oss-sec mailing list archives
Re: CVE request for saltstack minion identity usurpation
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 15 Oct 2013 23:54:42 -0600
On 10/11/2013 04:26 PM, Michael Scherer wrote:
Hi,

While looking for saltstack issues on github, I stumbled on this pull request: https://github.com/saltstack/salt/pull/7356

It seems that saltstack, a client/server configuration system (like puppet, chef, cfengine), allowed any minion (agent on the server to be configured) to masquerade as any other agent when requesting stuff from the master (i.e., main server).

While I didn't fully check, this would permit a compromised server to request data from another server, thus leading to a potential information leak (like password, etc.).

Can a CVE be assigned, and I will pass it to upstream on the bug report?

See previous email, but once again for clarity/archives:

CVE-2013-4439 saltstack minion identity usurpation

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993