Security advisories | May 04, 2020

SaltStack Vulnerabilities Exploited

THE THREAT

On April 30th, 2020, cybersecurity firm F-Secure announced two major vulnerabilities affecting the "Salt" management framework; and as of May 2nd, 2020, the vulnerabilities were exploited by threat actors in the wild [1]. Salt is a widely used configuration tool created by the opensource project SaltStack. If exploited. the vulnerabilities allow for an unauthenticated threat actor to perform remote code execution with root permissions on affected devices. After performing a business impact review, all organizations using SaltStack are highly recommended to apply security patches.

What we’re doing about it

  • Detecting vulnerability through MVS (formerly esRECON) plugins
  • Tracking Indicators of Compromise (IoCs) relating to attacks exploiting the vulnerabilities
  • Detecting indicators associated with real world attacks with esNETWORK

What you should do about it

  • Apply the official SaltStack security patches (version 3000.2 and 2019.2.4) [2]
  • The released patch will break the publish module’s runner method due to a typo in the patch [3]
  • Adding network security controls that restrict access to the salt master (ports 4505 and 4506) to known minions or block the wider Internet.

Additional information

The vulnerabilities stem from the default communication protocol, ZeroMQ, used in Salt. There are two separate vulnerabilities that attackers can exploit in unison to allow for unauthenticated remote code execution on the master and minion agents on Salt managed systems.  CVE-2020-11651 allows for authentication bypass, while CVE-2020-11652 is used for directory traversal. 

As of April 30th, 2020, F-Secure was able to identify over 6,000 vulnerable instances exposed to the public which could be exploited. A recent report indicates that these vulnerabilities are actively being exploited; threat actors used the two vulnerabilities to breach servers related to core infrastructure for the mobile operating system LineageOS [4].

References:

[1] https://labs.f-secure.com/advisories/saltstack-authorization-bypass

[2] https://repo.saltstack.com/

[3] https://docs.saltstack.com/en/latest/topics/releases/3000.2.html

[4] https://www.zdnet.com/article/hackers-breach-lineageos-servers-via-unpatched-vulnerability/