Two critical vulnerabilities have been found in SaltStack’s open source Salt remote task and configuration framework that could let an attacker execute arbitrary code on remote servers deployed in data centers and cloud environments.
F-Secure researchers discovered the flaws in early March; they were disclosed this Thursday when SaltStack released a patch addressing the issues, which are rated with a CVSS score of 10.
The vulnerabilities, assigned CVE-2020-11651 and CVE-2020-11652, are of two different classes. One is an authentication bypass, where functionality was unintentionally exposed to unauthenticated network clients; the other is a directory traversal, where untrusted input was not sanitized correctly, allowing unconstrained access to the entire filesystem of the master server.
The researchers warned that the flaws could be exploited in the wild soon, and SaltStack is also recommending that users follow best practices to secure their Salt environment.
Salt is a powerful Python-based automation and remote execution engine designed to let users issue commands to multiple machines directly.
It was built as a utility to monitor and update the state of servers. Salt has a master-slave architecture that automates pushing configuration and software updates from a central repository, using a “master” node that deploys the changes to a target group of “minions”.
Communication between a master and its minions occurs over the ZeroMQ message bus. The master uses two ZeroMQ channels: a “request server,” to which minions report execution results, and a “publish server,” where the master publishes messages that the minions connect to and subscribe to.
The researchers stated that the bugs were found within the tool’s ZeroMQ protocol.
The vulnerabilities let an attacker who can connect to the ‘request server’ port bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem, and steal the secret key used to authenticate to the master as root. The result is full remote command execution as root on both the master and all minions that connect to it.
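The directory-traversal class described above, as an added illustration that is not Salt’s own code: a master-side file service joins a client-supplied path to a fixed root, first without sanitization and then with a containment check that resolves the path and rejects anything outside the root. The root directory, the served file and the ‘master.pem’ placeholder are constructed for the demo.

```python
import os
import tempfile


class PathEscapesRoot(Exception):
    """Raised when an untrusted path resolves outside the service root."""


def unsafe_join(root, untrusted):
    # Vulnerable pattern: the client string is joined with no check, so
    # '../' segments (or an absolute path, which os.path.join honours)
    # walk out of the root.
    return os.path.normpath(os.path.join(root, untrusted))


def safe_join(root, untrusted):
    # Hardened pattern: resolve symlinks and '..' in both paths, then
    # require the result to be the root itself or a descendant of it.
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, untrusted))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathEscapesRoot(untrusted)
    return candidate


def demo():
    # Constructed layout: a served root with one file, and a "secret"
    # one level above it. Returns {label: (unsafe_served, safe_served)}.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "srv")
    os.mkdir(root)
    with open(os.path.join(root, "top.sls"), "w") as fh:
        fh.write("allowed\n")
    with open(os.path.join(base, "master.pem"), "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    requests = {
        "legit": "top.sls",
        "dotdot": "../master.pem",
        "absolute": os.path.join(base, "master.pem"),
    }
    results = {}
    for label, req in requests.items():
        unsafe_served = os.path.isfile(unsafe_join(root, req))
        try:
            safe_join(root, req)
            safe_served = True
        except PathEscapesRoot:
            safe_served = False
        results[label] = (unsafe_served, safe_served)
    return results
```

The unsafe variant serves the file for all three requests; the hardened variant serves only the in-root one and rejects both the relative ‘..’ escape and the absolute path.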
According to the F-Secure researchers, an initial scan found more than 6,000 vulnerable Salt instances exposed to the public internet.
All Salt users are advised to update their software packages to the latest version.