Uploaded image for project: 'Puppet Agent'
  1. Puppet Agent
  2. PA-2019

Privilege escalation via %ProgramData%\PuppetLabs on Windows

    Details

    • Template:
    • Team:
      Coremunity
    • CVE-ID:
      CVE-2018-6513
    • Sprint:
      Platform Core KANBAN
    • Method Found:
      Needs Assessment
    • Release Notes:
      Security Fix
    • Release Notes Summary:
      Restrict permissions to some directories within C:\ProgramData\PuppetLabs so that only LocalSystem and members of the local Administrators group have access.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Unprivileged users can write custom ruby facts to %ProgramData%\PuppetLabs\code\modules\<module>\lib\facter\<fact>.rb and escalate privileges the next time the puppet service runs.

      At a minimum %ProgramData%\PuppetLabs should not be writable by unprivileged users, similar to what we do for facts.d.

      It should probably not be readable or traversable as the directory contains puppet, pxp-agent and mcollective configuration and logs.

      When running as an unprivileged user, facter, puppet, etc should always use the per-user directory ~/.puppetlabs.

        Attachments

          Issue Links

            Activity

              jsd-sla-details-panel

                People

                • Assignee:
                  josh Josh Cooper
                  Reporter:
                  josh Josh Cooper
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: