CVE-2011-3872
Puppet 2.6.x < 2.6.12 and 2.7.x < 2.7.6 - Certificate Spoofing via X.509 Subject Alternative Name Field
Exploitation Summary
EIP tracks 1 public exploit for CVE-2011-3872. PoCs published by puppetlabs-toy-chest.
AI-analyzed exploit summary
This repository contains a proof-of-concept exploit for CVE-2011-3872, which involves Puppet's certificate validation bypass. The code includes custom Facter facts and Puppet functions to manipulate certificate settings and migration states.
Description
Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."