SaltStack Salt is a popular open-source remote-execution and configuration management framework widely used in data centers and cloud environments. Two critical security flaws, which a vulnerability management tool can detect, have been discovered in Salt; they can allow an attacker to execute arbitrary commands as root. These SaltStack Salt vulnerabilities are identified as CVE-2020-11651 and CVE-2020-11652 and belong to two different classes: Authentication Bypass and Directory Traversal. Both reside in Salt’s ZeroMQ-based communication layer. Malicious campaigns have already begun exploiting these flaws to breach servers of organizations including LineageOS, Ghost, and DigiCert.
Saltstack Salt Vulnerabilities Details
SaltStack Salt is used to monitor and update the state of servers. It employs a master-slave architecture to push configuration and software updates out from a central repository. For this, each managed server runs an agent called a ‘minion’, which connects to a ‘master’ node. The master node is responsible for collecting state reports from minions and publishing messages, such as configurations, that the minions act on. Communication between a master and its minions uses the ZeroMQ protocol. The master runs two ZeroMQ instances: the ‘request server’, to which minions connect to report their status (or the output of commands), and the ‘publish server’, where the master publishes messages that minions connect to and subscribe to. A patch management tool can patch these vulnerabilities.
The SaltStack Salt vulnerabilities exist in the way the ‘request server’ handles incoming messages, allowing an attacker to bypass authentication and authorization controls. The attacker can then publish arbitrary control messages, read and write files anywhere on the ‘master’ server’s file system, and steal the secret key used to authenticate to the master as root. In other words, an attacker can exploit the flaws to execute administrative commands on the master server and also cause Salt minions to run malicious commands. This results in a complete takeover of both the master and all minions that connect to it.
Results:

- Authentication Bypass (CVE-2020-11651)

Salt’s master script uses a class ‘ClearFuncs’, which accepts all commands without authentication. This class in salt-master processes all unauthenticated requests, so the methods it exposes, such as ‘_send_pub’ and ‘_prep_auth_info’, can be used to run arbitrary commands on the minions as well as the master. The ‘_send_pub’ method can be used to queue messages directly on the master’s publish server, which then triggers minions to run arbitrary commands as root. The ‘_prep_auth_info’ method, once invoked, returns the ‘root key’ used to authenticate commands from the local root user on the master server. This ‘root key’ can be used to remotely call administrative commands on the master server.

- Directory Traversal (CVE-2020-11652)

The ‘wheel’ module in Salt contains commands used to read and write files under specific directory paths. The input is concatenated with the target directory and the resulting path is not canonicalized, which allows an escape from the intended path restriction. The ‘salt.tokens.localfs’ class, via its ‘get_token’ method, fails to sanitize the token input parameter used as a filename, allowing insertion of “..” path elements and thus reading of files outside the intended directory.
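The directory traversal above comes down to one missing step: the joined path is never canonicalized and checked against the directory it is supposed to stay in. The following is an added illustration, not Salt’s code; the token directory name is an assumption chosen for the example. It places the vulnerable join pattern beside a hardened version that treats the token strictly as a filename and then verifies, after canonicalization, that the result is still inside the base directory.

```python
import os

# Constructed for illustration: the page does not give Salt's real token
# directory, so this path is an assumption, not Salt's configuration.
TOKEN_DIR = "/var/cache/salt/master/tokens"


def token_path_unsafe(token: str) -> str:
    """Vulnerable pattern described in the advisory: the caller-controlled
    token is concatenated with the target directory and the result is never
    canonicalized, so '..' elements (or an absolute path, which os.path.join
    lets replace the base entirely) escape TOKEN_DIR."""
    return os.path.join(TOKEN_DIR, token)


def token_path_safe(token: str) -> str:
    """Hardened pattern: treat the token strictly as a single filename, then
    canonicalize the joined path and confirm it is still inside TOKEN_DIR.
    Raises ValueError on anything that would leave the directory."""
    if not token or token in (".", ".."):
        raise ValueError("token must be a non-empty filename")
    if os.sep in token or (os.altsep and os.altsep in token) or "\x00" in token:
        raise ValueError("token must not contain path separators")
    base = os.path.realpath(TOKEN_DIR)
    # realpath resolves '..' and symlinks, so the containment test below
    # sees the path the filesystem would actually open.
    candidate = os.path.realpath(os.path.join(base, token))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("token path escapes the token directory")
    return candidate


def escapes_token_dir(path: str) -> bool:
    """True if a path, once normalized, lies outside TOKEN_DIR. Used to show
    what the unsafe join would actually open."""
    base = os.path.normpath(TOKEN_DIR)
    return os.path.commonpath([base, os.path.normpath(path)]) != base


def accepts_token(token: str) -> bool:
    """Convenience wrapper: does the hardened function accept this token?"""
    try:
        token_path_safe(token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for t in ("a1b2c3", "../../../../etc/passwd", "/etc/passwd"):
        unsafe = token_path_unsafe(t)
        print(f"{t!r}: unsafe join -> {unsafe} "
              f"(escapes={escapes_token_dir(unsafe)}), "
              f"hardened accepts={accepts_token(t)}")
```

The separator check alone already rejects both relative traversal and absolute paths; the realpath plus commonpath test is kept as a second layer so a symlink planted inside the directory cannot redirect a well-formed filename outside it.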
Impact of Saltstack Salt Vulnerabilities
The exploitation of these vulnerabilities could allow attackers to execute arbitrary commands on the target systems.
Affected Products by Saltstack Salt Vulnerabilities
SaltStack Salt before 2019.2.4 and 3000 before 3000.2
Solution
SaltStack has released security fixes for these vulnerabilities.
- SaltStack Salt 2019.2.4 or 3000.2 or higher
SanerNow detects these vulnerabilities. We strongly recommend installing these security updates without any delay.
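Because the affected range spans two release lines (everything before 2019.2.4, and 3000 before 3000.2), a plain string comparison of version numbers gets this wrong. The following is an added example, not SecPod’s or SaltStack’s code, that encodes the ranges from the Affected Products and Solution sections above and applies them to a constructed host inventory. It assumes that release lines numbered above 3000 postdate the fix; that assumption is not stated on the page and is marked in the code.

```python
import re

# Version boundaries are those stated in this advisory: fixed in 2019.2.4
# (for the year-based release line) and in 3000.2 (for the 3000 line).
FIXED_2019_LINE = (2019, 2, 4)
FIXED_3000_LINE = (3000, 2)


def parse_salt_version(text: str) -> tuple:
    """Extract the first dotted numeric version from strings such as
    'salt 3000.1', 'salt-master 2019.2.3' or '3000' and return it as a
    tuple of ints so that tuple comparison behaves like version comparison."""
    match = re.search(r"\b(\d+(?:\.\d+)*)\b", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version_text: str) -> bool:
    """Return True if the version falls inside the affected ranges
    'before 2019.2.4' or '3000 before 3000.2'."""
    version = parse_salt_version(version_text)
    major = version[0]
    if major <= 2019:
        # Year-based releases (2018.3.x, 2019.2.x, ...): everything older
        # than 2019.2.4 is in the affected range.
        return version < FIXED_2019_LINE
    if major == 3000:
        # A bare '3000' parses as (3000,), which compares below (3000, 2).
        return version < FIXED_3000_LINE
    # Assumption (not stated on the page): release lines numbered above 3000
    # postdate the fix and are treated as not affected.
    return False


def find_affected_hosts(inventory: str) -> list:
    """Scan 'hostname<TAB>version' lines and return the hosts that still run
    a vulnerable master or minion, in input order."""
    affected = []
    for line in inventory.strip().splitlines():
        host, _, version_text = line.partition("\t")
        if is_affected(version_text):
            affected.append(host)
    return affected


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = """\
salt-master-01\tsalt 3000.1
minion-web-01\tsalt 2019.2.3
minion-web-02\tsalt 2019.2.4
minion-db-01\tsalt 3000.2
minion-db-02\tsalt-minion 3000
"""

if __name__ == "__main__":
    for host in find_affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update to 2019.2.4 / 3000.2 or later")
```

Splitting the hostname off on the tab before parsing matters: hostnames such as `minion-web-01` contain digits that the version regex would otherwise pick up.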