[PUP-8707] Default basemodulepath should exclude /opt on Windows - Puppet Tickets

Details

Type: Bug
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: PUP 4.10.12, PUP 5.3.7, PUP 5.5.2
Component/s: None
Labels:
- security

Template:
PUP Bug Template customfield_10700 249893
Epic Link:
2018 Security Fixes
Team:
Coremunity
CVE-ID:
CVE-2018-6513
Sprint:
Platform Core KANBAN
Method Found:
Needs Assessment

Release Notes:
Security Fix
Release Notes Summary:
Puppet on Windows no longer includes /opt/puppetlabs/puppet/modules in its default basemodulepath as unprivileged users could create a {{C:\opt}} directory and escalate privileges.

QA Risk Assessment:
Needs Assessment

Description

On Windows, basemodulepath defaults to C:/ProgramData/PuppetLabs/code/modules;C:/opt/puppetlabs/puppet/modules when running as a privileged user. An unprivileged user can drop a custom ruby fact into C:/opt/puppetlabs/puppet/modules/<module>/lib/facter/<fact>.rb and escalate privileges the next time the puppet service runs. This is possible because Windows allows all users to create directories in C:/

The basemodulepath should not include /opt on Windows.

Attachments

Issue Links

relates to

PUP-4049 System module path should be a thing on Windows

Closed

Activity

People

Assignee:

Unassigned

Reporter:

Josh Cooper

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2018/05/09 11:10 AM

Updated:

2018/06/13 9:44 AM

Resolved:

2018/05/22 11:18 AM