Two critical security vulnerabilities have recently been uncovered in the open-source **SaltStack Salt configuration framework**, posing significant risks to servers operating in both data center and cloud settings. These vulnerabilities could potentially enable threat actors to execute arbitrary code remotely.
The vulnerabilities, disclosed by F-Secure researchers this past Thursday, were identified earlier in March. The disclosure came shortly after SaltStack released a patch (version 3000.2) addressing both issues, which carry a CVSS score of 10, the highest possible severity and one that warrants immediate attention.
Categorized as CVE-2020-11651 and CVE-2020-11652, these vulnerabilities manifest as two distinct types. The first flaw involves an authentication bypass that inadvertently exposes certain functionalities to unauthenticated network clients. The second vulnerability represents a directory traversal flaw, where inadequately sanitized untrusted input could grant unrestricted access to the master server’s entire filesystem. According to F-Secure, both of these deficiencies could be exploited swiftly in the field.
SaltStack is calling on users to adopt best practices to enhance the security of their Salt environments. The research highlights a warning about the immediacy of these risks and encourages business owners to take proactive measures.
Salt is a Python-based automation and remote execution framework that lets users issue commands to many machines at once. Using a master-slave architecture, Salt simplifies the work of monitoring and updating server states: a central ‘master’ node pushes configuration changes and software updates out to multiple target ‘minion’ servers.
Communication within Salt occurs over the ZeroMQ message bus, functioning through two dedicated channels: a request server for receiving execution results from minions and a publish server for disseminating messages that minions subscribe to. The vulnerabilities reside within this ZeroMQ protocol.
F-Secure researchers underscored that an attacker gaining access to the request server could circumvent authentication and authorization controls, enabling them to send arbitrary control messages or manipulate files throughout the server’s filesystem. This would result in complete remote command execution as root, potentially affecting both the master and all connected minions.
Moreover, the directory traversal vulnerability in the wheel module, which is responsible for reading and writing files on the master, can expose files outside the intended directories because the path input is not adequately sanitized.
The research identified over 6,000 vulnerable Salt instances publicly available on the internet. To mitigate risks, businesses must audit their systems and monitor published messages for any signs of malicious activity. Specific indicators such as the ASCII strings “_prep_auth_info” or “_send_pub” in data to the request server port may signal exploitation attempts.
In light of these vulnerabilities, it is imperative that Salt users promptly update their software to the latest versions to minimize risks. Implementing network security controls that restrict access to the Salt master’s default ports (4505 and 4506) would further enhance system security, particularly as the current authentication and authorization mechanisms do not adequately protect against threats from hostile environments.
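The two defensive checks described above, flagging connections to the master's default ports from outside the expected minion address range and looking for the named indicator strings in data sent to the request server port, can be combined into one audit routine. This is an added example, not F-Secure's or SaltStack's code; the flow records, the `10.0.0.0/24` minion range and the msgpack-style payloads are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Indicator strings named in the advisory; their presence in data sent to the
# request server port suggests an attempt to reach the unauthenticated handlers.
INDICATORS = (b"_prep_auth_info", b"_send_pub")
# Salt master defaults: 4505 is the publish server, 4506 the request server.
PUBLISH_PORT, REQUEST_PORT = 4505, 4506


@dataclass
class Flow:
    src: str        # client IP that connected to the master
    dst_port: int   # master port the client connected to
    payload: bytes  # first bytes of the client's data


def flagged_reasons(flow, minion_nets):
    """Return the reasons this flow deserves a look (empty list if none)."""
    reasons = []
    src = ipaddress.ip_address(flow.src)
    if flow.dst_port in (PUBLISH_PORT, REQUEST_PORT) and not any(src in n for n in minion_nets):
        reasons.append(f"{flow.src} is outside the minion allowlist (port {flow.dst_port})")
    if flow.dst_port == REQUEST_PORT:
        for ind in INDICATORS:
            if ind in flow.payload:
                reasons.append(f"{ind.decode()} seen in request-server data from {flow.src}")
    return reasons


def audit(flows, minion_cidrs):
    """Return [(index, reasons)] for every flow that trips at least one check."""
    nets = [ipaddress.ip_network(c) for c in minion_cidrs]
    hits = []
    for i, flow in enumerate(flows):
        reasons = flagged_reasons(flow, nets)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample flows (not real captures). Salt frames are msgpack, in which
# string values are stored as raw ASCII, so the indicators are searchable as bytes.
MINION_NETS = ["10.0.0.0/24"]
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 4506, b"\x82\xa3cmd\xa5_auth\xa2id\xa7minion1"),  # ordinary minion auth
    Flow("203.0.113.7", 4506, b"\x81\xa3cmd\xaf_prep_auth_info"),      # outsider plus indicator
    Flow("10.0.0.9", 4506, b"\x81\xa3cmd\xa9_send_pub"),               # insider, indicator only
    Flow("203.0.113.7", 22, b"SSH-2.0-OpenSSH"),                       # not a Salt port
]

if __name__ == "__main__":
    for i, reasons in audit(SAMPLE_FLOWS, MINION_NETS):
        print(f"flow {i}:", "; ".join(reasons))
```

A hit from inside the minion range on the indicator check alone (the third sample flow) is worth following up too, since a compromised minion can reach the request server just as an outsider can.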
This incident highlights not only the necessity for immediate action but also the importance of continuous vigilance in cybersecurity practices to safeguard against evolving threats. Business owners are encouraged to remain informed and proactive in their defense strategies, as the stakes in cybersecurity continue to escalate.