icetray - Fotolia

SaltStack discloses critical vulnerabilities, urges patching

The SaltStack vulnerabilities, disclosed Tuesday, allow remote attackers to execute arbitrary code on affected installations of the popular open source software.

SaltStack disclosed three new vulnerabilities, two of which are assessed to be critical, and is urging users to patch immediately.

In an advisory Tuesday, the open source organization announced it released a security update to Salt to address the vulnerabilities, listed as CVE-2020-16846, CVE-2020-17490 and CVE-2020-25592. The vulnerabilities impact Salt versions 3002 and earlier. The two critically rated flaws affect any users running the Salt API. In the case of CVE-2020-16846, a user could use shell injections with the Salt API using the SSH client, while CVE-2020-25592 allows Salt-netapi to improperly validate credentials and tokens.

The lower-rated vulnerability, CVE-2020-17490, affects any minions or masters that previously used the create_ca, create_csr and create_self_signed_cert functions in the TLS module. The advisory "strongly" recommended that users prioritize the update.

While CVE-2020-16846 and CVE-2020-17490 were discovered and submitted by "KPC" of Trend Micro Zero Day Initiative (ZDI), the advisory does not say how CVE-2020-25592 was found. Dustin Childs, communications manager at Trend Micro's ZDI, said the organization reported it to SaltStack privately in late August. "They had 120 days from that point to develop a fix. They released the update once they developed a patch."

However, BleepingComputer reported discrepancies in the disclosure timeline. Specifically, information about CVE-2020-16846 and a software fix were posted on GitHub.

In addition, SaltStack issued an advisory last week stating they were going to issue the advisory about these three vulnerabilities on Tuesday. "Given the critical nature of the vulnerability, we are advising all users to quickly apply the CVE release as soon as the packages are available," Alex Peay, director of Salt product management, wrote in the advisory.

SaltStack has not responded to requests for comment.

According to Childs, these vulnerabilities allow remote attackers to execute arbitrary code on affected Salt installations.

"No authentication is required to exploit the bugs. The specific flaw exists within the rest_cherrypy module. When parsing certain parameters, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage these vulnerabilities to execute code in the context of the salt-api process," he said.

Scott Caveza, research engineering manager at Tenable, said the vendor has not observed any exploitation in the wild; however, a Shodan search revealed over six thousand vulnerable Salt Master nodes.

There have been recent instances where SaltStack's disclosed vulnerabilities have been abused. For example, in May two critical vulnerabilities found and patched in SaltStack's software, were abused by threat actors to breach several organizations unpatched networks and systems.

The vulnerabilities, which were first discovered by F-Secure in March, allowed an unauthorized individual who can connect to a Salt installation's "request server" port to circumvent any authorization requirements or access controls. While exploitation wasn't immediate, threat actors took advantage two months later, impacting several technology organizations.

"These updates are reminiscent of what was observed in April, where two remotely exploitable vulnerabilities were patched by SaltStack. Only days after the disclosure of those vulnerabilities, active exploitation was observed as well as proof-of-concept (PoC) scripts released," Caveza said in an email to SearchSecurity. "In what feels like déjà vu, the recent advisory from SaltStack again includes two vulnerabilities that can be exploited by remote, unauthenticated attackers. While we have not observed exploitation of these new CVEs, with over 6,000 instances of Salt Master nodes currently internet-facing on Shodan, and given threat actors' previous interest, we do see potential for active exploitation and it's imperative that administrators apply these updates as soon as possible."

Dig Deeper on Risk management