Platform
ruby
Component
puppet
Fixed in
2.7.22
CVE-2013-3567 is a remote code execution (RCE) vulnerability affecting Puppet configuration management software. This flaw allows attackers to execute arbitrary code by crafting malicious REST API calls that exploit insecure deserialization of YAML data. The vulnerability impacts Puppet versions 2.7.x before 2.7.22, 3.2.x before 3.2.2, and Puppet Enterprise versions before 2.8.2. A fix is available in Puppet 2.7.22 and later.
The impact of CVE-2013-3567 is severe, as it enables remote code execution on systems running vulnerable Puppet agents or master servers. An attacker could leverage this vulnerability to gain complete control over the affected system, potentially leading to data breaches, system compromise, and lateral movement within the network. The vulnerability stems from Puppet's deserialization of untrusted YAML data received through the REST API. This allows an attacker to instantiate arbitrary Ruby classes, effectively executing arbitrary code. This vulnerability shares similarities with other deserialization vulnerabilities, highlighting the importance of carefully validating all external input.
CVE-2013-3567 was publicly disclosed in 2017. While no active exploitation campaigns have been definitively linked to this specific CVE, the potential for remote code execution makes it a high-priority vulnerability. Public proof-of-concept exploits are available, demonstrating the feasibility of exploitation. It was added to the CISA KEV catalog, indicating a heightened risk of exploitation. The vulnerability's age and the availability of exploits suggest that it remains a potential target for attackers.
Organizations heavily reliant on Puppet for configuration management are at significant risk. This includes environments with complex infrastructure, sensitive data, and a large number of managed nodes. Legacy Puppet deployments, particularly those running older versions due to compatibility constraints, are especially vulnerable. Shared hosting environments where multiple users share a Puppet master instance are also at increased risk.
• ruby / server:
ps aux | grep puppet
Check the running Puppet version with puppet --version. If it's below 2.7.22, the system is vulnerable.
• ruby / supply-chain:
Review Puppet modules and code for any custom deserialization routines that might be vulnerable to similar attacks.
• generic web:
Monitor Puppet master server logs for unusual REST API requests or errors related to YAML parsing.
Exploit status
EPSS
6.46% (91st percentile)
The primary mitigation for CVE-2013-3567 is to upgrade to Puppet version 2.7.22 or later. If upgrading immediately is not feasible, consider restricting access to the Puppet REST API to trusted sources only. Implement strict input validation on all data received through the API, specifically scrutinizing YAML payloads. While not a direct fix, employing a Web Application Firewall (WAF) with rules to detect and block malicious YAML deserialization attempts can provide an additional layer of defense. After upgrading, verify the fix by attempting to trigger the vulnerability with a known malicious YAML payload and confirming that it is rejected.
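The input-validation step described above, as an added example that is not code from Puppet or its advisory: it refuses YAML that carries explicit type tags and loads the remainder with Psych's safe_load. The names yaml_tags and load_untrusted and the sample payloads are hypothetical, and the code assumes a current Ruby where Psych.safe_load accepts the permitted_classes keyword.

```ruby
require 'psych'

# Constructed sample inputs for this example (not real Puppet traffic).
PLAIN_FACTS = "---\nhostname: web01\nosfamily: Debian\n"
TAGGED_DOC  = "--- !ruby/object:SomeApp::Widget\nname: x\n"

# Collect every explicit YAML tag by walking the parse tree.
# Psych.parse_stream only builds nodes; no Ruby objects are instantiated.
def yaml_tags(text)
  Psych.parse_stream(text).each
       .map { |node| node.tag if node.respond_to?(:tag) }
       .compact.uniq
end

# Hypothetical gatekeeper for untrusted YAML: reject any tagged document, then
# load the rest with safe_load so only plain scalars, arrays and hashes result.
# Returns [:ok, data] or [:rejected, reasons].
def load_untrusted(text)
  tags = yaml_tags(text)
  return [:rejected, tags] unless tags.empty?

  data = Psych.safe_load(text, permitted_classes: [], permitted_symbols: [],
                               aliases: false)
  [:ok, data]
rescue Psych::Exception => e
  # Syntax errors, disallowed classes and aliases all end up here.
  [:rejected, [e.class.name]]
end

if __FILE__ == $PROGRAM_NAME
  [PLAIN_FACTS, TAGGED_DOC].each { |doc| p load_untrusted(doc) }
end
```

Logging the rejection reasons gives the kind of YAML-parsing signal the log monitoring note above refers to.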
No official patch available. Check for workarounds or monitor for updates.
CVE-2013-3567 is a remote code execution vulnerability in Puppet versions ≤2.7.9 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2. It allows attackers to execute arbitrary code via crafted REST API calls.
You are affected if you are running Puppet versions 2.7.x before 2.7.22, 3.2.x before 3.2.2, or Puppet Enterprise before 2.8.2.
Upgrade Puppet to version 2.7.22 or later. Restrict access to the Puppet REST API and validate all input data.
While no confirmed active campaigns are publicly known, the vulnerability's nature and the availability of PoCs suggest it remains a potential risk.
Refer to the Puppet security advisory: https://puppet.com/security/advisories/puppet-security-advisory-2017-0007