Skip to main content

Improper Certificate Validation

CVE-2020-7942

Severity Medium
Score 6.5/10

Summary

Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 5.5.x prior to 5.5.19, and 6.x prior to 6.13.0. Puppet Agent 5.5.x prior to 5.5.19, and 6.x prior to 6.13.0.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • LOW
  • HIGH
  • NONE

CWE-295 - Improper Certificate Validation

The authenticity component of a web system stems from the ability to validate “Digital certificates”, which (i) establish trust between two or more entities sharing data over a network; (ii) ensure data at rest and transit is secure from unauthorized access; and (iii) check the identity of the actors that interact with the system. An application with absent or ineffective certificate validation mechanisms allows malicious users, impersonating trusted hosts, to manipulate the communication path between the client and the host, resulting in unauthorized access to data and to the application’s internal environment, and potentially enabling man-in-the-middle attacks.

Advisory Timeline

  • Published