Puppet Enterprise Console Authentication Bypass (intrusive check)

Nessus Plugin ID 66235 (Severity: High)

Synopsis

A web application hosted on the remote host has an authentication bypass vulnerability.

Description

The version of Puppet Enterprise Console running on the remote host has an authentication bypass vulnerability. The secret value used to sign session cookies and prevent cookie tampering is not random, so it can be known in advance. This allows a remote, unauthenticated attacker to forge a session cookie that the console accepts as valid, which could result in arbitrary code execution.

This only affects Puppet Enterprise versions 2.5.0 through 2.7.2 that have been upgraded from versions 1.2.x or 2.0.x and have the console role enabled.
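The description above turns on one property: a cookie-signing secret that is not random is, in effect, shared with everyone, so the signature no longer proves the cookie came from the server. The following added example (written for this page, not Nessus or Puppet code) shows a minimal HMAC signed-cookie scheme and a configuration check a defender can run against the secret in use. The function names, the placeholder entries in KNOWN_WEAK_SECRETS and the minimum length are assumptions for illustration; the actual weak value used by the affected Puppet Enterprise releases is not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed policy: secrets shorter than this many characters are rejected.
MIN_SECRET_LEN = 32

# Constructed placeholders standing in for any hard-coded or default secret.
# A real check would hold the defaults shipped by the product being audited.
KNOWN_WEAK_SECRETS = {"changeme", "secret", "PLACEHOLDER_DEFAULT_SECRET"}


def generate_secret() -> str:
    """Return a fresh secret from the OS CSPRNG (64 hex characters)."""
    return secrets.token_hex(32)


def secret_is_acceptable(secret: str) -> bool:
    """Configuration check: reject known defaults and short secrets."""
    if secret in KNOWN_WEAK_SECRETS:
        return False
    return len(secret) >= MIN_SECRET_LEN


def _mac(secret: str, payload: bytes) -> str:
    """HMAC-SHA256 over the encoded session payload, keyed by the secret."""
    return hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()


def sign_cookie(secret: str, session: dict) -> str:
    """Encode the session and append its MAC: '<base64 payload>--<hex mac>'."""
    payload = base64.urlsafe_b64encode(
        json.dumps(session, sort_keys=True).encode()
    )
    return payload.decode() + "--" + _mac(secret, payload)


def verify_cookie(secret: str, cookie: str):
    """Return the session dict if the MAC verifies under `secret`, else None."""
    try:
        payload_b64, mac = cookie.rsplit("--", 1)
    except ValueError:
        return None
    payload = payload_b64.encode()
    # Constant-time comparison so the check does not leak MAC bytes via timing.
    if not hmac.compare_digest(_mac(secret, payload), mac):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def demonstrate() -> dict:
    """Contrast a predictable secret with a random one on the same cookie."""
    weak = "changeme"                      # constructed stand-in for a fixed secret
    strong = generate_secret()             # what the fixed release should use
    session = {"user_id": 1, "role": "admin"}

    # Anyone who knows the shared secret can mint a cookie the server accepts.
    cookie = sign_cookie(weak, session)
    accepted_under_weak = verify_cookie(weak, cookie)

    # The same cookie is rejected once the server holds a secret nobody else knows.
    accepted_under_strong = verify_cookie(strong, cookie)

    return {
        "weak_secret_passes_check": secret_is_acceptable(weak),
        "strong_secret_passes_check": secret_is_acceptable(strong),
        "cookie_accepted_with_weak_secret": accepted_under_weak == session,
        "cookie_accepted_with_strong_secret": accepted_under_strong is not None,
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The takeaway for remediation is the second half of demonstrate(): the fix is not a different MAC construction but a secret that is generated per installation from a CSPRNG, which is why the advisory's workaround and the 2.8.0 upgrade both centre on regenerating that value.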

Solution

Upgrade to Puppet Enterprise 2.8.0, or use the workaround listed in the advisory for CVE-2013-2716.

See Also

http://charlie.bz/blog/rails-3.2.10-remote-code-execution

https://puppet.com/security/cve/cve-2013-2716

Plugin Details

Severity: High

ID: 66235

File Name: puppet_enterprise_console_rce.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 4/26/2013

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2013-2716

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:puppetlabs:puppet

Required KB Items: www/puppet_enterprise_console

Exploit Ease: No exploit is required

Patch Publication Date: 3/28/2013

Vulnerability Publication Date: 3/28/2013

Reference Information

CVE: CVE-2013-2716

BID: 58811