SaltStack revises partial patch for command injection, privilege escalation vulnerability

The second fix was reportedly necessary after SaltStack did not participate in coordinated disclosure.
Written by Charlie Osborne, Contributing Writer

The Salt Project has issued a secondary fix for a command injection vulnerability after the first attempt to patch the issue partially failed.

The vulnerability, tracked as CVE-2020-28243, impacts SaltStack Salt before 3002.5. SaltStack Salt is automation and infrastructure software made available to the open source community. 

"The minion's restartcheck is vulnerable to command injection via a crafted process name," the bug's description reads. "This allows for a local privilege escalation (LPE) by any user able to create files on the minion in a non-blacklisted directory."

The vulnerability was discovered by Immersive Labs security researcher Matthew Rollings in November 2020. If exploited, the bug lets a local user run a process with a crafted name that is injected into the command restartcheck executes, elevating their privileges on the minion. 

Container escapes were also possible, and if particular conditions were met, remote users might be able to tamper with process names, although this would be a difficult attack to pull off.  

CVE-2020-28243 was resolved on February 4 as part of a wider security release. At least, in part. 

According to Rollings, the fix for the LPE security flaw did prevent command injection, but did not go far enough and still allowed argument injection. While argument injection is not as severe as the original issue, leaving it unpatched could have led to denial of service and software crashes. 

The first fix issued by the Salt Project used shlex, Python's standard-library module for shell-style tokenizing, in an attempt to prevent command injection. 

"The developer that added this fix made an error," Rollings explained. "Their usage of shlex does not provide any additional protection. The shlex.split function takes an input string and splits it into the command and its arguments using spaces as the delimiter. We control the package variable, which means we can inject additional arguments into the command."

According to the researcher, with the first fix in place argument injection was still possible under the same conditions as the original bug. 

SaltStack's fix was issued without coordinated disclosure with Immersive Labs, a factor that the cybersecurity firm says prevented the patch from being adequately tested. 

"If they had communicated on the solution, the issue would have been spotted and a secondary fix wouldn't have been necessary," the company says. 

However, once the error in the patch was noticed and reported, SaltStack then privately shared the second attempt prior to publication. 

The second fix, issued on March 23, now builds the command as an argument list (an array) rather than a string, so the package name is passed as a single argument and cannot be split into extra arguments.
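The three stages described above, as an added example that is not Salt's code and not from the original article: the pre-fix shell string, the partial fix that tokenizes that string with shlex.split, and the second fix that builds an argument list directly. The tool name `query-tool` and the `ECHO_ARGV` stand-in are hypothetical; the stand-in is a Python one-liner that reports the argv it received, so the effect of each construction is visible without dpkg or a Salt minion. It also shows the crash case the researcher alludes to: an unbalanced quote in the crafted name makes shlex.split raise.

```python
import json
import shlex
import subprocess
import sys

# Constructed stand-in for the real package-query command. It prints the
# argv it received, so the effect of each construction is observable offline.
ECHO_ARGV = [sys.executable, "-c",
             "import sys, json; print(json.dumps(sys.argv[1:]))"]

TOOL = "query-tool"  # hypothetical command name, not Salt's


def cmd_original(package):
    """Pre-fix pattern: attacker-controlled text interpolated into a shell
    string. Executed with shell=True, a name such as 'pkg; id' runs 'id'.
    Returned for inspection only; this example never runs it through a shell."""
    return "%s -l %s" % (TOOL, package)


def cmd_first_fix(package):
    """Pattern of the partial fix: the same string is tokenized with
    shlex.split and executed without a shell. A shell metacharacter no longer
    starts a second command, but whitespace in `package` still yields extra
    argv elements (argument injection), and an unbalanced quote makes
    shlex.split raise ValueError (a crash)."""
    return shlex.split("%s -l %s" % (TOOL, package))


def cmd_second_fix(package):
    """Pattern of the second fix: build the argv list directly, so the package
    name is always exactly one argument whatever characters it contains."""
    return [TOOL, "-l", package]


def first_fix_crashes(package):
    """True if the partial-fix construction raises on this name."""
    try:
        cmd_first_fix(package)
    except ValueError:
        return True
    return False


def run_with_argv(argv):
    """Execute argv with the tool swapped for ECHO_ARGV (no shell involved)
    and return the argument list the child program actually saw."""
    proc = subprocess.run(ECHO_ARGV + argv[1:], capture_output=True,
                          text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Constructed crafted names: benign, command injection attempt,
    # argument injection attempt, and the crash case.
    for crafted in ("pkg", "pkg; id", "pkg --version", "pkg'"):
        print("name:", repr(crafted))
        print("  original string :", cmd_original(crafted))
        if first_fix_crashes(crafted):
            print("  first fix       : ValueError from shlex.split")
        else:
            print("  first fix       :", run_with_argv(cmd_first_fix(crafted)))
        print("  second fix      :", run_with_argv(cmd_second_fix(crafted)))
```

The point of the argv list is not that it strips characters but that it never parses: the child receives `pkg --version` as one argument, whereas after shlex.split it receives `pkg` and `--version` as two, which is exactly the argument injection the first fix left open.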

"Thankfully, the second time around SaltStack shared the fix for approval before publication," Rollings says. "This is a step in the right direction and shows more of a proactive than reactive approach to security, which is always better in the long run."

ZDNet has reached out to the Salt Project and we will update when we hear back. 
