Critical SaltStack vulnerability affects thousands of datacentres
Critical vulnerabilities in the Salt remote task and configuration framework enable hackers to take control of cloud servers and must be patched right away
A series of critical vulnerabilities in SaltStack’s open source Salt remote task and configuration framework will let hackers breeze past authentication and authorisation safeguards to take over thousands of cloud-based servers if left unpatched.
Salt is used in infrastructure, network and security automation solutions and is widely used to maintain datacentres and cloud environments. The framework comprises a ‘master’ server acting as a central repository, with control over ‘minion’ agents that carry out tasks and collect data.
The two vulnerabilities, which are assigned designations CVE-2020-11651 and CVE-2020-11652, were uncovered by F-Secure researchers in March 2020 while working on a client engagement.
They affect all versions of Salt up to 3000.1, and are considered so severe that they carry a Common Vulnerability Scoring System (CVSS) rating of 10, the highest possible.
Successfully exploited, they enable attackers to execute code remotely with root privileges on Salt master repositories, meaning they could, for example install backdoors into systems, carry out ransomware attacks, or take over systems to mine cryptocurrencies. F-Secure said it had already found 6,000 such repositories openly vulnerable on the public internet.
F-Secure principal consultant Olle Segerdahl said this meant the vulnerabilities were particularly dangerous and urged Salt users to download two new patches – versions 3000.2 and 2019.2.4 – that were issued by SaltStack on 29 April 2020, prior to the co-ordinated disclosure.
“Patch by Friday or compromised by Monday,” said Segerdahl. “That’s how I’d describe the dilemma facing admins who have their Salt master hosts exposed to the internet.”
“Patch by Friday or compromised by Monday – that’s how I’d describe the dilemma facing admins who have their Salt master hosts exposed to the internet”
Olle Segerdahl, F-Secure
Segerdahl said the 6,000 Salt masters he found during the course of his research, which are popular in environments such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), were of particular concern.
“I was expecting the number to be a lot lower. There are not many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet,” he explained.
“When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So if I were running one of these 6,000 masters, I wouldn’t feel comfortable leaving work for the weekend knowing it’s a target.”
Even though the publicly accessible Salt masters are highly at risk of exploitation, Segerdahl added that hosts hidden from the internet could still be exploited easily if attackers have already accessed their target organisation’s network in some other manner.
Organisations using Salt should take advantage of SaltStack’s automated update capabilities to make sure their systems are patched as soon as possible. Those with exposed Salt hosts can use additional controls to restrict access to Salt master ports – 4505 and 4506 on default configurations – or at the very least block them from the public internet. SaltStack’s website carries further guidance on how to do this.
Segerdahl said that looking on the bright side, he had found no evidence or reports of anyone exploiting the vulnerabilities in real-world attacks – although it is very important to note that following disclosure this will likely change in short order.
F-Secure pointed out that any reasonably competent hacker should be able to create a 100% reliable exploit for the vulnerabilities within the next 24 hours – due to this, the firm has not provided any proof-of-concept exploit code, as this risks harming Salt users who are slow to patch.
It is also possible for Salt users to detect attacks exploiting the vulnerabilities, said Segerdahl. Concerned organisations can and maybe should search the master host systems for any signs of intrusion – the Salt master repository records scheduled jobs which defenders can examine.
Misconfigured AWS installations risk billions of records being exposed, damaging organisations’ finances and reputations, but securing Amazon’s storage buckets is a simple matter.
Akamai and AWS are among a group of cloud and content delivery network providers to participate in a global initiative to address the security threats to internet routing systems.
Establish consistent security measures across distributed environments. Automate configuration management and increase monitoring and training to reduce multi-cloud vulnerabilities.
