Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 18 Oct 2013 13:59:37 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, Michael Scherer <mscherer@...hat.com>,
        info@...tstack.com
Subject: Re: CVE request for saltstack minion identity usurpation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/16/2013 12:20 AM, Kurt Seifried wrote:
> On 10/15/2013 11:54 PM, Kurt Seifried wrote:
>> On 10/11/2013 04:26 PM, Michael Scherer wrote:
>>> Hi,
> 
>>> While looking for saltstack issues on github, i stumbled on
>>> this pull request :
>>> https://github.com/saltstack/salt/pull/7356
> 
>>> It seems that saltstack, a client/server configuration system (
>>>  like puppet, chef, cfengine ) allowed to have any minions ( 
>>> agent on the server to be configured ) to masquerade itself as 
>>> any others agents when requesting stuff from the master ( ie, 
>>> main server ). While I didn't fully check, this would permit a 
>>> compromised server to request data from another server, thus 
>>> leading to potential informations leak ( like passwword, etc
>>> ).
> 
>>> Can a CVE be assigned, and I will pass it to upstream on the
>>> bug report ?
> 
>> Ok mmcallis@ researched these and found:
> 
>> CVE-2013-4435 saltstack Insufficient argument validation in 
>> several modules
> 
>> CVE-2013-4436 saltstack MITM ssh attack on salt-ssh
> 
>> CVE-2013-4437 saltstack Insecure usage of a predictable
>> directory in /tmp and on minion (CVE MERGE of two tmp issues)
> 
>> CVE-2013-4438 saltstack pillar.ext or qemu_nbd.clear yaml string 
>> RCE
> 
> Argh. The above are currently embargoed, I misunderstood and
> thought they were public (along with the following one). My
> apologies, especially to upstream and users of saltstack. Adding
> saltstack info@ to the CC (can't find a security address).
> 
>> CVE-2013-4439 saltstack minion identity usurpation

These issues re now public:

http://docs.saltstack.com/topics/releases/0.17.1.html


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSYZMpAAoJEBYNRVNeJnmTXoMQANz9+Q6mpW6LhyN4l2a8HIg5
ILkk3EGr38/QcE+AFSjh13TF1KvWIcOE+XxevkExYzSrrPzJerY87uX89yTLXBUy
JsDjPbUvv9QjtS7Imf3SWtcnL9AZ7BrUHwXBc0dIqB2tUdlbU2d1LNqfCM77pRaO
8y9B8LM429dnauAh5am+3k7D0rOpXuIjEoZ73YDw+XktWQAgUDf85ImUtXiDZ4w1
WQocOmFdHAAIA8Ymo3xqSi61CAxmKqQvdaOZR/LN+v6LeZD+bDJnJyYb3pCt6QCK
05wlSPYmTPQSfuCO1o0lOK1Y2gHomfFFZXqrl4DejqC4krXN/z20QM7stPAfjXSH
pBlPZjj8+Ga2a2+p4Ju/4AdMANq5WT7JRORCf8HO3tEYB+F3SVDKdCA8pCEfXq6h
lCwcPpxAwWy+fFTxoE4fi2And8i82dHRyRAUmG9VNpuxQSvRjmWy52tRuEjPAXfg
KvvgGCtj/0BpGmXbgRZLp9xdy3YiP3Hzzjp7oxAdO145oOt/UleTPJ5eWUiMYOQ6
6cEwewBb1Jrr9/95NQRdmewXJ7ZIEGzjsRh3QAcScVTM8oqUfVYBvzkzL747324a
AH5yoB1IxNHbqoTwMYZC9HKHPKQ+HSfAovTnk+U6t4tWnh15DBthzx2g9lEZOH+R
BYYDlu7Bz/jUp0nSsXgR
=MkNI
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.