Critical SaltStack vulnerability affects thousands of datacentres – ComputerWeekly.com

A series of critical vulnerabilities in SaltStacks open source Salt remote task and configuration framework will let hackers breeze past authentication and authorisation safeguards to take over thousands of cloud-based servers if left unpatched.

Salt is used in infrastructure, network and security automation solutions and is widely used to maintain datacentres and cloud environments. The framework comprises a master server acting as a central repository, with control over minion agents that carry out tasks and collect data.

The two vulnerabilities, which are assigned designations CVE-2020-11651 and CVE-2020-11652, were uncovered by F-Secure researchers in March 2020 while working on a client engagement.

They affect all versions of Salt up to 3000.1, and are considered so severe that they carry a Common Vulnerability Scoring System (CVSS) rating of 10, the highest possible.

Successfully exploited, they enable attackers to execute code remotely with root privileges on Salt master repositories, meaning they could, for example install backdoors into systems, carry out ransomware attacks, or take over systems to mine cryptocurrencies. F-Secure said it had already found 6,000 such repositories openly vulnerable on the public internet.

F-Secure principal consultant Olle Segerdahl said this meant the vulnerabilities were particularly dangerous and urged Salt users to download two new patches versions 3000.2 and 2019.2.4 that were issued by SaltStack on 29 April 2020, prior to the co-ordinated disclosure.

Patch by Friday or compromised by Monday, said Segerdahl. Thats how Id describe the dilemma facing admins who have their Salt master hosts exposed to the internet.

Patch by Friday or compromised by Monday thats how Id describe the dilemma facing admins who have their Salt master hosts exposed to the internet Olle Segerdahl, F-Secure

Segerdahl said the 6,000 Salt masters he found during the course of his research, which are popular in environments such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), were of particular concern.

I was expecting the number to be a lot lower. There are not many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet, he explained.

When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So if I were running one of these 6,000 masters, I wouldnt feel comfortable leaving work for the weekend knowing its a target.

Even though the publicly accessible Salt masters are highly at risk of exploitation, Segerdahl added that hosts hidden from the internet could still be exploited easily if attackers have already accessed their target organisations network in some other manner.

Organisations using Salt should take advantage of SaltStacks automated update capabilities to make sure their systems are patched as soon as possible. Those with exposed Salt hosts can use additional controls to restrict access to Salt master ports 4505 and 4506 on default configurations or at the very least block them from the public internet. SaltStacks website carries further guidance on how to do this.

Segerdahl said that looking on the bright side, he had found no evidence or reports of anyone exploiting the vulnerabilities in real-world attacks although it is very important to note that following disclosure this will likely change in short order.

F-Secure pointed out that any reasonably competent hacker should be able to create a 100% reliable exploit for the vulnerabilities within the next 24 hours due to this, the firm has not provided any proof-of-concept exploit code, as this risks harming Salt users who are slow to patch.

It is also possible for Salt users to detect attacks exploiting the vulnerabilities, said Segerdahl. Concerned organisations can and maybe should search the master host systems for any signs of intrusion the Salt master repository records scheduled jobs which defenders can examine.

Further details on the vulnerabilities can be found in F-Secure Labs advisory notice.

Excerpt from:
Critical SaltStack vulnerability affects thousands of datacentres - ComputerWeekly.com

Related Post

Comments are closed.