CVE-2020-7942

puppet: Arbitrary catalog retrieval

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 6.x prior to 6.13.0 Puppet Agent 6.x prior to 6.13.0 Puppet 5.5.x prior to 5.5.19 Puppet Agent 5.5.x prior to 5.5.19 Resolved in: Puppet 6.13.0 Puppet Agent 6.13.0 Puppet 5.5.19 Puppet Agent 5.5.19

Anteriormente, Puppet operaba en un modelo en el que un nodo con un certificado válido tenía derecho a toda la información del sistema y que un certificado comprometido permitía el acceso a todo en la infraestructura. Cuando el catálogo de un nodo retrocede al nodo "default", el catálogo puede ser recuperado para un nodo diferente mediante la modificación de datos para una ejecución de Puppet. Este problema puede ser mitigado al configurar "strictly_hostname_checking = true" en "puppet.conf" en su maestro de Puppet. Puppet versión 6.13.0 y versión 5.5.19 cambia el comportamiento predeterminado para el strict_hostname_checking de falso a verdadero. Se recomienda que los usuarios de Puppet Open Source y Puppet Enterprise que no están actualizando establezcan stric_nombre_host_checking en verdadero para garantizar un comportamiento seguro. Versiones de software afectadas: Puppet versión 6.x en versiones anteriores a la 6.13.0 Puppet Agent versión 6.x en versiones anteriores a la 6.13.0 Puppet versión 5.5.x en versiones anteriores a la 5.5.19 Puppet Agent versión 5.5.x en versiones anteriores a la 5.5.19 Resuelto en: Puppet versión 6.13.0 Puppet Agente versión 6.13.0 Puppet versión 5.5.19 Puppet Agent versión 5.5.19.

A flaw was found in Puppet, where changes in the application lead to node declarations having increased access. An attacker can use this flaw to modify run facts and to retrieve different nodes of information when the `strict_hostname_checking` is false, and the node's catalog falls back to the `default` node.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-01-23 CVE Reserved
2020-02-19 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-295: Improper Certificate Validation
CWE-297: Improper Validation of Certificate with Host Mismatch

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://puppet.com/security/cve/CVE-2020-7942	2021-12-30
https://access.redhat.com/security/cve/CVE-2020-7942	2020-10-27
https://bugzilla.redhat.com/show_bug.cgi?id=1816720	2020-10-27

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Puppet Search vendor "Puppet"		Puppet Search vendor "Puppet" for product "Puppet"				>= 5.5.0 < 5.5.19 Search vendor "Puppet" for product "Puppet" and version " >= 5.5.0 < 5.5.19"		-		Affected
Puppet Search vendor "Puppet"		Puppet Search vendor "Puppet" for product "Puppet"				>= 6.0.0 < 6.13.0 Search vendor "Puppet" for product "Puppet" and version " >= 6.0.0 < 6.13.0"		-		Affected
Puppet Search vendor "Puppet"		Puppet Agent Search vendor "Puppet" for product "Puppet Agent"				>= 5.5.0 < 5.5.19 Search vendor "Puppet" for product "Puppet Agent" and version " >= 5.5.0 < 5.5.19"		-		Affected
Puppet Search vendor "Puppet"		Puppet Agent Search vendor "Puppet" for product "Puppet Agent"				>= 6.0.0 < 6.13.0 Search vendor "Puppet" for product "Puppet Agent" and version " >= 6.0.0 < 6.13.0"		-		Affected