
CRITICAL SALTSTACK VULNERABILITIES AFFECTING DATA CENTERS AND CLOUD ENVIRONMENTS

Reference: 
Advisory #2020-015
Version: 
1.0
Affected software: 
SaltStack's Salt versions before 2019.2.4
SaltStack's Salt versions before 3000.2
Type: 
Remote Code Execution (RCE), Directory Traversal
CVE/CVSS: 

CVE-2020-11651
CVE-2020-11652

Sources

https://www.computerweekly.com/news/252482461/Critical-SaltStack-vulnerability-affects-thousands-of-datacentres
https://labs.f-secure.com/advisories/saltstack-authorization-bypass
https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
https://docs.saltstack.com/en/latest/topics/releases/3000.2.html

Risks

An attacker could exploit these critical vulnerabilities to execute code remotely with root privileges and to publish arbitrary control messages to the master's minions. The second vulnerability allows a directory traversal attack that gives the attacker unconstrained access to the entire filesystem of the master server.

Description

Salt is an open source management framework, used to monitor and update the state of servers. The Salt project is managed by the company SaltStack. It is also very popular as a configuration tool to manage servers in datacenters and cloud environments.

These vulnerabilities, CVE-2020-11651 and CVE-2020-11652, were discovered in March 2020 and affect SaltStack's Salt before version 2019.2.4 and before version 3000.2. A security scan revealed that over 6,000 Salt masters are exposed to the public Internet. Attackers are massively scanning the Internet for vulnerable Salt masters and exploiting them immediately when found.

For more detailed information regarding these vulnerabilities, please refer to the sources listed above.

Recommended Actions

CERT.be recommends installing the latest versions, 2019.2.4 and 3000.2, released by the vendor, if your configuration did not apply the patches automatically.

It is also recommended to restrict access to the Salt master ports from the public Internet. By default, ports 4505 and 4506 are used, but please check your own configuration.
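To support the update recommendation above, the following added example (not part of the CERT.be advisory or of the Salt project) checks reported Salt versions against the two fixed releases named here, 2019.2.4 for the year-based release line and 3000.2 for the 3000 line, so that an inventory of masters can be triaged. The hostnames and version strings in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, Iterable, Tuple

# Fixed releases named in the advisory.
FIXED_YEAR_BRANCH = (2019, 2, 4)  # applies to 2019.2.x and older YYYY.M.P releases
FIXED_3000_BRANCH = (3000, 2)     # applies to the 3000.x line

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull (major, minor, patch) out of text such as 'salt 3000.1'; missing parts become 0."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(p) if p is not None else 0 for p in match.groups())
    return major, minor, patch


def is_vulnerable(text: str) -> bool:
    """True if the version is below 2019.2.4 (year scheme) or below 3000.2."""
    major, minor, patch = parse_version(text)
    if major >= 3000:
        # Numeric scheme (3000, 3000.1, 3001, ...): only releases before 3000.2 are affected.
        return (major, minor) < FIXED_3000_BRANCH
    # Year scheme (2018.3.x, 2019.2.x, ...): everything before 2019.2.4 is affected.
    return (major, minor, patch) < FIXED_YEAR_BRANCH


def triage(inventory: Iterable[str]) -> Dict[str, bool]:
    """Map each 'hostname <salt --version output>' line to whether it is affected."""
    return {
        host: is_vulnerable(version_text)
        for host, _, version_text in (line.partition(" ") for line in inventory)
    }


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    "master01 salt 2019.2.3",
    "master02 salt 3000.1",
    "master03 salt 3000.2",
    "master04 salt 2019.2.4",
    "master05 salt 2018.3.5",
]

if __name__ == "__main__":
    for host, affected in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'AFFECTED, update required' if affected else 'fixed'}")
```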