Salt peppered with holes? Automation tool vulnerable to auth bypass: Patch now

'The impact is full remote command execution as root on both master and all minions'

The Salt configuration tool has patched two vulnerabilities whose combined effect was to expose Salt installations to complete control by an attacker. A patch for the issues was released last night, but systems that are not set to auto-update may still be vulnerable.

The vulnerabilities were discovered by security company F-Secure and assigned CVE numbers CVE-2020-11651 and CVE-2020-11652. They are patched in Salt 3000.2 and, for the previous stable release, 2019.2.4. Older releases will have to be fixed manually.

Salt is a tool from SaltStack which has both commercial and open source editions. It lets you define system components and applications in text as a "salt state" and then apply them to remote systems in a data centre or on a public cloud. In Salt terminology, a Master is a central Salt server which issues commands, and a Minion is a remote process that listens for commands and performs them. The communication protocol is ZeroMQ.

The first vulnerability, CVE-2020-11651, is an authentication bypass which, said F-Secure, "unintentionally exposes the _send_pub() method, which can be used to queue messages directly on the master publish server. Such messages can be used to trigger minions to run arbitrary commands as root."

As if that were not bad enough, CVE-2020-11652 is a directory traversal vulnerability in the "wheel" module used to read and write files. "The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction," the researchers added. "The impact is full remote command execution as root on both the master and all minions that connect to it."

The implications are severe since it is potentially handing over to the bad actor not only control of servers, but also the ability to configure new resources on clouds such as AWS.

F-Secure is refusing to post a proof of concept exploit as "this would only harm any users who are slow to patch." That said, it is not much protection, since the company also said: "We expect that any competent hacker will be able to create 100 per cent reliable exploits for these issues in under 24 hours."

Disclosure of the vulnerabilities to SaltStack was delayed by several days because the company expects issues to be reported via encrypted and signed emails but the published GPG key for this had expired in 2018, said F-Secure. An updated key was eventually published and a report received by SaltStack on 20th March.

SaltStack obtained CVE numbers in early April and one week ago, on 23rd April, warned users that they should not expose master servers to the internet and should prepare for an urgent patch.

Salt users have had little time to respond, and F-Secure has flagged the concern that: "A scan revealed over 6,000 instances of this service exposed to the public Internet. Getting all of these installs updated may prove a challenge as we expect that not all have been configured to automatically update the salt software packages."

It is difficult to patch open source projects without at the same time revealing the vulnerability, which may be a factor in the disclosure timing.

Exposing a Salt master to the internet is not best practice and firewall security should be implemented. "Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks," continued F-Secure.

A further annoyance is that in fixing the authentication issue the SaltStack developers introduced a bug. "The _minion_runner method should be minion_runner (without the underscore prefix). This typo breaks the publish module's runner method," the docs stated. This may well break scripts in use. A fix for this is promised "in mid-June 2020."

According to a recent Flexera "State of the cloud" report Salt is used by around 17 per cent of organisations with cloud deployments. The newly reported vulnerability shows first that auto-update is worth considering if it is not already enabled, and second, that network security is critical alongside patch management. ®

Similar topics

Other stories you might like

  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading

Biting the hand that feeds IT © 1998–2022