CVE-2020-11651, CVE-2020-11652: Critical Salt Framework Vulnerabilities Exploited in the Wild

On April 30, F-Secure Labs published an advisory for two vulnerabilities in the open-source and commercial Salt management framework, which is used in data centers and cloud environments as a configuration, monitoring, and update tool. Salt utilizes a “master” server that controls “minion” agents that collect data for the system and carries out tasks. All versions prior to 2019.2.4 and 3000.2 are vulnerable.

CVE-2020-11651 is an authentication bypass in two methods of the ClearFuncs class. The first method, _send_pub(), is unintentionally exposed, allowing an attacker to queue messages on the master server that can be used to cause minion agents to execute arbitrary code. The second method, _prep_auth_info() allows for the remote execution of commands on the master server as an attacker can obtain the “root key,” which is used to authenticate commands on the master server from a local machine.

CVE-2020-11652 is a directory traversal security flaw in the “wheel” module that is used to read and write files. The get_token() method of the salt.tokens.localfs allows for the insertion of “..” path elements, and in turn the reading of files outside of the intended directory. This occurs due to the failure to correctly sanitize the token input parameter, which is used as a filename with the only limitation being that “the file has to be deserializable by salt.payload.Serial.loads().”

Both of these vulnerabilities are exploitable by a remote, unauthenticated attacker. Combining these two vulnerabilities could result in “full remote command execution as root on both the master and all minions that connect to it" and could be used to configure new resources on cloud instances. F-Secure also noted in their advisory that a “scan revealed over 6,000 instances of this service exposed to the public Internet” and that “any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours."

For more information, including plugin availability, please visit our blog.