Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
rapid7blogBoB RudisRAPID7BLOG:54F1D96262CFC427DBA32564C2E47A77
HistoryNov 10, 2020 - 2:22 p.m.

SaltStack Pre-Authenticated Remote Root (CVE-2020-16846 and CVE-2020-25592): What You Need to Know

2020-11-1014:22:33
boB Rudis
blog.rapid7.com
74
JSON

What’s up?

SaltStack Pre-Authenticated Remote Root CVE-2020-16846 and CVE-2020-25592: What You Need to Know

We start the November critical vulnerability season with a pair of CVEs—CVE-2020-16846 and CVE-2020-25592—that, when combined, can result in unauthenticated remote root access on a target system. SaltStack developers disclosed these weaknesses on Nov. 3, 2020 and have released patches for these weaknesses.

Before reading on, Rapid7 advises all SaltStack users to patch their systems as quickly as possible. If at all possible, please don’t wait for your typical patch cycle to apply SaltStack security updates. There are no known mitigations or workarounds as of Nov. 9, 2020. As noted in the aforelinked AttackerKB Rapid7 analysis: “Pre-authenticated remote root is the gold-medal standard for attackers, and it took Rapid7 researchers all of 15 minutes and a single HTTP request to get there.”

SaltStack vulnerability information, exposure details, and attacker activity

SaltStack developers noted that the following versions are affected:

  • 3002
  • 3001.1, 3001.2
  • 3000.3, 3000.4
  • 2019.2.5, 2019.2.6
  • 2018.3.5
  • 2017.7.4, 2017.7.8
  • 2016.11.3, 2016.11.6, 2016.11.10
  • 2016.3.4, 2016.3.6, 2016.3.8
  • 2015.8.10, 2015.8.13

While none of the CVEs have a rating (yet), these combined weaknesses are trivial to exploit and result in complete system compromise, which will happen, since CVE-2020-11651, another SaltStack vulnerability from April 2020, was exploited quickly by threat actors. We fully expect CVEs 2020-16846 and 2020-25592 to follow that same path.

SaltStack Pre-Authenticated Remote Root CVE-2020-16846 and CVE-2020-25592: What You Need to Know

Rapid7 Labs thankfully only discovered 215 vulnerable SaltStack servers in November 2020 scans, but that doesn’t mean your internal SaltStack nodes will not be identified and compromised by attackers who gain footholds as a result of phishing attacks.

There are no mitigations for these vulnerabilities. You must patch your systems to be safe. As of Nov. 9, 2020, Rapid7 Labs Project Heisenberg, our global honeypot network, did not detect any malicious SaltStack activity, but that will likely change very quickly.

Final guidance

Along with patching, organizations should monitor SaltStack API logs very closely for anomalous activity going back to at least Nov. 3, 2020 and until/after affected SaltStack systems are patched.

Given that there have been two severe SaltStack weakness episodes in one calendar year, Rapid7 further suggests organizations increase monitoring for anomalies in general on SaltStack systems and stay on top of vulnerability announcements from the SaltStack developers.

Vulnerable to CVE-2020-16846 and CVE-2020-25592? Scan Your Environment Today to Find Out.

Get Started

Related

attackerkb 4
packetstorm 3
zdt 4
nessus 35
suse 6
debian 9
gentoo 1
osv 11
freebsd 2
archlinux 2
rapid7blog 1
redhatcve 3
debiancve 3
ubuntucve 3
prion 3
alpinelinux 3
veracode 3
trendmicroblog 2
cve 3
zdi 5
githubexploit 11
metasploit 3
cisa_kev 2
checkpoint_advisories 2
nuclei 1
thn 3
openvas 3
cisa 1
threatpost 3
cisco 1
huawei 1
vmware 1
fedora 3
photon 4
exploitdb 1
ubuntu 1
attackerkb
attackerkb
CVE-2020-16846 — SaltStack Unauthenticated Shell Injection
2020-11-06 00:00:00
CVE-2020-25592 — SaltStack Authentication Bypass and Salt SSH Command Execution
2020-11-06 00:00:00
CVE-2020-11651
2020-04-30 00:00:00
packetstorm
packetstorm
SaltStack Salt REST API Arbitrary Command Execution
2020-11-12 00:00:00
Saltstack 3000.1 Remote Code Execution
2020-05-05 00:00:00
SaltStack Salt Master/Minion Unauthenticated Remote Code Execution
2020-05-12 00:00:00
zdt
zdt
SaltStack Salt REST API Arbitrary Command Execution Exploit
2020-11-12 00:00:00
Saltstack 3000.1 - Remote Code Execution Exploit
2020-05-04 00:00:00
Saltstack 3000.1 Remote Code Execution Exploit
2020-05-07 00:00:00
nessus
nessus
SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:3155-1)
2020-12-09 00:00:00
SUSE SLES11 Security Update : SUSE Manager Client Tools (SUSE-SU-2020:14538-1)
2021-06-10 00:00:00
SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:3243-1)
2020-12-09 00:00:00
suse
suse
Security update for salt (critical)
2020-11-05 00:00:00
Security update for salt (critical)
2020-11-07 00:00:00
Security update for salt (critical)
2021-07-11 00:00:00
debian
debian
[SECURITY] [DSA 4837-1] salt security update
2021-01-24 15:29:40
[SECURITY] [DLA 2480-1] salt security update
2020-12-04 17:33:51
[SECURITY] [DSA 4837-1] salt security update
2021-01-24 15:29:40
gentoo
gentoo
Salt: Multiple vulnerabilities
2020-11-11 00:00:00
osv
osv
salt - security update
2020-12-04 00:00:00
salt - security update
2021-01-24 00:00:00
CVE-2020-25592
2020-11-06 08:15:13
freebsd
freebsd
salt -- multiple vulnerabilities
2020-11-06 00:00:00
salt -- multiple vulnerabilities in salt-master process
2020-04-30 00:00:00
archlinux
archlinux
[ASA-202011-7] salt: multiple issues
2020-11-10 00:00:00
[ASA-202005-1] salt: multiple issues
2020-05-05 00:00:00
rapid7blog
rapid7blog
Metasploit Wrap-Up
2020-11-13 19:08:01
redhatcve
redhatcve
CVE-2020-25592
2020-11-06 17:59:28
CVE-2020-16846
2020-11-06 17:29:13
CVE-2020-11651
2020-05-06 17:39:55
debiancve
debiancve
CVE-2020-25592
2020-11-06 08:15:00
CVE-2020-11651
2020-04-30 17:15:00
CVE-2020-16846
2020-11-06 08:15:00
ubuntucve
ubuntucve
CVE-2020-25592
2020-11-06 00:00:00
CVE-2020-11651
2020-04-30 00:00:00
CVE-2020-16846
2020-11-06 00:00:00
prion
prion
Authentication flaw
2020-11-06 08:15:00
Design/Logic Flaw
2020-11-06 08:15:00
Authentication flaw
2020-04-30 17:15:00
alpinelinux
alpinelinux
CVE-2020-25592
2020-11-06 08:15:00
CVE-2020-16846
2020-11-06 08:15:00
CVE-2020-11651
2020-04-30 17:15:00
veracode
veracode
Shell Injection
2020-11-10 05:27:00
Authentication Bypass
2021-04-29 12:14:32
Authentication Bypass
2020-05-04 05:37:27
trendmicroblog
trendmicroblog
This Week in Security News: US Cyber Command Exposes New Russian Malware and REvil Ransomware Gang ‘Acquires’ KPOT Malware
2020-11-06 13:42:03
This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers
2020-05-29 12:27:26
cve
cve
CVE-2020-25592
2020-11-06 08:15:00
CVE-2020-16846
2020-11-06 08:15:00
CVE-2020-11651
2020-04-30 17:15:00
zdi
zdi
SaltStack Salt rest_cherrypy ssh_options Command Injection Remote Code Execution Vulnerability
2020-11-24 00:00:00
SaltStack Salt rest_cherrypy tgt Command Injection Remote Code Execution Vulnerability
2020-11-24 00:00:00
SaltStack Salt rest_cherrypy ssh_remote_port_forwards Command Injection Remote Code Execution Vulnerability
2020-11-24 00:00:00
githubexploit
githubexploit
Exploit for CVE-2020-11651
2020-05-09 11:22:25
Exploit for OS Command Injection in Saltstack Salt
2021-10-14 10:09:48
Exploit for CVE-2020-11651
2021-10-01 14:33:29
metasploit
metasploit
SaltStack Salt REST API Arbitrary Command Execution
2020-11-11 19:09:26
SaltStack Salt Master Server Root Key Disclosure
2020-05-11 17:05:38
SaltStack Salt Master/Minion Unauthenticated RCE
2020-05-11 17:05:38
cisa_kev
cisa_kev
SaltStack Salt Shell Injection Vulnerability
2021-11-03 00:00:00
SaltStack Salt Authentication Bypass Vulnerability
2021-11-03 00:00:00
checkpoint_advisories
checkpoint_advisories
SaltStack Salt API SSH Client Command Injection (CVE-2020-16846)
2021-11-16 00:00:00
Saltstack Salt Authentication Bypass (CVE-2020-11651; CVE-2020-11652)
2020-05-05 00:00:00
nuclei
nuclei
SaltStack <=3002 - Shell Injection
2020-11-18 17:21:07
thn
thn
Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability
2020-05-04 04:00:00
Critical SaltStack RCE Bug (CVSS Score 10) Affects Thousands of Data Centers
2020-05-01 13:04:00
Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems
2021-08-23 13:27:00
openvas
openvas
openSUSE: Security Advisory for salt (openSUSE-SU-2020:0564-1)
2020-05-01 00:00:00
Debian LTS: Security Advisory for salt (DLA-2223-1)
2020-05-31 00:00:00
Debian: Security Advisory for salt (DSA-4676-1)
2020-05-07 00:00:00
cisa
cisa
SaltStack Patches Critical Vulnerabilities in Salt
2020-05-01 00:00:00
threatpost
threatpost
Hackers Exploit Critical Flaw in Ghost Platform with Cryptojacking Attack
2020-05-04 19:23:41
Salt Bugs Allow Full RCE as Root on Cloud Servers
2020-04-30 20:54:50
Hackers Compromise Cisco Servers Via SaltStack Flaws
2020-05-28 20:51:25
cisco
cisco
SaltStack FrameWork Vulnerabilities Affecting Cisco Products
2020-05-28 16:00:00
huawei
huawei
Security Advisory - Two Vulnerabilities in SaltStack Salt
2020-07-15 00:00:00
vmware
vmware
vRealize Operations Application Remote Collector (ARC) addresses Authentication Bypass and Directory Traversal vulnerabilities (CVE-2020-11651, CVE-2020-11652)
2020-05-08 00:00:00
fedora
fedora
[SECURITY] Fedora 33 Update: salt-3002.1-1.fc33
2020-11-06 01:15:59
[SECURITY] Fedora 31 Update: salt-3001.3-1.fc31
2020-11-07 00:23:23
[SECURITY] Fedora 32 Update: salt-3001.3-1.fc32
2020-11-06 01:23:17
photon
photon
Critical Photon OS Security Update - PHSA-2020-0091
2020-05-15 00:00:00
Critical Photon OS Security Update - PHSA-2020-3.0-0091
2020-05-15 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-1.0-0294
2020-05-14 00:00:00
exploitdb
exploitdb
Saltstack 3000.1 - Remote Code Execution
2020-05-05 00:00:00
ubuntu
ubuntu
Salt vulnerabilities
2020-08-13 00:00:00
JSON
Related for RAPID7BLOG:54F1D96262CFC427DBA32564C2E47A77
attackerkb4packetstorm3zdt4nessus35suse6debian9gentoo1osv11freebsd2archlinux2rapid7blog1redhatcve3debiancve3ubuntucve3prion3alpinelinux3veracode3trendmicroblog2cve3zdi5githubexploit11metasploit3cisa_kev2checkpoint_advisories2nuclei1thn3openvas3cisa1threatpost3cisco1huawei1vmware1fedora3photon4exploitdb1ubuntu1