Three security smells: use MD5, binding to 0.0.0.0, and empty passwords

[akondasif]

Greetings,

I am a security researcher, who is looking for security smells in Puppet scripts. I noticed instances of MD5 uses in one of the Puppet scripts. MD5 is vulnerable to attacks, and should be avoided. The Common Weakness Enumeration organization recommends against usage of weak cryptographic algorithms such as MD5. Reff: https://cwe.mitre.org/data/definitions/327.html.

I suggest the use of SHA512 , which is more secure. Any feedback is appreciated.

Source: https://github.com/Vizir/carnival/blob/master/vagrant/modules/postgresql/manifests/role.pp

[akondasif]

I also noticed instances of binding to 0.0.0.0. Binding an address to 0.0.0.0 indicates allowing connections from all IP addresses. I would like to draw attention to these instances. Binding to 0.0.0.0 may lead to denial of service attacks. Practitioners have reported how binding to 0.0.0.0 facilitated security issues for MySQL (https://serversforhackers.com/c/mysql-network-security), Memcached (https://news.ycombinator.com/item?id=16493480), and Kibana (https://www.elastic.co/guide/en/kibana/5.0/breaking-changes-5.0.html).

I suggest to use a dedicated IP address other than 0.0.0.0.

Source: https://github.com/Vizir/carnival/blob/master/vagrant/modules/postgresql/manifests/params.pp

[akondasif]

Along with the two security smells I also noticed instances of empty passwords. Empty passwords increase the guessability of passwords. The Common Weakness Organization (CWE) identifies use of empty passwords as a security weakness (https://cwe.mitre.org/data/definitions/258.html).

I suggest that to follow the strong password guidelines, and manage passwords with hiera.

Source: https://github.com/Vizir/carnival/blob/master/vagrant/manifests/webdev.pp