CVE-2023-5255 - How Puppet Server’s Auto-Renewable Certificates Can’t Be Revoked — What You Need to Know
On January 9, 2024, CVE-2023-5255 was published, affecting Puppet Server's handling of auto-renewed certificates. For anyone managing infrastructure with Puppet this matters: when you let node certificates auto-renew, you still expect to be able to revoke them later (for example, when a server is decommissioned or compromised). Because of this flaw, revoking an auto-renewed certificate does not actually take effect.
Let’s break down what’s wrong, how it happens, what it means for your security, and how to work around it—complete with code snippets and references.
What Is CVE-2023-5255?
CVE-2023-5255 is a vulnerability in Puppet Server, the server component of the Puppet configuration management system. Normally, when the Puppet CA issues certificates to nodes (servers, agents, and so on), you can allow them to be renewed automatically so you don't have to re-issue them by hand before they expire.
In affected Puppet Server versions, if you revoke a certificate that was auto-renewed, the revocation silently fails: the certificate the node actually holds stays valid, which defeats the purpose of revoking it.
Why this matters when you rotate credentials
If you can't revoke a certificate, anyone holding its private key can keep using it until it expires, and with auto-renewal in place that could be indefinitely.
How Does This Happen?
When Puppet Server auto-renews a certificate, it issues the agent a new certificate: the same certname and subject, a later expiry date, and (as X.509 requires) a new serial number. The CA's record of which certificate belongs to that certname is not updated to reflect the renewed one. A CRL identifies certificates by serial number, so when you later revoke the certname, the CA looks up the certificate it knows about, the original, and puts that serial on the CRL. The serial the node actually presents is never listed, and the server keeps accepting it.
In Puppet Server's Certificate Authority subsystem, the problem is therefore in how renewed certificates (same CN, new expiry) are tracked: a revocation request is matched against the original certificate rather than the one the node currently holds.
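To make the mechanism concrete, here is an added example (not code from Puppet Server or the puppetserver-ca gem) written with Ruby's standard OpenSSL library. It builds a throwaway CA, issues agent01's original certificate, "renews" it the way any CA renewal works (same subject and key, later expiry, new serial), and then builds a CRL from the CA's stale record, which is the behaviour the text describes. The CA name, certname and serial numbers are all constructed for the example; the revoked_on_disk? helper is the same check pointed at PEM files, with no Puppet-specific paths assumed inside it.

```ruby
require 'openssl'

# Constructed example: a throwaway CA, one agent certificate, and a renewal of it.
# Shows why revoking the serial the CA has on record does not cover a renewed cert.

DIGEST = 'SHA256'
DAY = 86_400

def new_key
  OpenSSL::PKey::RSA.new(2048)
end

# Self-signed CA certificate (basicConstraints CA:TRUE).
def make_ca(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 0
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Puppet CA (example)')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * DAY
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Issue a certificate for certname with a given serial and lifetime in days.
def issue(ca_key, ca_cert, agent_key, certname, serial, days)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer = ca_cert.subject
  cert.public_key = agent_key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + days * DAY
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Build a CRL listing the given serials, signed by the CA.
def make_crl(ca_key, ca_cert, serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now
  crl.next_update = Time.now + 30 * DAY
  serials.each do |s|
    r = OpenSSL::X509::Revoked.new
    r.serial = s
    r.time = Time.now
    crl.add_revoked(r)
  end
  crl.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  crl
end

# The check that matters: is the serial of THIS certificate on the CRL?
def revoked?(crl, cert)
  crl.revoked.any? { |r| r.serial.to_i == cert.serial.to_i }
end

# Same check against PEM files, e.g. the certificate an agent presents and the CA's CRL.
def revoked_on_disk?(cert_path, crl_path)
  revoked?(OpenSSL::X509::CRL.new(File.read(crl_path)),
           OpenSSL::X509::Certificate.new(File.read(cert_path)))
end

def demo
  ca_key    = new_key
  ca_cert   = make_ca(ca_key)
  agent_key = new_key
  certname  = 'agent01.example.com'

  original = issue(ca_key, ca_cert, agent_key, certname, 1001, 365)
  # Renewal: same certname and key, later expiry, and necessarily a new serial.
  renewed  = issue(ca_key, ca_cert, agent_key, certname, 1002, 365 * 2)

  # Stale flow (the bug): the CA's record still points at the original, so
  # "revoke agent01" puts serial 1001 on the CRL and nothing else.
  stale_crl = make_crl(ca_key, ca_cert, [original.serial])
  # Correct flow: the serial of the certificate the node actually presents is listed.
  fixed_crl = make_crl(ca_key, ca_cert, [original.serial, renewed.serial])

  {
    original_revoked_by_stale_crl: revoked?(stale_crl, original),
    renewed_revoked_by_stale_crl:  revoked?(stale_crl, renewed),
    renewed_revoked_by_fixed_crl:  revoked?(fixed_crl, renewed),
    crl_signature_valid:           stale_crl.verify(ca_key)
  }
end

demo.each { |k, v| puts "#{k}: #{v}" } if __FILE__ == $PROGRAM_NAME
```

The renewed certificate passes the stale CRL untouched even though the revocation "succeeded" for the original serial. To run the same check against a real deployment, point revoked_on_disk? at the certificate copied from the agent's SSL directory and at the CA's CRL file (on a default install these live under /etc/puppetlabs/puppet/ssl/certs/ and /etc/puppetlabs/puppetserver/ca/ respectively; treat those paths as an assumption and confirm them for your version). The equivalent by hand is comparing the output of openssl x509 -noout -serial on the agent's certificate with the serials listed by openssl crl -noout -text on the CRL.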
Code Example: Simulating the Issue
Suppose a node's certificate has already been auto-renewed by Puppet Server. You then try to revoke it with the puppetserver ca CLI:
# Step 1: the node's certificate is auto-renewed. There is no CLI subcommand for this:
# renewal happens server-side when auto-renewal is enabled in ca.conf (the
# allow-auto-renew-certs setting in Puppet Server 7.9+/8.x; confirm the exact name
# against your version's docs) and the agent checks in inside the renewal window.
# The agent receives a new certificate: same certname, later expiry, new serial.
# Step 2: try to revoke that node's certificate
puppetserver ca revoke --certname agent01.example.com
You would expect the certificate the node now holds to be revoked, but it is not. If you check the inventory:
puppetserver ca list --all
the entry still shows as "Signed", the serial the node actually presents is not in the CRL, and the certificate continues to authenticate the node.
Exploit Scenario
Suppose an attacker compromises node agent01.example.com, for example by stealing its private key and auto-renewed certificate. An admin tries to cut off its access:
puppetserver ca revoke --certname agent01.example.com
The command silently fails to cover the certificate in use: the compromised certificate is never placed on the Certificate Revocation List (CRL), so the attacker continues to authenticate as that node and the removal attempt is bypassed.
Is There a Patch?
Yes. Puppet fixed this in later Puppet Server releases (see the references below).
Upgrade Puppet Server to a fixed version, and always review the official release notes:
Puppet CVE-2023-5255 Security Advisory
If you cannot upgrade immediately, use the following manual workaround:
1. Manually remove and reissue node certificates
Clean the inventory
Use puppetserver ca clean to revoke the certname's certificate and delete it from the CA's signed directory, then reissue a fresh certificate as needed (either let the agent request one, or generate it on the CA with puppetserver ca generate --certname).
Manual removal example
# Revoke and remove the problematic cert from the CA
puppetserver ca clean --certname agent01.example.com
# Optionally, restart Puppet Server to ensure fresh state
sudo systemctl restart puppetserver
Note: after this the node is denied until it has a new certificate. On the agent, puppet ssl clean removes the old certificate so that the next puppet run requests a new one, which you then sign on the CA.
Caveat: because the defect is that the renewed certificate's serial never reaches the CRL, do not assume cleaning alone stops a stolen renewed certificate. After cleaning, confirm that the serial of the certificate the node actually presents appears in the CA's CRL; if it does not, the holder of that key can still authenticate until you upgrade, and the only reliable fix is the patched release.
References
- Official CVE entry: CVE-2023-5255
- Puppet advisory and patch: Puppet Security Bulletin for CVE-2023-5255
- Background on the Puppet CA: Puppet Documentation, Certificate Authority
Conclusion
CVE-2023-5255 is a reminder that automation is valuable, but the basics still need watching. When auto-renewal does not play nicely with revocation, a credential you believe you have cut off keeps working, and that exposes infrastructure to anyone who holds it. Keep Puppet Server up to date, and review your certificate management workflow for silent failures like this one.
If you manage nodes at scale, take a moment today to verify your certificates, test that revocation actually lands on the CRL, and confirm you have patched this flaw. Your security depends on it.
Timeline
Published on: 10/03/2023 18:15:00 UTC
Last modified on: 10/05/2023 16:48:00 UTC