SaltStack Salt critical bugs allow data center, cloud server hijacking as root

Researchers expect the vulnerabilities to be exploited in the wild within days.
Written by Charlie Osborne, Contributing Writer

The developers of the open source SaltStack Salt management framework, used in data centers and cloud servers, have warned users to update their builds following the discovery of critical remote code execution vulnerabilities. 

Researchers from F-Secure disclosed the bugs on Thursday. Tracked as CVE-2020-11651 and CVE-2020-11652, the vulnerabilities have been issued high-severity ratings and are deemed critical enough that the team responsible for finding the flaws will not release any Proof-of-Concept (PoC) code. 

"We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," F-Secure said. "Due to reliability and simplicity of exploitation, F-Secure will not be providing proof-of-concept exploit code as this would only harm any users who are slow to patch."

The vulnerabilities are present in SaltStack Salt versions prior to 2019.2.4 and 3000.2. 

Servers running Salt have a "minion" API agent that connects to a "master" installation of the software. Reports on the state of minion servers are sent to the master node, which in turn, is able to publish update messages such as configuration changes that can be rolled out to any servers under its management. 

The communication protocol in use is ZeroMQ, of which two instances -- the "request" and "publish" servers -- are exposed. 

The first bug, CVE-2020-11651, is an authentication bypass, whereas the second, CVE-2020-11652, is a directory traversal security flaw. 

CVE-2020-11651 was caused by the ClearFuncs class, which exposes the _send_pub() and _prep_auth_info() methods. Messages can be used to trigger minions to run arbitrary commands and the root key can also be fetched to call administrative commands on the master server.

"This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the Salt master," the researchers say. 

CVE-2020-11652 relates to the Salt wheel module, which contains commands for read/write functions under specific directory paths. A failure to sanitize paths gave attackers an opportunity to rewrite path elements, with token grab classes also exposed via the ClearFuncs class vulnerability. 

Together, the bugs permitted attackers to connect to request server ports to bypass authentication checks and to publish arbitrary messages, as well as access the full file system of a master server, steal the key used to authenticate to master servers as root, and remotely execute code on not only the master system but all minions connected to the framework. 

SaltStack developers were informed of the vulnerabilities on March 16. As SaltStack triaged the issues, F-Secure conducted a scan for Internet-facing instances, finding over 6,000 cases of potentially vulnerable systems. 

By April 23, the developers alerted community members (.PDF) to an incoming patch and urged users to make sure their Salt masters were not exposed to the Internet. Fixes for the critical flaws, published in software versions 2019.2.4 and 3000.2, were released on April 29.
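
A version check for triaging an inventory against the fixed releases named above, added here as an example; it is not code from the article, F-Secure or SaltStack. The host names and reported version strings are constructed, and the function names are hypothetical.

```python
import re

# Fixed releases named in the article; everything older is affected.
FIXED_DATE_BASED = (2019, 2, 4)  # date-based scheme, e.g. 2019.2.3
FIXED_3000 = (3000, 2, 0)        # 3000 series, e.g. 3000.1

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_salt_version(text):
    """Return (major, minor, patch) from text such as 'salt-master 2019.2.3 (Fluorine)'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Salt version found in {text!r}")
    # Missing components count as zero, so '3000' becomes (3000, 0, 0).
    return tuple(int(part or 0) for part in match.groups())


def is_affected(text):
    """True if the reported version predates the fix for its release series."""
    version = parse_salt_version(text)
    fixed = FIXED_3000 if version[0] >= 3000 else FIXED_DATE_BASED
    return version < fixed


def triage(inventory):
    """Return the sorted host names whose reported version is affected."""
    return sorted(host for host, reported in inventory.items() if is_affected(reported))


# Constructed inventory: host name -> version string as reported by the host.
SAMPLE_INVENTORY = {
    "master-a.example": "salt-master 2019.2.3 (Fluorine)",
    "master-b.example": "salt-master 2019.2.4 (Fluorine)",
    "master-c.example": "salt-master 3000.1",
    "master-d.example": "salt-master 3000.2",
    "master-e.example": "salt-master 2018.3.4 (Oxygen)",
    "master-f.example": "salt-master 3000",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required ({SAMPLE_INVENTORY[host]})")
```

A version string only reflects upstream release numbering; a distribution package carrying a backported fix can report an older number, so confirm flagged hosts against the package vendor's advisory.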
