CVSS2
Attack Vector
LOCAL
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
69.4%
According to its self-reported version number, the Puppet install on the remote host is affected by multiple vulnerabilities :
A privilege escalation vulnerability related to input validation and paths exists in the bundled Ruby environment. An attacker could trick a privileged user into executing arbitrary code by convincing the user to change directories and then run Puppet.
(CVE-2014-3248)
An error exists related to the console role that could allow unauthenticated users to obtain sensitive information by hiding and unhiding nodes. Note that this issue only affects Puppet Enterprise installs.
(CVE-2014-3249)
An error exists related to configurations including Apache 2.4 and the mod_ssl ‘SSLCARevocationCheck’ that could allow an attacker to obtain sensitive information. Note that this issue does not affect Puppet Enterprise installs. (CVE-2014-3250)
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(76344);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_cve_id("CVE-2014-3248", "CVE-2014-3249", "CVE-2014-3250");
script_bugtraq_id(68035, 68037);
script_name(english:"Puppet < 2.7.26 / 3.6.2 and Enterprise 2.8.x < 2.8.7 Multiple Vulnerabilities");
script_summary(english:"Checks puppet version.");
script_set_attribute(attribute:"synopsis", value:
"A web application on the remote host is affected by multiple
vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Puppet install on
the remote host is affected by multiple vulnerabilities :
- A privilege escalation vulnerability related to input
validation and paths exists in the bundled Ruby
environment. An attacker could trick a privileged user
into executing arbitrary code by convincing the user to
change directories and then run Puppet.
(CVE-2014-3248)
- An error exists related to the console role that could
allow unauthenticated users to obtain sensitive
information by hiding and unhiding nodes. Note that
this issue only affects Puppet Enterprise installs.
(CVE-2014-3249)
- An error exists related to configurations including
Apache 2.4 and the mod_ssl 'SSLCARevocationCheck' that
could allow an attacker to obtain sensitive
information. Note that this issue does not affect
Puppet Enterprise installs. (CVE-2014-3250)");
script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2014-3248");
script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2014-3249");
script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2014-3250");
script_set_attribute(attribute:"solution", value:
"Upgrade to Puppet 2.7.26 / 3.6.2 or Puppet Enterprise 2.8.7 or later.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-3248");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/10");
script_set_attribute(attribute:"patch_publication_date", value:"2014/06/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/02");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("puppet_rest_detect.nasl");
script_require_keys("puppet/rest_port");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
##
# checks if the given version falls between the given bounds, and
# generates plugin output if it does
#
# @anonparam ver version to check
# @anonparam fix first fixed version
# @anonparam min_ver the lowest/earliest vulnerable version, relative to 'fix' (optional)
#
# @return plugin output if 'ver' is vulnerable relative to 'fix' and/or 'min_ver',
# NULL otherwise
##
function _check_version(enterprise)
{
local_var ver, fix, min_ver, major_ver, report;
ver = _FCT_ANON_ARGS[0];
fix = _FCT_ANON_ARGS[1];
min_ver = _FCT_ANON_ARGS[2];
if (
# no lower bound
(
isnull(min_ver) &&
ver_compare(ver:ver, fix:fix, strict:FALSE) < 0
) ||
# lower bound
(
!isnull(min_ver) &&
ver_compare(ver:ver, fix:fix, strict:FALSE) < 0 &&
ver_compare(ver:ver, fix:min_ver, strict:FALSE) >= 0
)
)
{
if (enterprise)
{
report =
'\n Installed version : Puppet Enterprise ' + ver +
'\n Fixed version : Puppet Enterprise ' + fix + '\n';
}
else
{
report =
'\n Installed version : Puppet Open Source ' + ver +
'\n Fixed version : Puppet Open Source ' + fix + '\n';
}
}
else report = FALSE;
return report;
}
port = get_kb_item_or_exit('puppet/rest_port');
ver = get_kb_item_or_exit('puppet/' + port + '/version');
report = FALSE;
if ('Enterprise' >< ver)
{
app_name = "Puppet Enterprise";
match = eregmatch(string:ver, pattern:"Enterprise ([0-9.]+)\)");
if (isnull(match)) audit(AUDIT_UNKNOWN_WEB_APP_VER, app_name, build_url(port:port));
ver = match[1];
# Resolved in Puppet Enterprise 2.8.7
report = _check_version(ver, '2.8.7', "2.8", enterprise:TRUE);
}
else
{
# Do not run against open source unless scan is paranoid
if (report_paranoia < 2) audit(AUDIT_PARANOID);
app_name = "Puppet";
# sanity check - make sure the version doesn't include letters or anything else unexpected
match = eregmatch(string:ver, pattern:"^([0-9.]+)$");
if (isnull(match)) audit(AUDIT_NONNUMERIC_VER, app_name, port, ver);
ver = match[1];
# Resolved in Puppet 2.7.26, 3.6.2
report = _check_version(ver, '2.7.26', '0.0');
if (!report)
report = _check_version(ver, '3.6.2', '3.0');
}
if (!report) audit(AUDIT_LISTEN_NOT_VULN, app_name, port, ver);
if (report_verbosity > 0) security_warning(port:port, extra:report);
else security_warning(port);
CVSS2
Attack Vector
LOCAL
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
69.4%