CVE-2021-27023

9.8 CRITICAL

📋 TL;DR

This vulnerability in Puppet Agent and Puppet Server allows HTTP credentials to be leaked when following redirects to different hosts. Attackers could intercept authentication tokens or credentials during HTTP communication. All systems running vulnerable versions of Puppet software are affected.

💻 Affected Systems

Products:
  • Puppet Agent
  • Puppet Server
Versions: Puppet Agent 6.0.0 through 6.23.0, 7.0.0 through 7.9.0; Puppet Server 6.0.0 through 6.13.1, 7.0.0 through 7.5.1
Operating Systems: All supported operating systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all configurations where Puppet communicates over HTTP with authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to Puppet infrastructure, potentially compromising all managed nodes and enabling lateral movement across the network.

🟠 Likely Case

Credential theft leading to unauthorized access to Puppet-managed systems, configuration manipulation, or data exfiltration.

🟢 If Mitigated

Limited impact with proper network segmentation and credential rotation, though authentication tokens could still be exposed.

🌐 Internet-Facing: MEDIUM - Requires Puppet infrastructure to be internet-accessible or attackers to have network access to redirect traffic.
🏢 Internal Only: HIGH - Internal attackers or compromised systems could exploit this to escalate privileges across the Puppet-managed environment.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to intercept or redirect HTTP traffic between Puppet components. Similar to CVE-2018-1000007.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Puppet Agent 6.23.1+, 7.9.1+; Puppet Server 6.13.2+, 7.5.2+

Vendor Advisory: https://puppet.com/security/cve/CVE-2021-27023

Restart Required: Yes

Instructions:

1. Update Puppet Agent to 6.23.1+ or 7.9.1+
2. Update Puppet Server to 6.13.2+ or 7.5.2+
3. Restart Puppet services
4. Verify all nodes are reporting correctly

🔧 Temporary Workarounds

Disable HTTP redirects

all

Configure Puppet to not follow HTTP redirects to different hosts

puppet config set follow_redirects false --section agent

Use HTTPS only

all

Enforce HTTPS communication between all Puppet components

puppet config set server puppetserver.example.com --section agent
puppet config set ca_server ca.example.com --section agent

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Puppet traffic
  • Rotate all Puppet-related credentials and certificates immediately

🔍 How to Verify

Check if Vulnerable:

Check Puppet version: puppet --version and compare against affected ranges

Check Version:

puppet --version

Verify Fix Applied:

Verify version is 6.23.1+ or 7.9.1+ for Agent, 6.13.2+ or 7.5.2+ for Server
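
The range comparison described above can be scripted for fleet-wide checks. The following is an added example, not vendor tooling: the function names are hypothetical, the ranges are the ones listed on this page, and the sample versions in the loop are constructed. Versions outside the 6.x and 7.x lines are reported as not-listed rather than guessed at.

```shell
#!/bin/sh
# Added example: classify a version string against the ranges this page lists
# for CVE-2021-27023. Function names are hypothetical, not Puppet tooling.

# ver_key: "7.9.0-1focal" -> 7009000 (sortable integer); fails if unparsable.
ver_key() {
    printf '%s\n' "$1" | awk -F. '
        /^[0-9]+\.[0-9]+\.[0-9]+/ {
            sub(/[^0-9.].*$/, "")          # drop package suffixes
            printf "%d%03d%03d\n", $1, $2, $3; ok = 1
        }
        END { exit !ok }'
}

# cve_2021_27023_status COMPONENT VERSION
# COMPONENT is "agent" or "server". Prints one of:
#   affected | fixed | not-listed | unparsable
cve_2021_27023_status() {
    case "$1" in
        agent)  hi6=6023000 hi7=7009000 ;;   # 6.0.0-6.23.0, 7.0.0-7.9.0
        server) hi6=6013001 hi7=7005001 ;;   # 6.0.0-6.13.1, 7.0.0-7.5.1
        *) echo unparsable; return 0 ;;
    esac
    k=$(ver_key "$2") || { echo unparsable; return 0; }
    if   [ "$k" -lt 6000000 ] || [ "$k" -ge 8000000 ]; then echo not-listed
    elif [ "$k" -lt 7000000 ] && [ "$k" -le "$hi6" ];   then echo affected
    elif [ "$k" -ge 7000000 ] && [ "$k" -le "$hi7" ];   then echo affected
    else echo fixed
    fi
}

# Constructed sample inputs; on a real host pass the installed versions instead.
for pair in "agent 6.23.0" "agent 7.9.1" "server 7.5.1" "server 6.13.2"; do
    set -- $pair
    printf '%-6s %-8s %s\n' "$1" "$2" "$(cve_2021_27023_status "$1" "$2")"
done
```

On a managed node, cve_2021_27023_status agent "$(puppet --version)" classifies the installed agent.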

📡 Detection & Monitoring

Log Indicators:

  • Unusual redirect patterns in Puppet Server logs
  • Authentication failures from unexpected sources

Network Indicators:

  • HTTP traffic to unexpected destinations from Puppet agents
  • Redirect chains involving multiple hosts

SIEM Query:

source="puppet" AND (http_redirect OR status=3*)
