Security researchers have discovered critical vulnerabilities in SaltStack’s Salt management framework that allow an attacker to execute code remotely with root privileges. This could see hackers hijack servers to mine for cryptocurrency or install backdoors to carry out more advanced attacks, such as ransomware or the theft of confidential data.

Salt, a Python-based, open source framework, is used to monitor and update data centre servers and is popular among enterprises. The software is a key part of the product offering of SaltStack, the company that maintains it. It allows IT professionals to carry out tasks remotely, but flaws discovered by consultants at Finnish cybersecurity firm F-Secure show that the framework is vulnerable to a remote code execution attack.

The vulnerabilities have been given the highest score – 10 – in the Common Vulnerability Scoring System.

Salt consists of a ‘master’ server and ‘minion’ agents that carry out tasks and collect data for the system. The first vulnerability, CVE-2020-11651, takes advantage of a “ClearFuncs” flaw to process unauthenticated requests and queue messages that cause the minions to “run arbitrary commands as root”.

The researchers also discovered that ClearFuncs could be exploited to return the “root key”.

“This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master,” the researchers note.

The second vulnerability, CVE-2020-11652, could see an attacker take advantage of a non-canonicalised directory path. If exploited, it could result in the “reading of files outside of the intended directory”.
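The bug class behind CVE-2020-11652, shown as an added example that is not Salt's code or SaltStack's patch: a file path joined to a base directory without canonicalisation, next to a check that canonicalises first and then enforces containment. The function names, directory layout and file names are hypothetical and constructed for the demonstration.

```python
import os
import tempfile


def naive_resolve(base_dir, requested):
    """Unsafe form: joins without canonicalising, so '..' segments survive."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir, requested):
    """Canonicalise first, then require the result to stay under base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks. An absolute `requested`
    # replaces `base` inside os.path.join and is caught by the check below.
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole components, so a sibling such as 'cache_old'
    # is not mistaken for a child of 'cache' as a startswith() test would.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{requested!r} resolves outside {base!r}")
    return target


def demo():
    """Check constructed requests against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "cache")
        os.makedirs(os.path.join(base, "minion1"))
        os.makedirs(os.path.join(root, "cache_old"))
        secret = os.path.join(root, "secret.key")
        with open(secret, "w") as fh:
            fh.write("constructed sample secret")
        os.symlink(root, os.path.join(base, "link"))  # points out of base
        requests = {"inside": "minion1/data", "dotdot": "../secret.key",
                    "sibling": "../cache_old/x", "symlink": "link/secret.key",
                    "absolute": secret}
        for label, req in requests.items():
            try:
                safe_resolve(base, req)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "rejected"
        # The unsafe join happily reaches the file outside the base directory.
        results["naive_escapes"] = os.path.exists(naive_resolve(base, "../secret.key"))
    return results


if __name__ == "__main__":
    print(demo())
```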

More technical details about the vulnerabilities can be found on F-Secure’s blog.

SaltStack vulnerability: “Patch by Friday or compromised by Monday”

An F-Secure scan revealed that 6,000 Salt instances with the vulnerability were connected to the internet.

“I was expecting the number to be a lot lower,” said F-Secure Principal Consultant Olle Segerdahl, one of the researchers that discovered the vulnerability.

“There’s not many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet. When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them.

“So if I were running one of these 6,000 masters, I wouldn’t feel comfortable leaving work for the weekend knowing it’s a target.”

While F-Secure found no evidence that the vulnerability has been exploited, its researchers note that “lack of suspicious jobs should not be interpreted as absence of exploitation”.

“Exploitation is trivial,” Segerdahl told Verdict. “Anyone with some python coding experience will be able to produce a 100% reliable exploit in very little time.

“The amount of exposed vulnerable hosts is what sets this one apart from previous disclosures. 6,000+ salt masters exposed on the public internet, each one controlling who knows how many minions. This large exposure along with the ease of automatically exploiting all exposed instances at once is pretty unusual.”

F-Secure discovered the SaltStack vulnerability during a client engagement in mid-March. The vulnerability affects those running Salt version 3000.1 and earlier.

SaltStack has since rolled out a patch in release 3000.2 and is encouraging Salt users to turn on its auto-update feature to ensure protection.

In a statement posted on GitHub last week, SaltStack warned users to “ensure Salt masters are not exposed to the internet” while it rolled out a fix and that “only authorised systems can connect to them”.

“Patch by Friday or compromised by Monday,” said Segerdahl. “That’s how I’d describe the dilemma facing admins who have their Salt master hosts exposed to the internet.”

Alex Peay, SVP, product and marketing at SaltStack, said: “A critical vulnerability was discovered in Salt Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier. The vulnerability occurs if a Salt Master is exposed to the open internet.

“Upon notification, SaltStack took immediate action to remediate the vulnerability, develop and issue patches, and communicate to our customers about the affected versions so they can prepare their systems for update. As the primary maintainers of the Salt Open Project, trusted by the world’s largest businesses to automate digital infrastructure operations and security, we take this vulnerability and the security of our platform very seriously.”

More information from SaltStack about the vulnerabilities can be found here.

