A series of critical vulnerabilities in SaltStack's open source Salt remote task and configuration framework will let hackers breeze past authentication and authorisation safeguards to take over thousands of cloud-based servers if left unpatched.
Salt is used in infrastructure, network and security automation solutions and is widely used to maintain datacentres and cloud environments. The framework comprises a master server acting as a central repository, with control over minion agents that carry out tasks and collect data.
The two vulnerabilities, assigned the designations CVE-2020-11651 and CVE-2020-11652, were uncovered by F-Secure researchers in March 2020 while working on a client engagement.
They affect all versions of Salt up to 3000.1, and are considered so severe that they carry a Common Vulnerability Scoring System (CVSS) rating of 10, the highest possible.
Successfully exploited, they enable attackers to execute code remotely with root privileges on Salt master repositories, meaning they could, for example, install backdoors into systems, carry out ransomware attacks, or take over systems to mine cryptocurrencies. F-Secure said it had already found 6,000 such repositories openly vulnerable on the public internet.
F-Secure principal consultant Olle Segerdahl said this made the vulnerabilities particularly dangerous, and urged Salt users to download the two new patched versions, 3000.2 and 2019.2.4, which SaltStack issued on 29 April 2020, prior to the co-ordinated disclosure.
"Patch by Friday or compromised by Monday," said Segerdahl. "That's how I'd describe the dilemma facing admins who have their Salt master hosts exposed to the internet."
Segerdahl said the 6,000 exposed Salt masters he found during the course of his research were of particular concern; Salt is popular in environments such as Amazon Web Services (AWS) and Google Cloud Platform (GCP).
"I was expecting the number to be a lot lower. There are not many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet," he explained.
"When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So if I were running one of these 6,000 masters, I wouldn't feel comfortable leaving work for the weekend knowing it's a target."
Even though the publicly accessible Salt masters are at the highest risk of exploitation, Segerdahl added that hosts hidden from the internet could still be exploited easily if attackers have already gained access to their target organisation's network in some other manner.
Organisations using Salt should take advantage of SaltStack's automated update capabilities to make sure their systems are patched as soon as possible. Those with exposed Salt hosts can use additional controls to restrict access to the Salt master ports (4505 and 4506 on default configurations), or at the very least block them from the public internet. SaltStack's website carries further guidance on how to do this.
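As an added illustration, not taken from the article or from SaltStack, the following Python helper triages raw `salt --version` output against the fixed releases named above (3000.2 and 2019.2.4); it assumes, beyond what the article states, that any release newer than those fixes is patched, and the sample inventory it runs over is constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Per the advisory coverage above: every release up to and including 3000.1
# is affected; the fixes shipped in 3000.2 (3000 series) and 2019.2.4
# (2019.2 series). Assumption not stated on the page: anything newer than
# those releases (a later 3000.x or a later series) carries the fix.
Version = Tuple[int, ...]

def parse_version(text: str) -> Optional[Version]:
    """Pull a version tuple out of strings such as 'salt 3000.1' or '2019.2.3'."""
    m = re.search(r"\b(\d{4})(?:\.(\d+))?(?:\.(\d+))?\b", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)

def is_vulnerable(version: Version) -> bool:
    """True when the version predates the fixed release for its series."""
    major = version[0]
    if major > 3000:
        return False  # later series: assumed patched (assumption, see above)
    if major == 3000:
        patch = version[1] if len(version) > 1 else 0
        return patch < 2  # 3000 and 3000.1 affected, 3000.2 and later fixed
    if major == 2019 and len(version) > 1 and version[1] == 2:
        patch = version[2] if len(version) > 2 else 0
        return patch < 4  # 2019.2.0 to 2019.2.3 affected, 2019.2.4 and later fixed
    return True  # every older series is affected

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'vulnerable' | 'patched' | 'unknown' from raw version strings."""
    result = {}
    for host, raw in inventory.items():
        v = parse_version(raw)
        if v is None:
            result[host] = "unknown"
        else:
            result[host] = "vulnerable" if is_vulnerable(v) else "patched"
    return result

# Constructed sample inventory: hostnames and outputs are made up for this example.
SAMPLE = {
    "master-a": "salt 3000.1",
    "master-b": "salt 3000.2",
    "master-c": "salt 2019.2.3 (Fluorine)",
    "master-d": "salt 2019.2.4 (Fluorine)",
    "master-e": "salt 2018.3.5 (Oxygen)",
    "master-f": "command not found",
}
```

Feed it the version strings collected from each master host and the "vulnerable" entries are the ones to patch or firewall first.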
Segerdahl said that, looking on the bright side, he had found no evidence or reports of anyone exploiting the vulnerabilities in real-world attacks, although it is very important to note that following disclosure this will likely change in short order.
F-Secure pointed out that any reasonably competent hacker should be able to create a 100% reliable exploit for the vulnerabilities within the next 24 hours. Because of this, the firm has not provided any proof-of-concept exploit code, as this risks harming Salt users who are slow to patch.
It is also possible for Salt users to detect attacks exploiting the vulnerabilities, said Segerdahl. Concerned organisations can, and perhaps should, search the master host systems for any signs of intrusion: the Salt master repository records scheduled jobs, which defenders can examine.
Further details on the vulnerabilities can be found in F-Secure Labs' advisory notice.