Proof of concept code published for latest Saltstack CVE: Don't be an update laggard • The Register
Any user could become root, warns Immersive Labs researcher
Gareth Corfield Wed 3 Mar 2021 // 16:47 UTC
Proof of concept code has been published for a vulnerability in popular data centre security management tool Saltstack, which was discovered after a developer at Immersive Labs found a privilege escalation bug allowing any old user to become root.
SaltStack offers open-source, Python-based automation tools and was acquired by VMware in October last year.
Salt and pepper
Last year Salt patched two CVEs – CVE-2020-11651 and CVE-2020-11652 – after researchers from F-Secure spotted an authentication bypass and a directory traversal vuln. Famously, the combo exposed those with Salt installations to complete control by an attacker.
Systems that were not set to automatically update from SaltStack's repo seemingly included Google-free Android-based LineageOS, online publisher Ghost and even slinger of SSL/TLS certificates DigiCert, all of which were hit last year soon after the vulns were discovered. A scan by F-Secure at the time found over 6,000 instances exposed to the public internet.
Later last year, the outfit patched three bugs in its code – CVE-2020-16846, CVE-2020-17490, and CVE-2020-25592 – two of them seemingly critical.
The latest CVE is a command injection flaw that leads to privilege escalation, according to Immersive Labs, whose Matt Rollings found the vuln.
Numbered CVE-2020-28243, the bug has a CVSSv3.0 rating of 7.0. Not only does it affect all versions of Salt between 2016.3.0rc2 and 3002.2, but it also “could be performed from within a container to gain command execution as root on the host machine,” as Rollings warned.
“This allowed any local user to escalate their privileges to root, provided they were able to create files on the minion in a directory that was not explicitly forbidden,” wrote Rollings in a blog post with his findings.
Salt runs through a master-minion setup: the master is a server that issues commands to the minions connected to it, and the minions receive and execute those commands.
Minions occasionally run a Salt module called restartcheck, which looks for processes that still hold open files deleted by a package update and so need a restart. Crafted process names could be fed to restartcheck. This can be done “when the process has open file descriptors associated with (deleted) at the end of a filename” as Rollings warned, adding: “Note, the leading space is required for the injection to function.”
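To show the defensive side of the bug described above, here is an added illustration (not Salt's restartcheck code and not from Rollings' post): it parses the kernel's " (deleted)" marker on open-file targets, flags file names that carry shell-only characters such as a leading space or a semicolon, and builds any follow-up command as an argv list instead of a shell string. The function and sample names are this example's own assumptions, and the fd targets are constructed inline.

```python
"""Audit helper in the spirit of restartcheck: find processes holding open
file descriptors to deleted files, without letting a file name reach a shell."""
import os
import re
from typing import Dict, List, Tuple

DELETED_MARK = " (deleted)"  # suffix the kernel appends to unlinked link targets
# Characters that only matter to a shell; a genuine library path never needs them.
SHELL_META = re.compile(r"[\s;&|`$(){}<>'\"\\*?\[\]~]")

def split_deleted(target: str) -> Tuple[str, bool]:
    """Strip the kernel marker, returning (path, was_deleted)."""
    if target.endswith(DELETED_MARK):
        return target[: -len(DELETED_MARK)], True
    return target, False

def looks_injected(path: str) -> bool:
    """True when a file name contains characters that would change meaning
    if the name were interpolated into a shell command string."""
    return SHELL_META.search(path) is not None

def deleted_files(fd_targets: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """pid -> deleted paths still held open (the 'needs restart' signal)."""
    found = {}
    for pid, targets in fd_targets.items():
        paths = [path for path, gone in map(split_deleted, targets) if gone]
        if paths:
            found[pid] = paths
    return found

def suspicious(fd_targets: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """pid -> deleted paths whose names look crafted rather than like a library."""
    return {pid: [p for p in paths if looks_injected(p)]
            for pid, paths in deleted_files(fd_targets).items()
            if any(looks_injected(p) for p in paths)}

def owner_query(path: str) -> List[str]:
    """Hardened form: an argv list for subprocess.run() with no shell, so any
    metacharacter in path stays data. The unsafe pattern is a format string
    handed to a shell."""
    return ["dpkg", "-S", path]

def proc_fd_targets(pid: int) -> List[str]:
    """Live equivalent of the constructed input below (Linux, needs permission)."""
    fd_dir = f"/proc/{pid}/fd"
    return [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]

# Constructed sample: what readlink on /proc/<pid>/fd/* might return.
SAMPLE_FDS = {
    1234: ["/usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)", "/dev/null"],
    1235: ["/tmp/report; final.so (deleted)", "/var/log/app.log"],
}
```

Running `suspicious(SAMPLE_FDS)` on a real minion's fd listing gives a cheap host-side check that a name carrying shell metacharacters has been planted near restartcheck's input.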
The Salt Project itself patched the vuln in February, at the time warning: “In the recent past, we have gone above and beyond our lifecycle policy in good faith to fix critical issues in versions no longer supported. Going forward, this will be the exception and not standard practice.”
Proof of concept code for the exploit has also been published on GitHub, meaning orgs using Saltstack really should update it immediately if they haven’t already done so.