Security For Everyone

Puppet Server Naive Signing Scanner

You can scan Puppet server to see whether naive signing is enabled by using this tool.

Short Info

Level

Low

Single Scan

Can be used by

Asset Owner

Estimated Time

15 seconds

Time Interval

2 months 2 days

Scan only one

Domain, IPv4, Subdomain

Toolbox

-

Detects if naive signing is enabled on a Puppet server. This enables attackers to create any Certificate Signing Request and have it signed, allowing them to impersonate as a puppet agent. This can leak the configuration of the agents as well as any other sensitive information found in the configuration files.

This script makes use of the Puppet HTTP API interface to sign the request.

This script has been Tested on versions 3.8.5, 4.10.

References:

https://docs.puppet.com/puppet/4.10/ssl_autosign.html#security-implications-of-nave-autosigning

Get started to protecting your Free Full Security Scan

Start trial See the plans