SaltStack Salt is Python-based, open-source software. The open-source framework was vulnerable at two points that let attackers execute arbitrary code on remote servers in data centres (a fix for the vulnerabilities was released in version 3000.2). F-Secure specialists found the flaws and worked through the exploitation of SaltStack Salt in their research.
Critical vulnerabilities detected in SaltStack Salt
Two vulnerabilities have been discovered in the SaltStack Salt open-source framework that could allow attackers to execute arbitrary code on remote servers in data centres and cloud environments. The vulnerabilities were discovered by F-Secure specialists in March this year and were disclosed this week, a day after the fix was released (framework version 3000.2).
The problems received the identifiers CVE-2020-11651 and CVE-2020-11652 and the maximum score of 10 in the CVSS vulnerability scoring system. The first is an authentication bypass vulnerability caused by the unintended exposure of functionality to unauthorized network clients. The second is a directory traversal vulnerability that exists due to insufficient validation of untrusted input (parameters in network requests). The problem allows access to the entire file system of the server.
SaltStack Salt is a powerful automation and remote execution engine that lets users run commands directly on multiple machines. The utility is designed to monitor and update servers and automates the distribution of software updates and configurations from a central repository using a “master node” that deploys changes to target servers in bulk.
Communication between the master node and the servers is carried out over the ZeroMQ bus. In addition, the “master node” uses two ZeroMQ channels: the “request server”, to which the servers send progress reports, and the “publish server”, where the “master node” publishes messages for the servers.
As F-Secure experts explained, the vulnerabilities affect the ZeroMQ protocol used in SaltStack Salt. With their help, an attacker with access to the “request server” can bypass authentication and authorization, publish arbitrary messages, read and write files in the “master node” file system, and steal the keys used to authenticate to the “master node” as a superuser. As a result, an attacker can remotely execute commands with superuser privileges on the “master node” and on all servers connected to it.
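The two bug classes described above, a function unintentionally exposed to unauthorized clients and a file read that never normalises untrusted path input, as an added toy model in Python (this is illustrative code, not Salt's own: VulnerableMaster, HardenedMaster, the placeholder key and the constructed file tree are assumptions), with a hardened variant beside each weak check:

```python
import os
import tempfile

class VulnerableMaster:
    def __init__(self, root):
        self.root = root
    def _issue_root_key(self):  # internal helper, yet reachable through dispatch()
        return "ROOT-KEY-PLACEHOLDER"  # constructed value, not a real key
    def read_file(self, relpath):  # '../' components in relpath walk out of root
        with open(os.path.join(self.root, relpath)) as fh:
            return fh.read()
    def dispatch(self, name, *args):
        if name.startswith("__"):  # weak filter: blocks dunder names only
            raise PermissionError(name)
        return getattr(self, name)(*args)

class HardenedMaster(VulnerableMaster):
    ALLOWED = frozenset({"read_file"})  # explicit allowlist of client-callable operations
    def read_file(self, relpath):
        base = os.path.realpath(self.root)
        target = os.path.realpath(os.path.join(base, relpath))
        if os.path.commonpath([base, target]) != base:  # resolved path left the root
            raise PermissionError(relpath)
        with open(target) as fh:
            return fh.read()
    def dispatch(self, name, *args):
        if name not in self.ALLOWED:
            raise PermissionError(name)
        return getattr(self, name)(*args)

def ask(master, name, *args):
    try:
        return master.dispatch(name, *args)
    except PermissionError:
        return "DENIED"

def demo():
    # Constructed tree: <tmp>/master/top.sls inside the root, <tmp>/outside.txt beyond it.
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "master")
    os.mkdir(root)
    for rel, text in (("master/top.sls", "base: {}\n"), ("outside.txt", "not yours\n")):
        with open(os.path.join(tmp, rel), "w") as fh:
            fh.write(text)
    results = {}
    for label, m in (("vuln", VulnerableMaster(root)), ("hard", HardenedMaster(root))):
        results[label + "_hidden_call"] = ask(m, "_issue_root_key")
        results[label + "_traversal"] = ask(m, "read_file", "../outside.txt")
        results[label + "_normal_read"] = ask(m, "read_file", "top.sls")
    return results
```

The hardened variant still serves the legitimate read while refusing both the hidden helper and the path that resolves outside the root.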