SaltStack Updates May 2020

SaltStack Salt is a popular open-source remote execution and configuration management framework, widely used in data centers and cloud environments. Two critical security flaws have been discovered in Salt that allow an unauthenticated remote attacker to execute arbitrary commands as root. They are tracked as CVE-2020-11651 and CVE-2020-11652 and belong to two different classes: an authentication bypass and a directory traversal. Both flaws lie in the way the Salt master handles messages on its ZeroMQ-based request server. Malicious campaigns have already exploited them to breach servers at organizations including LineageOS, Ghost, and DigiCert.


Vulnerability Details

SaltStack Salt is used to monitor and update the state of servers. It employs a master/minion architecture in which configuration and software updates are pushed out from a central master. Each managed server runs an agent called a ‘minion‘ which connects to a ‘master‘ node. The master collects state reports from the minions and publishes messages, such as configuration jobs, that the minions act on. Communication between master and minions runs over ZeroMQ. The master runs two ZeroMQ services: the ‘request server’ (TCP 4506 by default), to which minions connect to report their status or the output of commands, and the ‘publish server’ (TCP 4505 by default), to which minions subscribe to receive the messages the master publishes.

The vulnerabilities lie in the way the request server handles incoming messages, which lets a caller bypass its authentication and authorization controls. An attacker who can reach the request server can publish arbitrary control messages, read and write files anywhere on the master’s file system, and retrieve the secret ‘root key’ that the local root user uses to authenticate commands to the master. In other words, the attacker can run administrative commands on the master and make the minions execute arbitrary commands as root, resulting in a complete takeover of the master and every minion connected to it.

    • Authentication Bypass (CVE-2020-11651)
      The salt-master process uses a class, ‘ClearFuncs‘, to serve the requests that arrive on the request server without authentication. The class does not properly validate which of its methods a request may call, so internal methods such as ‘_send_pub‘ and ‘_prep_auth_info‘ are reachable by any client that can connect, and can be used to run arbitrary commands on the minions as well as on the master. ‘_send_pub‘ queues messages directly on the master’s publish server, which makes the minions run arbitrary commands as root. ‘_prep_auth_info‘, when invoked, returns the ‘root key’ used to authenticate commands from the local root user on the master; with that key an attacker can remotely invoke administrative commands on the master.
    • Directory Traversal (CVE-2020-11652)
      Salt’s ‘wheel‘ module contains commands that read and write files under specific directory paths. The user-supplied input is concatenated onto the target directory and the resulting path is never canonicalized, so a value containing “..” path elements escapes the intended directory. In particular, the ‘get_token‘ method of the ‘salt.tokens.localfs‘ class fails to sanitize the token parameter before using it as a filename, which allows reading files outside the intended directory.
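To make the directory-traversal class concrete, the following Python example, added here and not taken from Salt’s source or from the original article, contrasts an unsanitized path build of the kind described above for the token store with a hardened version. The function names, the hex-token allowlist and the sample token values are this example’s own assumptions; it also goes one step beyond the “..” case in the text by showing how an absolute token value escapes the directory through os.path.join.

```python
import os
import re
import tempfile

# Assumption for the hardened variant: token ids are hex digests, so anything
# else can be rejected outright before any path work is done.
TOKEN_RE = re.compile(r"^[0-9a-f]{16,128}$")


def token_path_unsafe(token_dir: str, token: str) -> str:
    """Illustrative reconstruction of the flaw class (not Salt's code): the token
    is concatenated onto the directory and the result is never canonicalized.
    Note that os.path.join() also discards token_dir when token is absolute."""
    return os.path.join(token_dir, token)


def token_path_safe(token_dir: str, token: str) -> str:
    """Hardened form: allowlist the token, then canonicalize and confine the path."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError(f"token id {token!r} is not a hex digest")
    base = os.path.realpath(token_dir)
    candidate = os.path.realpath(os.path.join(base, token))
    # realpath() resolves '..' and symlinks; the result must be a strict child of base.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"token id {token!r} escapes {base}")
    return candidate


def is_inside(base: str, path: str) -> bool:
    """True if path (after canonicalization) is strictly inside base."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return path != base and os.path.commonpath([base, path]) == base


def demo() -> dict:
    """Run both builders over constructed token values in a throwaway directory.
    Returns {token: (unsafe_result_stays_inside, hardened_outcome)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        token_dir = os.path.join(tmp, "tokens")
        os.makedirs(token_dir)
        # Constructed inputs: one legitimate id, one '..' traversal, one absolute path.
        for token in ("0123456789abcdef0123456789abcdef",
                      "../../etc/shadow",
                      "/etc/shadow"):
            unsafe = token_path_unsafe(token_dir, token)
            try:
                token_path_safe(token_dir, token)
                outcome = "allowed"
            except ValueError:
                outcome = "rejected"
            results[token] = (is_inside(token_dir, unsafe), outcome)
    return results


if __name__ == "__main__":
    for token, (inside, outcome) in demo().items():
        print(f"{token!r:40} unsafe stays inside: {str(inside):5} hardened: {outcome}")
```

The allowlist alone would have stopped both malicious inputs; the canonicalize-and-confine check is kept as a second layer so that the confinement does not depend on the token format staying hex forever.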



Impact

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary commands as root on the Salt master and on every minion connected to it.


Affected Products

SaltStack Salt before 2019.2.4 and 3000 before 3000.2


Solution

SaltStack has released security fixes for these vulnerabilities.

  • Upgrade to SaltStack Salt 2019.2.4 or 3000.2, or a later release
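The affected and fixed ranges above can be turned into a simple local check. The following Python script is an added example, not SecPod’s or SaltStack’s tooling; it parses the output of `salt-master --version` (or `salt --version`) and reports whether the installed release falls within the affected ranges. The regular expression and the handling of the 3000-series numbering are this example’s own assumptions about the version string format; the version that matters is the one running on the master, where the flaws live.

```python
import re
import sys

# Salt moved from date-based versions (2019.2.3) to a major.patch scheme at 3000.
# Both forms parse to a tuple of ints, which Python compares element by element.
VERSION_RE = re.compile(r"\b(\d{4}(?:\.\d+)*)\b")

FIXED_2019 = (2019, 2, 4)   # every release before this is affected
FIXED_3000 = (3000, 2)      # 3000 and 3000.1 are affected


def parse_version(text: str) -> tuple:
    """Extract the first version-looking token from e.g. 'salt 3000.1' or
    'salt 2019.2.3 (Fluorine)'. Assumption: the numeric part is dotted integers."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Salt version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(text: str) -> bool:
    """True if the version is 'before 2019.2.4' or '3000 before 3000.2'."""
    v = parse_version(text)
    if v < FIXED_2019:
        return True                       # 2018.3.x, 2019.2.0 .. 2019.2.3, ...
    return (3000,) <= v < FIXED_3000      # 3000, 3000.1


def report(text: str) -> str:
    """Human-readable verdict for one version string."""
    v = ".".join(str(p) for p in parse_version(text))
    if is_vulnerable(text):
        return (f"Salt {v}: AFFECTED by CVE-2020-11651 / CVE-2020-11652, "
                f"upgrade to 2019.2.4 or 3000.2 or later")
    return f"Salt {v}: not in the affected ranges"


if __name__ == "__main__":
    # Usage: salt-master --version | python3 salt_cve_check.py
    print(report(sys.stdin.read()))
```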

SanerNow detects these vulnerabilities. We strongly recommend installing these security updates without any delay. Until the update is applied, restrict network access to the master’s request and publish ports to known minions, since the flaws are reachable by anyone who can connect to the request server. A master that was exposed and unpatched while these flaws were being actively exploited should be treated as compromised: rotate the master and minion keys and audit the minions for unauthorized jobs.


Summary

Article: SaltStack Salt Critical Vulnerabilities Under Active Exploitation
Publisher: SecPod Technologies
