Date: Fri, 25 Nov 2016 09:17:48 -0500
From: <cve-assign@...re.org>
To: <jsegitz@...e.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: salt confidentiality issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> under certain
> circumstances Salt commands can reach, read data from and write data to
> both minions ("original" and "impostor").

> ## 10. Here is the bug: minion1 is still accepted and responding.
> We could run any command for minion2, but minion1 will listen,
> execute and respond to them too, not only the accepted minion2.

> this is fixed by the 'rotate_aes_key' parameter
> that was introduced in 2015.8.11 to correct this issue

Use CVE-2016-9639 for the vulnerability fixed in 2015.8.11.

> the user would have to change that to be vulnerable

There is no CVE ID for the behavior (in current versions) of accepting
impostors in a "rotate_aes_key: False" configuration. The documentation
fully explains the impostor risk in that configuration.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYOEd1AAoJEHb/MwWLVhi2QdkP/3SEMFkzKwGZvwvUrqZ/wB6U
7xOuKbfKcTTHa4Fg4luHyQESeSXigrcHf4P8LqTEQIlxdGYcpIft7NRvDvKR77P/
UuWKIm5neHQjhKveYRm03QqZr43TXZW5K8V91kU7JM98Hak8gJZSgQezm0W8fzOv
Eog2xlV/Yw7vgTckUKw/0E/IugAeV6gJU4LP/cgI47vXxJHm5L4xSE2ueEMF6v2W
LH/hv+ywAemjhkg3Tu2DsZ0K+Wxe13tycSgVMVAO9GUA2HQVhShH8f9xhxMseg3m
BUUq+GpL1PLMLlhR5YoEH3mFvnBzL2BYMtBGrdwIxymgsC4OLieI1ETkHffOs+IJ
NMtC4YqHSZsE6zWP2sWpwnGD1bj6ErsrfrSOc+bsfpwhCwB0pSRaebXfjrqVwA55
fmlbCNDMAOgfYvcjDm2FWnDFVapKi5NHMuUuISHXjzQXeLtPoGuvdZQKSWcdkDVI
V/rBy0+0BtuA3aFMQTTtcevoFALyN+PIhwJwJ1xFdqJTtkY2S5TP8RAKEPfpTcU1
H+zQPWDT5CArOY+jFDgcpHKDhBi+gsJ9alJLDPA5taaCDcP/7hDQ4GSJlz5bLpzy
LZZIfhXKBdWl6r2Lk9Ct4L05agWIgPlMOPxe1RG4rv68uCdVJoKqtYu4yWp/wAlj
bJ+rXv6yW0GRshGrszMC
=vAVo
-----END PGP SIGNATURE-----
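The assignment above hinges on one master option: a master with the fix for CVE-2016-9639 rotates its AES key when a minion key is deleted or rejected, so the explicitly configured "rotate_aes_key: False" is the only remaining way to keep the impostor behaviour. The following audit script is an added example, not code from this e-mail, from MITRE or from the Salt project. It assumes the master config is a flat YAML file such as /etc/salt/master with the option at top level, that PyYAML's boolean spellings (true/false, yes/no, on/off) are what Salt accepts for it, and that an absent key means the post-2015.8.11 default of True; the sample configs inside the block are constructed for illustration.

```python
import re

# Spellings PyYAML (which Salt uses to load its config) reads as booleans.
_FALSE_WORDS = {"false", "no", "off"}
_TRUE_WORDS = {"true", "yes", "on"}

# Top-level key only: an indented 'rotate_aes_key' would belong to a nested
# mapping and is not the master option. Trailing '# comment' is ignored.
_OPTION = re.compile(r"^rotate_aes_key\s*:\s*(?P<value>[^#]*?)\s*(?:#.*)?$")


def parse_rotate_aes_key(config_text):
    """Return True/False for an explicit setting, None when the option is absent.

    The last occurrence wins, which is how PyYAML resolves duplicate keys.
    A value that is not a YAML boolean raises, because it will not behave the
    way the administrator expects.
    """
    value = None
    for line in config_text.splitlines():
        m = _OPTION.match(line)
        if not m:
            continue
        word = m.group("value").strip().strip("'\"").lower()
        if word in _FALSE_WORDS:
            value = False
        elif word in _TRUE_WORDS:
            value = True
        else:
            raise ValueError("unrecognised rotate_aes_key value: %r" % m.group("value"))
    return value


def rotate_disabled(config_text):
    """True only when rotation has been explicitly switched off.

    Assumption: on 2015.8.11 and later the option defaults to True, so an
    absent key means deleted or rejected minions lose the shared AES key.
    """
    return parse_rotate_aes_key(config_text) is False


def harden(config_text):
    """Return the config with a single 'rotate_aes_key: True' line."""
    lines = []
    seen = False
    for line in config_text.splitlines():
        if _OPTION.match(line):
            if not seen:
                lines.append("rotate_aes_key: True")
                seen = True
            continue  # drop duplicates so exactly one setting remains
        lines.append(line)
    if not seen:
        lines.append("rotate_aes_key: True")
    return "\n".join(lines) + "\n"


# Constructed sample master configs (not taken from any real deployment).
WEAK_CONFIG = (
    "interface: 0.0.0.0\n"
    "# AES key rotation switched off: a deleted minion keeps the key\n"
    "rotate_aes_key: False\n"
)
SAFE_CONFIG = "interface: 0.0.0.0\nrotate_aes_key: True\n"
DEFAULT_CONFIG = "interface: 0.0.0.0\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("safe", SAFE_CONFIG),
                      ("default", DEFAULT_CONFIG)):
        print("%-7s rotation disabled: %s" % (name, rotate_disabled(cfg)))
    print(harden(WEAK_CONFIG), end="")
```

Run it against a real master by reading /etc/salt/master into `rotate_disabled`; the script only reads the file, and `harden` returns the corrected text rather than writing it, so the change can be reviewed before the master is restarted.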
