Full remote command execution as root
Two critical vulnerabilities in the software of the open source Salt project have been awarded the highest possible CVSS score of 10 — with security company F-Secure today warning that “we expect that any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours.”
The “Salt” management framework by the company SaltStack is widely used as a configuration tool to manage servers in data centres, including in cloud environments. The vulnerabilities, in Salt master versions 3001 and earlier, were patched yesterday by SaltStack, but F-Secure has warned that over 6,000 instances of this service are exposed to the public Internet and likely not configured to automatically update the salt software packages.
Salt Vulnerability: What’s Happened?
The vulnerabilities described in this advisory allow an attacker who can connect to the “request server” port to bypass all authentication and authorisation controls, ultimately gaining full remote command execution as root.
The vulnerabilities have been allocated CVE-2020-11651 and CVE-2020-11652.
One is an authentication bypass where functionality was unintentionally exposed to unauthenticated network clients The other is a directory traversal where untrusted input (i.e. parameters in network requests) was not sanitised correctly allowing access to the entire filesystem of the master server.
Patches are available for both the latest and the previous major release version is also available, with version number 2019.2.4.
F-Secure said: “Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults)… or at least block the wider Internet, would also be prudent as the authentication and authorisation controls provided by Salt are not currently robust enough to be exposed to hostile networks.”
Salt’s guidance already recommends that Salt masters are not connected to the public internet. 6,000 sysadmins have not paid attention or needed that access for whatever reason.
F-Secure said it is not releasing a proof-of-concept in order to reduce risk for those slow to patch. The company added: “We will leave exploitation as an exercise for the reader.”