“We have confirmed that some vulnerable, unpatched systems have been accessed by unauthorised users since the release of the patches.”
Servers are under serious attack right now as threat actors scan the internet for unpatched systems containing SaltStack software, as two previously reported bugs are being widely exploited.
Salt software is used to update and monitor automated servers within enterprise networks, cloud clusters and large-scale data centres. Written in python, the software collects server state reports and is also used for remote task executions.
An array of sites, applications and servers have been affected by the exploitation of two vulnerabilities CVE-2020-11651 and CVE-2020-11652. One is an authentication bypass where functionality was unintentionally exposed to unauthenticated network clients. The other is a directory traversal where untrusted input (i.e. parameters in network requests) was not sanitised correctly allowing access to the entire filesystem of the master server.
One victim of an unpatched system is LineageOS, an Android-based mobile operating system used on smart device and some set-top boxes. It had been completely taken offline following a network intrusion by hackers using the salt CVEs.
Around 8PM PST on May 2nd, 2020 an attacker used a CVE in our saltstack master to gain access to our infrastructure.
We are able to verify that:
– Signing keys are unaffected.
– Builds are unaffected.
– Source code is unaffected.
See https://t.co/85fvp6Gj2h for more info.
— LineageOS (@LineageAndroid) May 3, 2020
A SaltStack spokesperson told Computer Business Review that: “Upon notification of the CVE, SaltStack took immediate action to remediate the vulnerability, develop and issue patches, and communicate to our customers about the affected versions so they can prepare their systems for update.
“Although there was no initial evidence that the CVE had been exploited, we have confirmed that some vulnerable, unpatched systems have been accessed by unauthorised users since the release of the patches. We must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security”
Node.js blogging platform Ghost has also reported it has been a victim of a breach using the Salt bug.
The attack on Ghost involved the malicious installation of crypto-mining software. This type of attack hijacks a server’s computational power to mine cryptocurrencies. This not only steals compute power from data centres, but is also highly damaging to the hardware as it pushes systems to run at full tilt for extended periods of time.
Ghost’s security teams noted in an advisory: “All traces of the crypto-mining virus were successfully eliminated yesterday, all systems remain stable, and we have not discovered any further concerns or issues on our network. The team is now working hard on remediation to clean and rebuild our entire network.”
The vulnerabilities, in Salt master versions 3001 and earlier, were patched by SaltStack, but F-Secure has warned that more than 6,000 instances of this service are exposed to the public internet and likely not configured to automatically update the salt software packages.
Cybersecurity firm F-Secure noted in a blog addressing the CVEs that they let an attacker: “Connect to the “request server” port to bypass all authentication and authorisation controls and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it.”