Another nasty bug is in circulation – Really Critical SaltStack RCE Bug (CVSS Score =10) infects 1,000s of Data Centres!


Two severe security flaws have now been discovered in the open-source SaltStack Salt configuration framework that could let a hacker execute arbitrary code on remote servers deployed in Data Centres & cloud environments.

F-Secure

Vulnerabilities were identified by F-Secure in March & disclosed only yesterday, the day after SaltStack released a patch (version 3000.2) addressing the issues, which were rated with CVSS score 10.
“The vulnerabilities, allocated CVE IDs CVE-2020-11651 and CVE-2020-11652, are of 2 different classes,” the cybersecurity firm said.

Authentication Bypass

“One being authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other being directory traversal where untrusted input (i.e., parameters in network requests) was not sanitised correctly allowing unconstrained access to the entire file system of the master server.”

Researchers have warned that the flaws could be exploited soon. SaltStack is also asking users to follow the best practices to secure the Salt environment.

Vulnerabilities

Salt is a powerful Python-based automation & remote execution engine that is intended to allow users to issue commands to multiple machines directly.

Built as a utility to monitor & update the state of servers, Salt uses a ‘master-slave architecture’ that automates the process of pushing out configuration & software updates from a central repository using a “master” node that deploys the changes to a target group of “minions” (e.g., servers).

Master & Minion

The communication between a master & minion happens over the ZeroMQ message bus. Additionally, the master uses 2 ZeroMQ channels, a “request server” to which minions report the execution results & a “publish server,” where the master publishes messages that the minions can connect and subscribe to.

According to the F-Secure research, the 2 problems live inside the tool’s ZeroMQ protocol.

“The vulnerabilities described in this advisory allow an attacker who can connect to the ‘request server’ port to bypass all authentication & authorisation controls & publish arbitrary control messages, read & write files anywhere on the ‘master’ server file system & steal the secret key used to authenticate to the master as root,” the researchers have concluded.

Remote Command Execution

“The impact is full remote command execution as root on both the master & all minions that connect to it.”

Thus, an attacker can exploit the defects to call administrative commands on the master server as well as queue messages directly on the master publish server, thereby causing the salt minions to run their malicious commands.

In addition, a ‘directory traversal’ vulnerability has been identified in the wheel module, which has functions to read & also write files to specific locations & can permit reading of files outside of the intended directory, due to a failure to properly sanitise file paths.

How to Detect Vulnerable Salt Masters

F-Secure researchers reported that an initial scan found more than 6,000 vulnerable Salt instances exposed to the public internet.

Detecting possible attacks against susceptible masters means auditing published messages to minions for any malicious content at all. “Exploitation of the authentication vulnerabilities will result in the ASCII strings “_prep_auth_info” or “send_pub” appearing in data sent to the request server port (default 4506),” it added.

Update

It’s strongly recommended that Salt users update the software packages to the latest version.

“Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks,” researchers have concluded.
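The two indicators above (the ASCII markers on the request server port and traffic to the master ports from outside the known-minion set) can be turned into a simple detection pass over captured flows. The following is an added example, not code from F-Secure or the Salt project; the Flow record, the msgpack-style sample payloads and the known-minion range are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# ASCII markers that F-Secure states appear in request-server traffic when the
# authentication bypass is exploited.
EXPLOIT_MARKERS = (b"_prep_auth_info", b"send_pub")
# Default Salt master ports: 4505 publish server, 4506 request server.
SALT_PORTS = {4505: "publish server", 4506: "request server"}


@dataclass
class Flow:
    """One captured client-to-master exchange (hypothetical capture record)."""
    src: str
    dport: int
    payload: bytes


def flow_findings(flow, known_minions):
    """Return detection findings for a single flow; an empty list means nothing to report."""
    findings = []
    if flow.dport not in SALT_PORTS:
        return findings  # not Salt master traffic
    # Detection analogue of the recommended network control: anything reaching the
    # master ports from outside the known-minion ranges is worth an alert.
    if not any(ip_address(flow.src) in net for net in known_minions):
        findings.append(f"{flow.src}->{flow.dport}: source outside known-minion ranges")
    # The exploit markers are only meaningful on the request server port.
    if flow.dport == 4506:
        for marker in EXPLOIT_MARKERS:
            if marker in flow.payload:
                findings.append(f"{flow.src}->4506: exploit marker {marker.decode()} in request")
    return findings


def scan_flows(flows, known_minions):
    """Scan a batch of flows and return all findings, in capture order."""
    return [f for flow in flows for f in flow_findings(flow, known_minions)]


# Constructed sample data: msgpack-style byte strings that mimic Salt request framing.
KNOWN_MINIONS = [ip_network("10.0.0.0/24")]
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 4506, b"\x82\xa3cmd\xa7_pillar\xa2id\xa7minion1"),        # benign-looking
    Flow("198.51.100.7", 4506, b"\x82\xa3cmd\xaf_prep_auth_info\xa5token\xa0"),  # marker, unknown source
    Flow("198.51.100.7", 4505, b""),                                           # unknown source, publish port
    Flow("10.0.0.9", 4506, b"\x81\xa3cmd\xa8send_pub"),                         # known minion, marker
    Flow("203.0.113.3", 22, b"SSH-2.0-OpenSSH"),                                # unrelated, ignored
]

if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_FLOWS, KNOWN_MINIONS):
        print(finding)
```

Running the block prints four findings: two for the unknown source (one carrying the `_prep_auth_info` marker), one for the unknown source on 4505, and one for a known minion address sending `send_pub`.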
