELEASE_BUFFERS is enabled. (CVE-2014-0198) - An error exists in the processing of ChangeCipherSpec messages that allows the usage of weak keying material. This permits simplified man-in-the-middle attacks to be done. (CVE-2014-0224) - The MCollective 'aes_security' plugin does not properly validate new server certificates. This allows a local attacker to spoof a valid MCollective connection. Note that this plugin is not enabled by default. (CVE-2014-3251)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 77281
    published 2014-08-20
    reporter Tenable
    title Puppet Enterprise 2.8.x / 3.2.x Multiple Vulnerabilities
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-15 (MCollective: Privilege escalation) Two vulnerabilities have been found in MCollective: An untrusted search path vulnerability exists in MCollective (CVE-2014-3248) MCollective does not properly validate server certificates (CVE-2014-3251) Impact : A local attacker can execute arbitrary a Trojan horse shared library, potentially resulting in arbitrary code execution and privilege escalation. Furthermore, a local attacker may be able to establish unauthorized MCollective connections. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2015-04-13
    plugin id 79968
    published 2014-12-15
    reporter Tenable
    title GLSA-201412-15 : MCollective: Privilege escalation
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_ECEA9E920BE5493188DA8772D044972A.NASL
    description Melissa Stone reports : The MCollective aes_security public key plugin does not correctly validate certs against the CA. By exploiting this vulnerability within a race/initialization window, an attacker with local access could initiate an unauthorized MCollective client connection with a server, and thus control the mcollective plugins running on that server. This vulnerability requires a collective be configured to use the aes_security plugin. Puppet Enterprise and open source MCollective are not configured to use the plugin and are not vulnerable by default.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 76630
    published 2014-07-22
    reporter Tenable
    title FreeBSD : mcollective -- cert valication issue (ecea9e92-0be5-4931-88da-8772d044972a)
refmap via4
osvdb 109257
  • 59356
  • 60066
Last major update 13-08-2014 - 23:19
Published 12-08-2014 - 19:55
Last modified 14-11-2017 - 21:29
Back to Top