Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 15 Oct 2013 23:54:03 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request for saltstack minion identity usurpation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/11/2013 04:26 PM, Michael Scherer wrote:
> Hi,
> 
> While looking for saltstack issues on github, i stumbled on this
> pull request : https://github.com/saltstack/salt/pull/7356
> 
> It seems that saltstack, a client/server configuration system (
> like puppet, chef, cfengine ) allowed to have any minions ( agent
> on the server to be configured ) to masquerade itself as any others
> agents when requesting stuff from the master ( ie, main server ). 
> While I didn't fully check, this would permit a compromised server
> to request data from another server, thus leading to potential
> informations leak ( like passwword, etc ).
> 
> Can a CVE be assigned, and I will pass it to upstream on the bug 
> report ?

Ok mmcallis@ researched these and found:

CVE-2013-4435 saltstack Insufficient argument validation in several
modules

CVE-2013-4436 saltstack MITM ssh attack on salt-ssh

CVE-2013-4437 saltstack Insecure usage of a predictable directory in
/tmp and on minion (CVE MERGE of two tmp issues)

CVE-2013-4438 saltstack pillar.ext or qemu_nbd.clear yaml string RCE

CVE-2013-4439 saltstack minion identity usurpation

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSXin7AAoJEBYNRVNeJnmTYV4QANwk6y4hTI8UFKEqqTZ+XFiS
EEhtUzbX/THCie8PBbpB037HmD3Z86kz84mfllwxFTykXLDAcPOcHYcnAsVlUs9s
o+Ry3tOVbmjeOjUAVlfwS1JQVUvLCQJPh/vp/239S6o4Z+Z8Hdvfi+yb47MCKr/n
npr2mh6eYP7tStkfu3DjrMZarn7nPZgEfEidMHJdRTu7ZsBaOpfoEABHlCFC2Squ
FmcptHW77a8t2jViVRQdO1evMzWL7eDZyp2gRSi8+iw2PuJkBviudjSM2nZHBnKC
bi1AaqSLmoUgVnRQlMZHSR8XNhzIvJLeV4lvD6DULFkm+/7I9q3xh9Bg4zsxz+4F
jazMrwdMm/ImKBV/s8KjUUSsBBe5hrX+lxjHgWSs9ZGhS86N/xNB+Him+lNT5B6f
1pMCdL5yG5tm5OqsW7IFXszYT4IqoROR8wv07prsurG9uZEv9TqVKGsByqF2gG4D
pL5G60dXn0q5lzAYOuaBOdhJIDqvkgaAJ5Ze/VvCWvySpdGw/amC7RlPKfotYOb/
fLOd3u2kSMnQx8OSr8IFGBQjU5US4kIs5eNsJbHrBML1AovdeVHkT5H3y8F4OLyI
ytj5/+FFh/Ai9tqi1+uR7enBBPQsJTUeao3lABc7wSyjYd/YHHMK2v9X5FeefW4Z
IRnhb2BLOTezJ74QqgqV
=XKMC
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ