
Critical SaltStack RCE Bug (CVSS Score 10) Affects Thousands of Data Centers


Two severe security flaws have been discovered in SaltStack's open-source Salt configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments.

The vulnerabilities were identified by F-Secure researchers in March and disclosed on Thursday, a day after SaltStack released a patch (version 3000.2) addressing the issues, which carry a CVSS score of 10.

"The vulnerabilities, allocated CVE IDs CVE-2020-11651 and CVE-2020-11652, are of two different classes," the cybersecurity firm said.

"One being authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other being directory traversal where untrusted input (i.e., parameters in network requests) was not sanitized correctly allowing unconstrained access to the entire filesystem of the master server."

The researchers warned that the flaws could be exploited in the wild imminently. SaltStack is also urging users to follow the best practices to secure the Salt environment.

Vulnerabilities in ZeroMQ Protocol


Salt is a powerful Python-based automation and remote execution engine that's designed to allow users to issue commands to multiple machines directly.

Built as a utility to monitor and update the state of servers, Salt employs a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a "master" node that deploys the changes to a target group of "minions" (e.g., servers) en masse.

Communication between the master and its minions runs over ZeroMQ. The master exposes two ZeroMQ channels: a "request server" (TCP port 4506 by default), to which minions send requests and report execution results, and a "publish server" (TCP port 4505 by default), on which the master publishes messages that minions subscribe to.

According to F-Secure researchers, both flaws sit in the master's handling of requests arriving on the ZeroMQ request server, so anyone who can reach that port can trigger them.

"The vulnerabilities described in this advisory allow an attacker who can connect to the 'request server' port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server filesystem and steal the secret key used to authenticate to the master as root," the researchers said.

"The impact is full remote command execution as root on both the master and all minions that connect to it."

In other words, an attacker can call administrative commands on the master server and queue messages directly on its publish server, causing every connected minion to run commands of the attacker's choosing.

What's more, a directory traversal vulnerability in the wheel module (which has functions to read and write files at specific locations) permits reading and writing files outside the intended directory, because the file paths supplied in the request were not sanitized before use.
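The wheel module's traversal is the same class of bug as any file API that joins an attacker-supplied path onto a base directory without checking where the result lands. The following is an added illustration, not Salt's code: a deliberately unconstrained reader beside one that resolves the path and refuses anything outside the allowed tree. The directory layout (a `pki/master` tree holding `minion.pub`, a `master.pem` placed outside it, and a symlink pointing out of the tree) is constructed inline purely for the demonstration.

```python
"""Directory traversal: an unconstrained file read beside a path-confined one."""
import os
import tempfile
from typing import Dict


def read_file_unsafe(base_dir: str, rel_path: str) -> bytes:
    """Vulnerable pattern: join and open without checking where the path lands.

    os.path.join drops base_dir entirely when rel_path is absolute, and ".."
    segments walk out of base_dir, so the caller can read any file the
    process can.
    """
    with open(os.path.join(base_dir, rel_path), "rb") as f:
        return f.read()


def resolve_within(base_dir: str, rel_path: str) -> str:
    """Resolve rel_path under base_dir and refuse anything that escapes it.

    realpath() collapses ".." and follows symlinks before the check, so a
    symlink inside base_dir that points outside is rejected as well.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, rel_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{rel_path!r} resolves outside {base}")
    return target


def read_file_safe(base_dir: str, rel_path: str) -> bytes:
    """Hardened counterpart: only paths confined to base_dir are opened."""
    with open(resolve_within(base_dir, rel_path), "rb") as f:
        return f.read()


def demo() -> Dict[str, object]:
    """Exercise both readers against a constructed (hypothetical) directory layout."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "pki", "master")
        os.makedirs(base)
        with open(os.path.join(base, "minion.pub"), "wb") as f:
            f.write(b"PUBKEY")
        secret = os.path.join(root, "master.pem")       # outside the allowed tree
        with open(secret, "wb") as f:
            f.write(b"PRIVATE KEY")
        os.symlink(secret, os.path.join(base, "link"))  # symlink escaping base

        results["unsafe_dotdot"] = read_file_unsafe(base, "../../master.pem")
        results["unsafe_absolute"] = read_file_unsafe(base, secret)
        results["safe_in_tree"] = read_file_safe(base, "minion.pub")
        for label, path in (("safe_dotdot", "../../master.pem"),
                            ("safe_absolute", secret),
                            ("safe_symlink", "link")):
            try:
                read_file_safe(base, path)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check compares canonical paths rather than string prefixes: a prefix test on `base` would wrongly accept a sibling directory such as `pki/master2`, and skipping `realpath` would let a symlink inside the tree reach files outside it.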

Detecting Vulnerable Salt Masters


F-Secure researchers said an initial scan revealed more than 6,000 vulnerable Salt instances exposed to the public internet.

Detecting possible attacks against susceptible masters, therefore, entails auditing both the messages the master publishes to minions and the traffic arriving at the request server. "Exploitation of the authentication vulnerabilities will result in the ASCII strings '_prep_auth_info' or '_send_pub' appearing in data sent to the request server port (default 4506)," the advisory added.
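The indicators above translate directly into a network detection. The following is an added example, not code from the advisory or the Salt project: a stdlib-only Python scanner that walks a libpcap capture (Ethernet/IPv4/TCP only), keeps segments destined for the request-server port 4506 described earlier, and reports any that carry the `_prep_auth_info` or `_send_pub` strings. The capture it scans is constructed inline; its msgpack-style payloads approximate Salt's request format rather than reproducing byte-exact messages, and the addresses are made up.

```python
"""Scan a libpcap capture for SaltStack CVE-2020-11651 exploitation indicators."""
import struct
from typing import Iterator, List, NamedTuple, Tuple

REQUEST_PORT = 4506                                # Salt master request server (default)
INDICATORS = (b"_prep_auth_info", b"_send_pub")    # strings named in the F-Secure advisory


class Hit(NamedTuple):
    src: str
    dst: str
    dport: int
    indicator: bytes


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def iter_tcp_segments(pcap: bytes) -> Iterator[Tuple[str, str, int, int, bytes]]:
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP frame.

    Minimal libpcap reader: Ethernet link type only, honours the IP IHL and
    TCP data-offset fields, performs no IP or TCP reassembly.
    """
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    link_type, = struct.unpack_from(end + "I", pcap, 20)
    if link_type != 1:
        raise ValueError("only Ethernet (link type 1) is supported")
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + caplen]
        off += caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                   # not TCP
        total_len, = struct.unpack_from("!H", frame, 16)
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_off = (frame[tcp + 12] >> 4) * 4
        payload = frame[tcp + data_off:14 + total_len]
        yield _ipv4(frame[26:30]), _ipv4(frame[30:34]), sport, dport, payload


def find_exploit_attempts(pcap: bytes) -> List[Hit]:
    """Report request-server segments carrying an advisory indicator string."""
    hits: List[Hit] = []
    for src, dst, _sport, dport, payload in iter_tcp_segments(pcap):
        if dport != REQUEST_PORT:
            continue
        for indicator in INDICATORS:
            if indicator in payload:
                hits.append(Hit(src, dst, dport, indicator))
    return hits


# --- constructed sample capture (not a real recording) -----------------------
def _frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


MASTER = "10.0.0.1"   # hypothetical master address
SAMPLE_PCAP = build_pcap([
    # ordinary minion request (msgpack-style {"cmd": "_auth"}, approximate)
    _frame("10.0.0.5", MASTER, 40000, 4506, b"\x81\xa3cmd\xa5_auth"),
    # exploit attempts from an outside host against the request server
    _frame("198.51.100.7", MASTER, 51234, 4506, b"\x81\xa3cmd\xaf_prep_auth_info"),
    _frame("198.51.100.7", MASTER, 51235, 4506, b"\x82\xa3cmd\xa9_send_pub\xa4load\x80"),
    # the same string on the publish channel (4505) is not an indicator per the advisory
    _frame(MASTER, "10.0.0.5", 4505, 33333, b"_send_pub"),
])

if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_PCAP):
        print(f"{hit.src} -> {hit.dst}:{hit.dport} contains {hit.indicator.decode()}")
```

Matching within a single segment keeps the example short but is also a blind spot: a request split across TCP segments, or framed by ZeroMQ across a segment boundary, would be missed, so for production detection reassemble streams in a tool such as Zeek or Suricata and apply the same content match there. Traffic on the publish port 4505 is ignored because the advisory ties the indicators to the request server; restricting which hosts can reach both ports, as the advisory recommends, remains the primary control.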

It's highly recommended that Salt users update to a patched release (3000.2, or the corresponding 2019.2.4 release on the 2019.2 branch).

"Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks," the researchers said.

This is a developing story and will be updated with more details as they become available.

Initial Source: The Hacker News
