Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CVE-2020-16846, CVE-2020-25592: Critical Vulnerabilities in Salt Framework Disclosed

SaltStack recommends immediate patching after their disclosure of three new vulnerabilities, two of which are rated critical and can be remotely exploited without authentication.

Background

On October 30, SaltStack published a pre-announcement advisory regarding three new vulnerabilities which had been discovered in Salt versions 3002 and earlier. The pre-announcement advisory stated that two of the vulnerabilities were likely to be rated high or critical severity and that updates would be released on November 3. In the November 3 advisory, SaltStack provided additional details about these CVEs and included a strong recommendation to prioritize these updates.

Analysis

CVE-2020-16846 is a critical shell injection vulnerability in the netapi Salt SSH client. According to the advisory, an unauthenticated attacker could use shell injection to execute arbitrary code on the Salt-API via the Salt SSH client. Interestingly, the patch was pushed to SaltStack’s GitHub on August 18th, though it’s not clear why the update and details were only recently disclosed. Based on the patch details, the fix prevents Popen with shell=True in the Salt SSH client.


Image Source: SaltStack Github Repository

CVE-2020-25592 is an improper authentication vulnerability affecting users running the Salt API. Due to a validation issue when calling Salt SSH via the salt-api, an attacker could bypass authentication by simply supplying any value for “eauth” or “token” which would grant them the ability to run commands using Salt SSH.

CVE-2020-17490 is a low severity vulnerability in the SaltStack TLS module affecting any minions or masters which have used the create_ca, create_csr, and create_self_signed_cert functions. According to the information provided, private keys were created with world-readable permissions when these functions were used. The patch corrects this to ensure that private keys are not created with world-readable permissions.

Both CVE-2020-16846 and CVE-2020-17490 are credited to a researcher going by the nickname KPC, who reported these vulnerabilities through Trend Micro’s Zero Day Initiative (ZDI). KPC is also credited with four ZDI IDs which are listed in the upcoming advisories page, though we cannot confirm if those IDs are related to the recently disclosed vulnerabilities.


Image Source: Zero Day Initiative Upcoming Advisories

Ghosts of Vulnerabilities Past

The announcement of these critical vulnerabilities is reminiscent of flaws in the Salt framework disclosed earlier in the year. CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal vulnerability, were both seen actively exploited just days after their patches were released by SaltStack. With a pre-announcement and advisory from SaltStack both encouraging users to apply these updates quickly, we anticipate attackers will be targeting these flaws and releasing exploits soon.

Over 6,000 publicly accessible Salt Master Nodes

According to data from Shodan, there are over 6,000 Salt master nodes publicly accessible, with a majority found in the United States.


Image Source: Shodan

We anticipate that attackers will likely target these systems in the near future. Therefore, we highly recommend ensuring that these updates are applied as soon as possible.

Proof of concept

At the time this blog post was published, no proof-of-concept (PoC) code was available for any of the vulnerabilities.

Solution

SaltStack has published updates addressing all three of these CVEs. The following is a list of versions which have patches available:

  • 3002.x
  • 3001.x
  • 3000.x
  • 2019.x

The patches available have been released for the following versions:

  • 3002
  • 3001.1, 3001.2
  • 3000.3, 3000.4
  • 2019.2.5, 2019.2.6
  • 2018.3.5
  • 2017.7.4, 2017.7.8
  • 2016.11.3, 2016.11.6, 2016.11.10
  • 2016.3.4, 2016.3.6, 2016.3.8
  • 2015.8.10, 2015.8.13

SaltStack encourages users running older versions of Salt to update to one of the versions listed above prior to applying available patches.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.