Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 18 Oct 2013 13:59:37 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, Michael Scherer <mscherer@...hat.com>,
        info@...tstack.com
Subject: Re: CVE request for saltstack minion identity usurpation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/16/2013 12:20 AM, Kurt Seifried wrote:
> On 10/15/2013 11:54 PM, Kurt Seifried wrote:
>> On 10/11/2013 04:26 PM, Michael Scherer wrote:
>>> Hi,
> 
>>> While looking for saltstack issues on github, i stumbled on
>>> this pull request :
>>> https://github.com/saltstack/salt/pull/7356
> 
>>> It seems that saltstack, a client/server configuration system (
>>>  like puppet, chef, cfengine ) allowed to have any minions ( 
>>> agent on the server to be configured ) to masquerade itself as 
>>> any others agents when requesting stuff from the master ( ie, 
>>> main server ). While I didn't fully check, this would permit a 
>>> compromised server to request data from another server, thus 
>>> leading to potential informations leak ( like passwword, etc
>>> ).
> 
>>> Can a CVE be assigned, and I will pass it to upstream on the
>>> bug report ?
> 
>> Ok mmcallis@ researched these and found:
> 
>> CVE-2013-4435 saltstack Insufficient argument validation in 
>> several modules
> 
>> CVE-2013-4436 saltstack MITM ssh attack on salt-ssh
> 
>> CVE-2013-4437 saltstack Insecure usage of a predictable
>> directory in /tmp and on minion (CVE MERGE of two tmp issues)
> 
>> CVE-2013-4438 saltstack pillar.ext or qemu_nbd.clear yaml string 
>> RCE
> 
> Argh. The above are currently embargoed, I misunderstood and
> thought they were public (along with the following one). My
> apologies, especially to upstream and users of saltstack. Adding
> saltstack info@ to the CC (can't find a security address).
> 
>> CVE-2013-4439 saltstack minion identity usurpation

These issues re now public:

http://docs.saltstack.com/topics/releases/0.17.1.html


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSYZMpAAoJEBYNRVNeJnmTXoMQANz9+Q6mpW6LhyN4l2a8HIg5
ILkk3EGr38/QcE+AFSjh13TF1KvWIcOE+XxevkExYzSrrPzJerY87uX89yTLXBUy
JsDjPbUvv9QjtS7Imf3SWtcnL9AZ7BrUHwXBc0dIqB2tUdlbU2d1LNqfCM77pRaO
8y9B8LM429dnauAh5am+3k7D0rOpXuIjEoZ73YDw+XktWQAgUDf85ImUtXiDZ4w1
WQocOmFdHAAIA8Ymo3xqSi61CAxmKqQvdaOZR/LN+v6LeZD+bDJnJyYb3pCt6QCK
05wlSPYmTPQSfuCO1o0lOK1Y2gHomfFFZXqrl4DejqC4krXN/z20QM7stPAfjXSH
pBlPZjj8+Ga2a2+p4Ju/4AdMANq5WT7JRORCf8HO3tEYB+F3SVDKdCA8pCEfXq6h
lCwcPpxAwWy+fFTxoE4fi2And8i82dHRyRAUmG9VNpuxQSvRjmWy52tRuEjPAXfg
KvvgGCtj/0BpGmXbgRZLp9xdy3YiP3Hzzjp7oxAdO145oOt/UleTPJ5eWUiMYOQ6
6cEwewBb1Jrr9/95NQRdmewXJ7ZIEGzjsRh3QAcScVTM8oqUfVYBvzkzL747324a
AH5yoB1IxNHbqoTwMYZC9HKHPKQ+HSfAovTnk+U6t4tWnh15DBthzx2g9lEZOH+R
BYYDlu7Bz/jUp0nSsXgR
=MkNI
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ