
CVE-2020-11651, CVE-2020-11652: Critical Salt Framework Vulnerabilities Exploited in the Wild

Shortly after the public disclosure of critical vulnerabilities in the Salt framework, exploitation attempts were observed, as two open source projects were breached using these flaws

Update 05/04/20: The proof-of-concept section has been updated to reflect the availability of PoC scripts.

Background

On April 30, F-Secure Labs published an advisory for two vulnerabilities in the open-source and commercial Salt management framework, which is used in data centers and cloud environments as a configuration, monitoring, and update tool. Salt uses a “master” server that controls agents known as “minions,” which collect data for the system and carry out tasks. All versions prior to 2019.2.4 and 3000.2 are vulnerable.

Analysis

CVE-2020-11651 is an authentication bypass in two methods of the ClearFuncs class. The first method, _send_pub(), is unintentionally exposed, allowing an attacker to queue messages on the master server that can be used to cause minion agents to execute arbitrary code. The second method, _prep_auth_info(), allows remote command execution on the master server, because an attacker can obtain the “root key,” which is used to authenticate commands sent to the master server from the local machine.

CVE-2020-11652 is a directory traversal flaw in the “wheel” module, which is used to read and write files. The get_token() method of the salt.tokens.localfs module allows the insertion of “..” path elements, and in turn the reading of files outside of the intended directory. This occurs because the token input parameter, which is used as a filename, is not correctly sanitized; the only limitation is that “the file has to be deserializable by salt.payload.Serial.loads().”
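To make the traversal concrete from the defender's side, the following added example (not Salt's own code) contrasts the vulnerable pattern, a caller-supplied token used directly as a filename, with a hardened check that rejects path separators and “..” components and then verifies that the resolved path still lies inside the token directory. The token directory name and the cache root used in the demo are assumptions, not values from the advisory.

```python
import os
import tempfile

# Added example in the spirit of the CVE-2020-11652 fix. This is NOT Salt's
# own code; the "tokens" subdirectory name is an assumption.
TOKEN_DIR_NAME = "tokens"


def naive_token_path(cache_root: str, token: str) -> str:
    """Vulnerable pattern: the token is joined straight into the path, so a
    token containing '..' components escapes the token directory."""
    return os.path.join(cache_root, TOKEN_DIR_NAME, token)


def safe_token_path(cache_root: str, token: str) -> str:
    """Hardened form: reject obviously bad tokens up front, then confirm the
    resolved path is still inside the token directory."""
    if not token or token in (".", "..") or "/" in token or "\\" in token or "\x00" in token:
        raise ValueError("invalid token id")
    token_dir = os.path.realpath(os.path.join(cache_root, TOKEN_DIR_NAME))
    candidate = os.path.realpath(os.path.join(token_dir, token))
    # commonpath (rather than a startswith test) avoids prefix collisions such
    # as "/cache/tokens_other" matching "/cache/tokens" and follows symlinks.
    if os.path.commonpath([token_dir, candidate]) != token_dir:
        raise ValueError("token path escapes token directory")
    return candidate


def escapes_token_dir(cache_root: str, token: str) -> bool:
    """Report whether the naive join would resolve outside the token directory."""
    token_dir = os.path.realpath(os.path.join(cache_root, TOKEN_DIR_NAME))
    resolved = os.path.realpath(naive_token_path(cache_root, token))
    return os.path.commonpath([token_dir, resolved]) != token_dir


def demo() -> dict:
    """Run the hardened check over a few constructed token ids."""
    root = tempfile.mkdtemp()  # throwaway cache root, constructed for the demo
    os.makedirs(os.path.join(root, TOKEN_DIR_NAME))
    results = {}
    for tok in ("abc123", "../master.pem", "sub/dir"):
        try:
            safe_token_path(root, tok)
            results[tok] = "accepted"
        except ValueError:
            results[tok] = "rejected"
    return results


if __name__ == "__main__":
    for tok, verdict in demo().items():
        print(f"{tok!r}: {verdict}")
```

The up-front character check catches the common cases; the realpath/commonpath comparison is the backstop that holds even if a future token encoding slips something past the first test.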

Both of these vulnerabilities are exploitable by a remote, unauthenticated attacker. Combining the two could result in “full remote command execution as root on both the master and all minions that connect to it” and could be used to configure new resources on cloud instances. F-Secure also noted in their advisory that a “scan revealed over 6,000 instances of this service exposed to the public Internet” and that “any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours.”

LineageOS breached as active exploitation attempts begin

On May 2, LineageOS, a free and open-source Android OS, published a tweet stating that an attacker used a SaltStack vulnerability to gain access to their infrastructure. LineageOS noted that signing keys, builds and source code were unaffected, but the incident resulted in some downtime. LineageOS says they will continue to update their status here.

On May 3, reports of active exploitation of these vulnerabilities surfaced, with Kevin Breen of Immersive Labs posting evidence of attacks against his SaltStack honeypots to his Twitter feed. Kevin followed up on his original tweet stating that “this was against 3 geographically dispersed honeypots. So it's internet-wide scan and exploit.” The observed payload was run on all of the connected minions rather than on the Salt master.

Ghost blogging platform breached using these vulnerabilities

On May 3, Ghost, an open-source blogging platform, was the victim of a cyberattack. An investigation was started and is being tracked here. Ghost has since confirmed that attackers exploited “a critical vulnerability in our server management infrastructure (Saltstack, CVE-2020-11651 CVE-2020-11652)” to breach their systems. They first became aware of the intrusion when the attackers used these vulnerabilities in an attempt to mine cryptocurrency on their servers, causing a spike in CPU usage that eventually overloaded their systems.

Proof of concept

F-Secure stated in their advisory that they will not be releasing their proof of concept (PoC) for these vulnerabilities. However, several PoC scripts [1, 2, 3, 4] have since been published to GitHub.

Our blog previously referenced a GitHub gist from Ollie Whitehouse, chief technical officer at NCC Group, as a PoC. However, the gist is not a PoC, but rather a list of commands observed post-compromise.

Solution

The SaltStack engineers patched these vulnerabilities in versions 2019.2.4 and 3000.2, which were released on April 29. If it is not possible to patch at this time, it is advised to add “network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet.”

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.
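Besides the plugins, a quick first pass over an inventory is to compare each host's reported Salt version against the fixed releases named above (2019.2.4 and 3000.2). The following added example (not Tenable's or SaltStack's code) parses version strings such as the output of `salt --version` or `salt '*' test.version` and flags hosts that still need patching. The sample inventory is constructed, and treating every branch newer than 3000 as fixed is an assumption; the post itself only names those two releases.

```python
import re

# Added example: classify Salt version strings against the fixed releases
# named in the advisory. Sample data below is constructed, not real hosts.
FIXED_RELEASES = ((2019, 2, 4), (3000, 2))


def parse_salt_version(text: str) -> tuple:
    """Extract the leading dotted numeric version from strings like
    "salt 3000.1", "2019.2.3" or "3000"."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix on its release line."""
    v = parse_salt_version(version)
    if v[0] < 3000:
        # Year-based branches: 2018.3.x and anything before 2019.2.4 is
        # vulnerable; 2019.2.4 and later on the 2019.2 line are fixed.
        return v < FIXED_RELEASES[0]
    if v[0] == 3000:
        # "3000", "3000.0" and "3000.1" predate the 3000.2 fix.
        return v < FIXED_RELEASES[1]
    # Assumption: 3001 and later ship the fix.
    return False


def hosts_needing_patch(inventory: dict) -> list:
    """inventory maps hostname -> version string; returns sorted hostnames
    that are still on a vulnerable release."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory, e.g. collected with `salt '*' test.version`.
SAMPLE_INVENTORY = {
    "master01": "salt 3000.1",
    "web01": "2019.2.3",
    "web02": "2019.2.4",
    "db01": "3000.2",
    "legacy01": "2018.3.4",
}


if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> patch required")
```

Tuple comparison handles the mixed version schemes cleanly: a bare "3000" parses as (3000,) and sorts below (3000, 2), so it is correctly reported as vulnerable.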

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
