The open-source Salt management framework contains high-severity security vulnerabilities that allow full remote code execution as root on servers in data centers and cloud environments. And in-the-wild attacks are expected imminently.
According to F-Secure researchers, the framework, authored by the company SaltStack but also used as an open-source configuration tool to monitor and update the state of servers, has a pair of flaws within its default communications protocol, known as ZeroMQ.
A bug tracked as CVE-2020-11651 is an authentication bypass issue, while CVE-2020-11652 is a directory-traversal flaw where untrusted input (i.e. parameters in network requests) is not sanitized correctly. This in turn allows access to the entire filesystem of the master server, researchers found.
The bugs are especially dangerous given the topology of the Salt framework.
"Each server [managed by Salt] runs an agent called a 'minion,' which connects to a 'master,'" explained F-Secure, in a writeup on Thursday. "[A master is a] Salt installation that collects state reports from minions and publishes update messages that minions can act on."
These update messages are usually used to change the configuration of a selection of servers, but they can also be used to push out commands to multiple, or even all, of the managed systems, researchers said. An adversary thus can compromise the master in order to send malicious commands to all of the other servers in the cluster, all at the same time.
To communicate, the master uses two ZeroMQ channels. As F-Secure explained, one is a "request server" where minions can connect to report their status (or the output of commands). The other is a "publish server" where the master publishes messages that the minions can connect and subscribe to.
The authentication bypass can be achieved because the ClearFuncs class processes unauthenticated requests and unintentionally exposes the "_send_pub()" method. This is the method used to queue messages from the master publish server to the minions, and thus can be used to send arbitrary commands. Such messages can be used to trigger minions to run arbitrary commands as root.
Also, "the ClearFuncs class also exposes the method _prep_auth_info(), which returns the root key used to authenticate commands from the local root user on the master server. This root key can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master."
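The class of bug described above, a request handler that resolves a caller-supplied method name without validating it, is shown below next to an allowlisted dispatcher. This is an added illustration, not Salt's code: ClearHandlers, _prep_secret and both dispatch functions are hypothetical names, and the returned key is a placeholder.

```python
class ClearHandlers:
    """Toy stand-in for a class that serves unauthenticated requests (hypothetical)."""

    # Hardened design: only names listed here are reachable from the network.
    EXPOSED = frozenset({"ping", "auth"})

    def ping(self, load):
        return "pong"

    def auth(self, load):
        return {"accepted": load.get("id") == "minion-1"}

    def _prep_secret(self, load):
        # Internal helper that must never be callable by a remote peer.
        return "ROOT-KEY-PLACEHOLDER"


def dispatch_unsafe(handler, load):
    # Resolves whatever name the peer sent: every attribute of the class,
    # internal helpers included, becomes part of the network API.
    return getattr(handler, load["cmd"])(load)


def dispatch_allowlisted(handler, load):
    # Reject anything that is not an explicitly exposed method name.
    cmd = load.get("cmd")
    if not isinstance(cmd, str) or cmd not in handler.EXPOSED:
        raise PermissionError(f"method not exposed: {cmd!r}")
    return getattr(handler, cmd)(load)


if __name__ == "__main__":
    h = ClearHandlers()
    print(dispatch_unsafe(h, {"cmd": "_prep_secret"}))   # internal helper reached
    try:
        dispatch_allowlisted(h, {"cmd": "_prep_secret"})
    except PermissionError as exc:
        print("blocked:", exc)
```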
As for the directory traversal, the "wheel" module contains commands used to read and write files under specific directory paths.
"The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction," according to the writeup. "The get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing…the reading of files outside of the intended directory."
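The concatenate-without-canonicalizing pattern from the writeup, beside a version that canonicalizes the path and checks containment, as an added example that is not Salt's code. The function names, directory layout and file contents are constructed for illustration.

```python
import os
import tempfile


def read_unsafe(base_dir, name):
    # Concatenation only: "../" segments in name walk out of base_dir.
    with open(os.path.join(base_dir, name)) as fh:
        return fh.read()


def resolve_inside(base_dir, name):
    # Canonicalize both paths (symlinks, "..", absolute names) before comparing.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components, so "/x/tokens-old" is not treated
    # as being inside "/x/tokens" the way a plain startswith() check would.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base!r}: {name!r}")
    return candidate


def read_safe(base_dir, name):
    with open(resolve_inside(base_dir, name)) as fh:
        return fh.read()


def demo():
    # Constructed layout: a token directory with a secret stored next to it.
    root = tempfile.mkdtemp()
    tokens = os.path.join(root, "tokens")
    os.mkdir(tokens)
    with open(os.path.join(tokens, "abc123"), "w") as fh:
        fh.write("token-data")
    with open(os.path.join(root, "secret.key"), "w") as fh:
        fh.write("constructed-secret")

    leaked = read_unsafe(tokens, "../secret.key")   # escapes the token directory
    legit = read_safe(tokens, "abc123")
    try:
        read_safe(tokens, "../secret.key")
        blocked = False
    except ValueError:
        blocked = True
    return leaked, legit, blocked


if __name__ == "__main__":
    print(demo())
```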
The bugs together allow attackers "who can connect to the request server port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the master server filesystem and steal the secret key used to authenticate to the master as root," according to the firm.
According to the National Vulnerability Database, "The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions."
F-Secure said that it expects to see attacks in the wild very shortly.
"We expect that any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours," the researchers said, citing the "reliability and simplicity" of exploitation.
Unfortunately, the firm also said that a preliminary scan has revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet.
Patches are available in release 3000.2. Also, "adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks," F-Secure concluded.
To detect a compromise, look for the ASCII strings "_prep_auth_info" or "_send_pub" in the request server port data (default 4506).
Also on the detection front, "published messages to minions are called 'jobs' and will be saved on the master (default path /var/cache/salt/master/jobs/). These saved jobs can be audited for malicious content or job IDs ('jids') that look out of the ordinary," F-Secure noted.
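A sketch of the request-port check, added here and not taken from F-Secure or SaltStack: it reassembles captured TCP payloads per flow so an indicator split across segments is still matched, and also flags sources outside the known-minion ranges. The record layout, function name, addresses and payload bytes are constructed assumptions.

```python
import ipaddress

INDICATORS = (b"_prep_auth_info", b"_send_pub")   # strings named in the article
REQUEST_PORT = 4506                                # request server default


def scan_request_traffic(segments, known_minion_nets, port=REQUEST_PORT):
    """segments: ordered (src_ip, src_port, dst_port, payload) tuples from a capture."""
    nets = [ipaddress.ip_network(n) for n in known_minion_nets]

    # Rebuild one byte stream per client flow; searching segment by segment
    # would miss an indicator that straddles a segment boundary.
    flows = {}
    for src, sport, dport, payload in segments:
        if dport == port:
            flows.setdefault((src, sport), bytearray()).extend(payload)

    findings = []
    for (src, sport), stream in flows.items():
        hits = [i.decode() for i in INDICATORS if i in stream]
        known = any(ipaddress.ip_address(src) in n for n in nets)
        if hits or not known:
            findings.append({"src": src, "sport": sport,
                             "indicators": hits, "known_minion": known})
    return findings


# Constructed sample segments (documentation address ranges, not a real capture).
SAMPLE = [
    ("192.0.2.10", 40112, 4506, b"\x00cmd\x00_auth\x00id\x00minion-1"),
    ("203.0.113.77", 51234, 4506, b"\x00cmd\x00_prep_au"),   # indicator split ...
    ("203.0.113.77", 51234, 4506, b"th_info\x00"),           # ... across two segments
    ("192.0.2.11", 40200, 4505, b"_send_pub"),                # publish port, ignored
    ("198.51.100.5", 33000, 4506, b"\x00cmd\x00_send_pub\x00"),
]

if __name__ == "__main__":
    for finding in scan_request_traffic(SAMPLE, ["192.0.2.0/24"]):
        print(finding)
```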