Puppet Agent / PA-2019

Privilege escalation via %ProgramData%\PuppetLabs on Windows

Details

    • Coremunity
    • CVE-2018-6513
    • Platform Core KANBAN
    • Needs Assessment
    • 32744
    • 1
    • Security Fix
    • Restrict permissions to some directories within C:\ProgramData\PuppetLabs so that only LocalSystem and members of the local Administrators group have access.
    • Needs Assessment

    Description

      Unprivileged users can write custom Ruby facts to %ProgramData%\PuppetLabs\code\modules\<module>\lib\facter\<fact>.rb; the next time the puppet service runs, it loads and executes those facts with its own privileges, so the user escalates privileges.

      At a minimum, %ProgramData%\PuppetLabs should not be writable by unprivileged users, similar to what we do for facts.d.

      It should probably not be readable or traversable either, since the directory contains puppet, pxp-agent and mcollective configuration and logs.

      When running as an unprivileged user, facter, puppet, etc. should always use the per-user directory ~/.puppetlabs instead.
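      An added audit check for the condition described above (it is not code from the PA-2019 ticket or the Puppet project): it walks %ProgramData%\PuppetLabs and reports every Allow ACE that grants write-class rights to a principal other than LocalSystem or the local Administrators group. The allowed-SID list and the function name Find-UnexpectedWriteAccess are assumptions made for this example.

```powershell
# Added audit check, not code from the PA-2019 ticket or the Puppet project.
# Walks %ProgramData%\PuppetLabs and reports Allow ACEs that grant write-class
# rights to any principal other than LocalSystem or BUILTIN\Administrators,
# which is the condition the ticket's fix is meant to remove.
$root = Join-Path $env:ProgramData 'PuppetLabs'

# Assumption: only these well-known SIDs are expected to hold write access.
$allowedSids = @('S-1-5-18', 'S-1-5-32-544')   # LocalSystem, BUILTIN\Administrators

# Any bit in Write (CreateFiles, CreateDirectories, WriteAttributes, ...) lets a
# caller drop a file such as a custom fact; Modify and FullControl include them.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write

function Find-UnexpectedWriteAccess {   # hypothetical name, defined here
    param([Parameter(Mandatory)][string]$Path)

    # The root itself plus every subdirectory, including hidden ones.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Resolve identities to SIDs so renamed or localised group names do not skew the comparison.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
            if ($allowedSids -contains $ace.IdentityReference.Value) { continue }

            # Best-effort friendly name for the report; keep the SID if translation fails.
            try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $ace.IdentityReference.Value }

            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Find-UnexpectedWriteAccess -Path $root | Format-Table -AutoSize
```

      Run it from an elevated prompt so every subdirectory's ACL can be read; a non-empty report shows where the fix described in this ticket (restricting the directory to LocalSystem and Administrators) has not been applied.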

      People: Josh Cooper