Two critical vulnerabilities in the software of the open-source Salt project have been awarded the highest possible CVSS score of 10!
Security company F-Secure warned that “we expect that any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours”.
WHAT IS THIS SALT?
The “Salt” management framework by the company SaltStack is widely used as a configuration tool to manage servers in data centers, including in cloud environments.
The vulnerabilities, in Salt master versions 3001 and earlier, were patched yesterday by SaltStack, but F-Secure has warned that over 6,000 instances of this service are exposed to the public Internet and likely not configured to automatically update the salt software packages.
WHAT IS THE VULNERABILITY?
The vulnerabilities described in this advisory, allocated CVE-2020-11651 and CVE-2020-11652, allow an attacker who can connect to the “request server” port to bypass all authentication and authorization controls, ultimately gaining full remote command execution as root.
- One is an authentication bypass where functionality was unintentionally exposed to unauthenticated network clients
- The other is a directory traversal where untrusted input (i.e. parameters in network requests) was not sanitised correctly allowing access to the entire filesystem of the master server.
HOW TO BE SAFE
Patches are available for the latest release, and a fix for the previous major release is also available, with version number 2019.2.4.
Apply Network Security Controls
F-Secure said: “Adding network security controls that restrict access to the salt-master (ports 4505 and 4506 being the defaults)… or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks.”
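One way to apply that control on the master itself is a host firewall that admits the Salt publish and request ports only from the network the minions live on. The nftables ruleset below is an added example, not from the original post or from SaltStack; the minion range 10.20.0.0/16 and the management host 10.20.1.10 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not SaltStack's own configuration): restrict the salt-master
# ports 4505 (publish server) and 4506 (request server) to the minion network.

table inet salt_master {
    set minion_nets {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/16 }   # assumed: the range minions connect from
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept
        ip protocol icmp accept

        # Salt ZeroMQ ports: only hosts in minion_nets may reach them.
        tcp dport { 4505, 4506 } ip saddr @minion_nets accept

        # Any other source hitting the Salt ports is logged, so exposure
        # attempts show up in the kernel log, then dropped.
        tcp dport { 4505, 4506 } log prefix "salt-master blocked: " drop

        # Administrative SSH from the management host (assumed address).
        tcp dport 22 ip saddr 10.20.1.10 accept
    }
}
```

Load it with `nft -f` on the master and confirm with `nft list table inet salt_master`; any Internet-facing source is then unable to reach the request server regardless of the installed Salt version.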
MANY SYSTEMS STILL AT RISK
6,000 sysadmins have not paid attention and have not blocked access to those systems from the internet, leaving their systems at risk.
During the weekend, attackers successfully leveraged the flaws to gain access to the infrastructure of the LineageOS project, the Ghost blogging platform, and one of the Certificate Transparency logs (CT2) operated by DigiCert. In all three cases, the attackers’ goal was to install crypto miners.