SaltStack has officially revealed three bugs in its code – two of them seemingly critical – and told users: “We strongly recommend that you prioritize this update.” But the biz appears to have known about the bugs for months and quietly patched them over the summer.
SaltStack offers open-source, Python-based automation tools. It was acquired by VMware in October, and Virtzilla hailed the deal as completing and extending its automation offerings and helping it provide a full-stack offering.
However, VMware acquired three bugs along the way. They’re formally known as CVE-2020-16846, CVE-2020-17490, and CVE-2020-25592.
The first, CVE-2020-16846, means “an unauthenticated user with network access to the Salt API can use shell injections to run code on the Salt-API using the SSH client.” The third, CVE-2020-25592, “improperly validates eauth credentials and tokens,” which means a miscreant could bypass authentication and drive Salt in evil ways.
CVE-2020-17490 is much less serious: it concerns the TLS module failing to set restrictive file permissions on the keys it generates.
SaltStack has made patches available via GitLab.
However, sharp-eyed observers have noticed a GitHub commit on August 19 that addresses CVE-2020-16846 in SaltStack's code, yet it took until now for a formal advisory to be issued. That makes disclosure of the bugs today – US election day – feel a little like trying to hide bad news. And given that today is full of distractions, it's also not the best way to spread the word of bugs that SaltStack says should be at the top of users’ to-do lists.
Similarly, CVE-2020-17490 was addressed in a separate GitHub commit in August, as was CVE-2020-25592. SaltStack credited Trend Micro's ZDI team for finding a couple of the bugs, and we note that ZDI reported those holes to the vendor in June, making the early November disclosure all the more weird.
Another thing to note: SaltStack is handling this one alone. New parent VMware has not issued a security advisory. ®