Alert - SaltStack Vulnerabilities Actively Exploited

Number: AL20-015
Date: 5 May 2020

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may redistribute it to appropriate audiences.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

On 1 May 2020 SaltStack released v3000.2 and v2019.2.4 of its open source Salt product to address two critical vulnerabilities that can result in remote command execution as root. Salt is a Python-based management framework often used in data centres and cloud servers to centrally monitor and update enterprise systems.

There are reports of vulnerable Salt systems being actively exploited in the wild, including the malicious installation of unauthorized crypto-mining software.

DETAILS

Servers being managed by Salt run a “minion” agent and connect back to a central “master” server to both report their status and retrieve update messages to act on. The master server listens for the status reports on TCP port 4505 and publishes tasking commands for the managed servers to process on TCP port 4506 (both default ports).

Exploitation is possible because of two separate vulnerabilities. The first, CVE-2020-11651, is an authentication bypass that unintentionally allows unauthenticated network access. The second, CVE-2020-11652, is a directory traversal that permits access to the entire server filesystem.

Successful exploitation of vulnerable systems is possible when the two ports used by the master server are exposed to the Internet and unauthorized actors can connect to them.

SUGGESTED ACTION

It is recommended that administrators update their installations to the latest, patched version. SaltStack also recommends installs be configured to automatically retrieve updates from the SaltStack repository server.

Network configurations should be examined to ensure that administrative ports for the Salt servers are not exposed to the Internet. Additional hardening techniques are noted in the references below.
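As an added example (not part of this Alert and not SaltStack's own code), the following Python script implements the two checks the Alert calls for: whether a reported Salt version is at or above the fixed releases 3000.2 / 2019.2.4, and whether the master's 4505/4506 listeners are bound to all interfaces, parsed from `ss -Hltn` output. The treatment of releases outside the two fixed branches and the sample `ss` output are assumptions.

```python
# Added example based on Alert AL20-015; not Cyber Centre or SaltStack code.
import re

# Fixed releases named in the Alert; versions compare as integer tuples.
FIXED = {2019: (2019, 2, 4), 3000: (3000, 2)}
SALT_PORTS = {4505, 4506}                 # default master ports
WILDCARD = {"0.0.0.0", "*", "::", "[::]"}  # "bound to every interface"

def parse_version(text):
    """Extract the numeric tuple from e.g. 'salt 3000.1' or '2019.2.3'."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))

def is_patched(text):
    """True if the version is at or above the Alert's fixed release for its branch."""
    v = parse_version(text)
    if v[0] == 2019:
        return v >= FIXED[2019]
    if v[0] == 3000:
        return v >= FIXED[3000]
    # Assumption: later majors (3001+) carry the fix; older branches (2018.3
    # and earlier) are treated as unpatched since the Alert names no fix for them.
    return v[0] > 3000

def exposed_salt_listeners(ss_output):
    """Return (port, address) for Salt ports listening on a wildcard address.

    Expects `ss -Hltn` lines: State Recv-Q Send-Q Local:Port Peer:Port."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # keeps "[::]" intact
        if port.isdigit() and int(port) in SALT_PORTS and addr in WILDCARD:
            hits.append((int(port), addr))
    return hits

# Constructed sample output (not from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1000 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 1000 10.20.0.5:4506 0.0.0.0:*
LISTEN 0 1000 [::]:4506 [::]:*
"""

if __name__ == "__main__":
    for v in ("salt 3000.1", "salt 3000.2", "salt 2019.2.3", "salt 2019.2.4"):
        print(v, "patched" if is_patched(v) else "UPDATE REQUIRED")
    for port, addr in exposed_salt_listeners(SAMPLE_SS):
        print("Salt port %d bound to %s: confirm it is firewalled from the Internet" % (port, addr))
```

A wildcard bind is only an indicator; a host bound to 0.0.0.0 that sits behind a firewall restricting 4505/4506 to the minion network meets the Alert's recommendation.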

REFERENCES

SaltStack Announcement:
https://help.saltstack.com/hc/en-us/articles/360043056331-New-SaltStack-Release-Critical-Vulnerability

Salt Hardening:
https://docs.saltstack.com/en/latest/topics/hardening.html

F-Secure Labs Advisory:
https://labs.f-secure.com/advisories/saltstack-authorization-bypass


NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.

The Cyber Centre can be contacted at:
Email: contact@cyber.gc.ca
Toll Free: 1-833-CYBER-88 (1-833-292-3788)