DevSecOoops

Newly discovered critical vulnerabilities in the popular ‘Salt’ remote task and configuration framework pose a threat for data centers and cloud environments.

The security flaws – discovered by researchers at F-Secure and patched by vendor SaltStack on Wednesday – create a means for attackers to bypass authentication and authorization settings and take control of cloud-hosted servers.

Successful exploitation of the vulnerabilities would allow an attacker to execute code remotely with root privileges on the master central repository.

This opens up a range of possibilities from using hijacked systems for crypto-mining, to installing backdoors into systems or (even worse) ransomware attacks.

Salt shaker

The open source Salt project is at the center of vendor SaltStack’s product range whilst also being popular in its own right as a configuration tool to manage servers in both data center and cloud environments.

The technology is used to monitor, configure, and update the state of servers, among other applications.

Salt frameworks consist of a ‘master’ server which acts as a central repository to control ‘minion’ agents that carry out tasks and collect data for the system.

The security flaws discovered by the F-Secure team fall into two different classes: authentication bypass (CVE-2020-11651) and directory traversal (CVE-2020-11652).

F-Secure explains that, put together, the flaws would allow an attacker who can connect to the ‘request server’ port to “bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root”.

“The impact is full remote command execution as root on both the master and all minions that connect to it,” a technical advisory from the Finnish security firm warns.

After notification from F-Secure in March and subsequent confirmation of a problem, SaltStack engineers patched these vulnerabilities in release 3000.2, released on Wednesday (April 29).

Sysadmins are urged to update their systems.

Exposed systems

F-Secure came across the issue in the course of making a security assessment for a client, a Salt user.

During the disclosure process, F-Secure researchers discovered that 6,000 Salt masters were openly discoverable on the internet, which, if found, might be exploited by cybercriminals, or worse, to take control of the server with administrative privileges.

F-Secure researchers suspect that not all of the potentially exposed systems have been configured to apply security updates automatically.

Perhaps mindful of this risk, SaltStack last week published advance notice to its users urging them not to expose Salt masters and letting them know that a critical security update, since delivered, was in the works.

Olle Segerdahl, principal consultant at F-Secure, told The Daily Swig: “All users should make sure that they only expose their Salt master to trusted minions, definitely not to the public internet.”

SaltStack is yet to respond to our request for comment on F-Secure’s findings. We’ll update this story as and when more information comes to hand.

Asked to comment on the wider lessons other developers might take from the episode, Segerdahl said: “Don’t expose ‘infrastructure services’ to hostile networks; these types of software packages usually run in a protected network environment and have often not received much security scrutiny.

“Conversely, if you do have to expose a service on a network, get some assurance that it's fit for that purpose by hiring a professional to take a look at it.”
