A vulnerability was found in puppetlabs-apache up to 1.11.0/2.0.x (Service Management Software). It has been rated as critical. This issue affects an unknown part. The manipulation of the argument ssl_certs_dir with an unknown input leads to a 7pk security vulnerability. Using CWE to declare the problem leads to CWE-254. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Versions of the puppetlabs-apache module prior to 1.11.1 and 2.1.0 make it very easy to accidentally misconfigure TLS trust. If you specify the `ssl_ca` parameter but do not specify the `ssl_certs_dir` parameter, a default will be provided for the `ssl_certs_dir` that will trust certificates from any of the system-trusted certificate authorities. This did not affect FreeBSD.

The bug was discovered 09/13/2017. The weakness was shared 09/15/2017 (Website). It is possible to read the advisory at puppet.com. The identification of this vulnerability is CVE-2017-2299 since 12/01/2016. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1211 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 2 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 1.11.1 or 2.1.0 eliminates this vulnerability.

Not Affected

• FreeBSD

Productinfo

Type

• Service Management Software

Name

• puppetlabs-apache

Version

• 1.0
• 1.1
• 1.2
• 1.3
• 1.4
• 1.5
• 1.6
• 1.7
• 1.8
• 1.9
• 1.10
• 1.11
• 2.0

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion