Critical Vulnerability in Salt Requires Immediate Patching
The Salt community has known since late last week of a critical vulnerability in Salt Master. It was told that the vulnerability has a CVSS rating of 10.0, that Salt Masters should not be exposed to the internet, and that fixes would be released this week.
More warnings appeared early this week. F-Secure’s Mikko Hypponen (F-Secure had discovered two vulnerabilities earlier this year) tweeted on Monday, 27 April: “The vulnerability in Salt Master 3000.1 has been rated with a CVSS of 10.0 (on a scale from 1 to 10)”. Today, SaltStack patches are available, an advisory has been published, and F-Secure has blogged on the process. Users of Salt should consider the blog’s opening words: “Patch by Friday or compromised by Monday.”
Salt is an open source project managed by SaltStack, and is a popular configuration tool for managing servers in data centers and cloud environments. A Salt Master connects to agents on possibly hundreds of other servers called minions. It collects state reports from the minions, and publishes update messages that the minions can action. Typically, these are configuration updates.
The two vulnerabilities discovered by F-Secure are detailed in an advisory published today: an authentication bypass (CVE-2020-11651) and a directory traversal (CVE-2020-11652). Both have been patched by SaltStack engineers in release 3000.2 (with a separate patch release for the previous major version).
The authentication bypass exists because a ClearFuncs class processes unauthenticated requests but unintentionally exposes the _send_pub() method — which can be used to trigger the minions to run arbitrary commands as root. ClearFuncs can also be used to obtain the ‘root key’ used to authenticate commands from the local root user on the master server. Ultimately, this provides a remote unauthenticated attacker with root-equivalent access to the Salt Master.
The directory traversal vulnerability is caused by ClearFuncs accepting unauthenticated tokens that are then not sanitized when used as a filename. This allows, warns the advisory, “insertion of ‘..’ path elements and thus reading of files outside of the intended directory.”
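The traversal described above is a general bug class: a caller-controlled string is joined onto a directory and used as a filename, so `..` elements (or an absolute path) walk out of the intended directory. The following is an added example, not Salt's code and not from the advisory; the function names, the alphanumeric token policy and the sample tokens are all constructed for illustration. It places the vulnerable join beside a hardened resolver that allow-lists the token syntax and then confirms the resolved real path still lies under the token directory, and audits a few constructed tokens against both.

```python
"""Vulnerable vs. hardened token-to-filename resolution (illustrative, not Salt's code)."""
import os
import re
import tempfile

# Assumed policy for this example: a token id is a plain alphanumeric string.
_TOKEN_RE = re.compile(r"[A-Za-z0-9]{8,64}")


def resolve_token_path_unsafe(token_dir: str, token: str) -> str:
    """Vulnerable pattern: the caller-controlled token is joined onto the
    directory without sanitization, so '..' elements escape token_dir and an
    absolute token replaces the directory entirely (os.path.join semantics)."""
    return os.path.join(token_dir, token)


def resolve_token_path_safe(token_dir: str, token: str) -> str:
    """Hardened pattern: reject anything that is not a bare token id, then
    verify the real (symlink-resolved) path is still inside token_dir."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("malformed token id")
    base = os.path.realpath(token_dir)
    candidate = os.path.realpath(os.path.join(base, token))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("token id resolves outside the token directory")
    return candidate


def escapes_directory(token_dir: str, path: str) -> bool:
    """True when path, after normalisation, is not located under token_dir."""
    base = os.path.realpath(token_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) != base


def audit_tokens(tokens, token_dir=None):
    """For each token, report whether the unsafe resolver would leave the
    directory and whether the hardened resolver accepts the token at all."""
    if token_dir is None:
        # Constructed stand-in for the real token directory.
        token_dir = tempfile.mkdtemp(prefix="token_demo_")
    report = {}
    for tok in tokens:
        unsafe_path = resolve_token_path_unsafe(token_dir, tok)
        try:
            resolve_token_path_safe(token_dir, tok)
            accepted = True
        except ValueError:
            accepted = False
        report[tok] = {
            "unsafe_escapes": escapes_directory(token_dir, unsafe_path),
            "safe_accepts": accepted,
        }
    return report


# Constructed sample tokens: a legitimate id, one carrying '..' elements,
# and an absolute path (which os.path.join uses verbatim, discarding the prefix).
SAMPLE_TOKENS = ["a1b2c3d4e5f60718", "../../outside_token_dir", "/tmp/absolute"]

if __name__ == "__main__":
    for tok, result in audit_tokens(SAMPLE_TOKENS).items():
        print(f"{tok!r}: {result}")
```

The containment check uses `os.path.realpath` on both sides so that a symlink planted inside the token directory cannot point the resolver elsewhere; the syntax allow-list alone would not catch that case, and the containment check alone would still accept odd but in-directory names, which is why the hardened resolver applies both.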
“We expect,” warns F-Secure, “that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours,” reinforcing the need for Salt users to patch immediately.
In an accompanying blog, F-Secure warns that attackers could simply use the master/minion relationship to mine cryptocurrencies across possibly hundreds of servers, or they could install backdoors to explore the network — leading to the potential for data theft or extortion. Of particular concern to F-Secure is the number of Salt Masters found exposed to the internet: 6000.
“I was expecting the number to be a lot lower,” said F-Secure principal consultant Olle Segerdahl. “There’s not many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet. When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So, if I were running one of these 6000 masters, I wouldn’t feel comfortable leaving work for the weekend knowing it’s a target.”
Alex Peay, SVP of product and marketing at SaltStack, told SecurityWeek, “A critical vulnerability was discovered in Salt Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier. The vulnerability occurs if a Salt Master is exposed to the open internet. Upon notification, SaltStack took immediate action to remediate the vulnerability, develop and issue patches, and communicate to our customers about the affected versions so they can prepare their systems for update.”
While exposing a Salt Master to the internet makes an attack both easier and more likely, the vulnerability itself isn’t dependent on that exposure. “While attackers will have a more difficult time reaching hosts hidden from the internet, they can still exploit them by accessing corporate networks in other ways first,” warns F-Secure.