Critical SaltStack RCE Bug (CVSS Score 10) Affects Thousands of Data Centers

saltstack remote code execution vulnerability

Two severe security flaws have been discovered in the open-source SaltStack Sat configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments.

The vulnerabilities were identified by F-Secure researchers earlier this March and disclosed on Thursday, a day after SaltStack released a patch (version 3000.2) addressing the issues, rated with CVSS score 10.

“The vulnerabilities, allocated CVE IDs CVE-2020-11651 and CVE-2020-11652, are of two different classes,” the cybersecurity firm said.

“One being authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other being directory traversal where untrusted input (i.e., parameters in network requests) was not sanitized correctly allowing unconstrained access to the entire filesystem of the master server.”

The researchers warned that the flaws could be exploited in the wild imminently. SaltStack is also urging users to follow the best practices to secure the Salt environment.

Vulnerabilities in ZeroMQ Protocol

Salt is a powerful Python-based automation and remote execution engine that’s designed to allow users to issue commands to multiple machines directly.

Built as a utility to monitor and update the state of servers, Salt employs a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a “master” node that deploys the changes to a target group of “minions” (e.g., servers) en masse.

The communication between a master and minion occurs over the ZeroMQ message bus. Additionally, the master uses two ZeroMQ channels, a “request server” to which minions report the execution results and a “publish server,” where the master publishes messages that the minions can connect and subscribe to.

According to F-Secure researchers, the pair of flaws reside within the tool’s ZeroMQ protocol.

“The vulnerabilities described in this advisory allow an attacker who can connect to the ‘request server’ port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root,” the researchers said.

“The impact is full remote command execution as root on both the master and all minions that connect to it.”

In other words, an attacker can exploit the flaws to call administrative commands on the master server as well as queue messages directly on the master publish server, thereby allowing the salt minions to run malicious commands.

What’s more, a directory traversal vulnerability identified in the wheel module — which has functions to read and write files to specific locations — can permit reading of files outside of the intended directory due to a failure to properly sanitize file paths.

Detecting Vulnerable Salt Masters

F-Secure researchers said an initial scan revealed more than 6,000 vulnerable Salt instances exposed to the public internet.

Detecting possible attacks against susceptible masters, therefore, entails auditing published messages to minions for any malicious content. “Exploitation of the authentication vulnerabilities will result in the ASCII strings “_prep_auth_info” or “_send_pub” appearing in data sent to the request server port (default 4506),” it added.

It’s highly recommended that Salt users update the software packages to the latest version.

“Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks,” the researchers said.