leowolfert - Fotolia

Critical SaltStack vulnerabilities exploited in several data breaches

SaltStack patched two critical vulnerabilities in its software last week, but hackers used the flaws over the weekend to breach several unpatched networks and systems.

Several technology organizations have reported data breaches stemming from two critical SaltStack vulnerabilities that were first disclosed last week.

SaltStack's infrastructure automation and configuration management software, which used to maintain cloud servers and data centers, is built on the company's open source Salt framework. Last Thursday, F-Secure publicly disclosed two critical remote code execution vulnerabilities in the Salt framework -- CVE-2020-11651, an authentication bypass flaw, and CVE-2020-11652, a directory traversal bug; both flaws were patched in release 3000.2 of the framework, which SaltStack released the day before the disclosure.

The SaltStack vulnerabilities, which were first discovered by F-Secure researchers in March, allow an unauthorized individual who can connect to a Salt installation's "request server" port to circumvent any authorization requirements or access controls. As a result, an attacker can gain root control of both the "Master" Salt installation and the "minions" or agents that connect to it, according to F-Secure.

"A scan revealed over 6,000 instances of this service exposed to the public internet," F-Secure said in its advisory. "Getting all of these installs updated may prove a challenge as we expect that not all have been configured to automatically update the salt software packages."

F-Secure did not publish any proof-of-concept exploit code for the SaltStack vulnerabilities because of the "reliability and simplicity of exploitation." The cybersecurity vendor also warned that attacks were imminent. "We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," the advisory said.

Exploitation in the wild didn't occur quite that quickly, but it was close.

The data breaches

Several technology organizations were breached over the weekend in attacks that exploited the SaltStack vulnerabilities.

On May 2, LineageOS, an open source Android distribution, was breached. The organization announced on Twitter that "an attacker used a CVE in our saltstack master to gain access to our infrastructure" but that signing keys, builds and source code were unaffected. A timeline of the attack with additional details was documented on the LineageOS status page.

Also, on May 2, certificate authority DigiCert was breached. According to a public post in the Mozilla security group forum by Jeremy Rowley, executive vice president of product at DigiCert, a key used for signed certificate timestamps (SCTs) on the company's Certificate Transparency (CT) 2 log server was exposed in the breach. "The remaining logs remain uncompromised and run on separate infrastructure," Rowley wrote in a post on Sunday.

Update: In a statement to SearchSecurity, Rowley said CT2 log server was separated from the rest of DigiCert's network, and therefore no CA systems or other log servers were affected by the intrusion. "The Salt environment was not actually tied to DigiCert’s corporate environment. It was its own segmented environment," he said.

DigiCert announced Monday that it was deactivating the CT2 log server, though it didn't believe the exposed key was used to sign SCTs outside of the CT2 log server. However, as a precaution the company advised other certificate authorities that received DigiCert SCTs after 5 p.m. MDT on May 2 to obtain alternative SCTs.

Software maker Xen Orchestra was also breached over the weekend, according to a company blog post. The company documented the attack timeline, which began at 1:18 a.m. on May 3 when it discovered some parts of its infrastructure were unreachable. After launching a full investigation, Xen Orchestra identified the culprit as a "rogue" Salt minion process for cryptocurrency mining, which was found to be running on some of its VMs, according to the blog.

Xen Orchestra said it was fortunate in that no RPMs or GNU Privacy Guard (GPG) signing keys were affected in the breach, and there was no evidence that customer data or other sensitive information was compromised.

The company admitted it was caught off guard and underestimated the risk of having Salt Masters exposed to the public internet. "Luckily, the initial attack payload was really dumb and not dangerous," Xen Orchestra said in the post. "We are aware it might have been far more dangerous and we take it seriously as a big warning."

Open source blogging platform Ghost became yet another victim, suffering an attack that began at 1:30 a.m. on May 3, according to report on their status page. The organization determined an attacker used the CVEs to gain access to its infrastructure, which affected both Ghost(Pro) sites and Ghost.org billing services. Like Xen-Orchestra, Ghost determined the attackers deployed cryptomining malware on its infrastructure.

"The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately," the company wrote in its update, adding that fixes for the vulnerabilities were implemented. "At this time there is no evidence of any attempts to access any of our systems or data."

Ghost verified that no customer payment card data was affected in the breach, but that all sessions, passwords and keys were being reset and all servers were being reprovisioned as a precaution. In an updated status post on Monday, Ghost said all traces of the cryptomining malware had been eliminated.

The attacks continued after the weekend. Code 42, an IT services firm based in Nantes, France, (not to be confused with Code42, a U.S.-based backup and data protection vendor), took to Twitter Monday to announce its infrastructure was under attack through a "zeroday" in SaltStack. [Editor's note: The SaltStack vulnerabilities were not zero days as they had been patched prior to public disclosure and exploitation in the wild.]

SaltStack issued a statement confirming that attacks had occurred and urging customers to update their software to prevent further breaches and follow best practices to harden their Salt environments.

"Upon learning of the CVE, SaltStack took immediate action to develop and publish patches, and to communicate update instructions to our customers and users," Moe Abdula, senior vice president of engineering at SaltStack, wrote in a blog post. "Although there was no initial evidence the CVE had been exploited, we have confirmed that some vulnerable, unpatched systems have been accessed by unauthorized users since the release of the patches."

Dig Deeper on Data security and privacy