openSUSE-SU-2020:1074

https://docs.saltstack.com/en/2017.7/topics/releases/2017.7.8.html

https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html

[salt-users] 20181024 2017.7.8 Released - Security Advisory

[salt-users] 20181024 2018.3.3 Released - Security Advisory

[debian-lts-announce] 20200728 [SECURITY] [DLA 2294-1] salt security update

USN-4459-1

It was discovered that Salt allows remote attackers to determine which files exist on the server. An attacker could use that to extract sensitive information. (CVE-2018-15750) It was discovered that Salt has a vulnerability that allows an user to bypass authentication. An attacker could use that to extract sensitive information, execute abritrary code or crash the server. (CVE-2018-15751) It was discovered that Salt is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host. (CVE-2019-17361) It was discovered that Salt incorrectly validated method calls and sanitized paths. A remote attacker could possibly use this issue to access some methods without authentication. (CVE-2020-11651, CVE-2020-11652).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Two issues have been found in salt, a remote manager to administer servers.

These issues are related to remote hackers bypassing authentication to execute arbitrary commands and getting informations about files on the server

For Debian 9 stretch, these problems have been fixed in version 2016.11.2+ds-1+deb9u5.

We recommend that you upgrade your salt packages.

For the detailed security status of salt please refer to its security tracker page at: https://security-tracker.debian.org/tracker/salt

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for salt contains the following fixes :

  - Fix for TypeError in Tornado importer (bsc#1174165)

  - Require python3-distro only for TW (bsc#1173072)

  - Update to Salt version 3000: See release notes:
    https://docs.saltstack.com/en/latest/topics/releases/300     0.html

  - Add docker.logout to docker execution module.
    (bsc#1165572)

  - Add option to enable/disable force refresh for zypper.

  - Add publish_batch to ClearFuncs exposed methods.

  - Adds test for zypper abbreviation fix.

  - Avoid segfault from 'salt-api' under certain conditions     of heavy load managing SSH minions. (bsc#1169604)

  - Avoid traceback on debug logging for swarm module.
    (bsc#1172075)

  - Batch mode now also correctly provides return value.
    (bsc#1168340)

  - Better import cache handline.

  - Do not make file.recurse state to fail when msgpack     0.5.4. (bsc#1167437)

  - Do not require vendored backports-abc. (bsc#1170288)

  - Fix errors from unit tests due NO_MOCK and     NO_MOCK_REASON deprecation.

  - Fix for low rpm_lowpkg unit test.

  - Fix for temp folder definition in loader unit test.

  - Fix for unless requisite when pip is not installed.

  - Fix integration test failure for     test_mod_del_repo_multiline_values.

  - Fix regression in service states with reload argument.

  - Fix tornado imports and missing _utils after rebasing     patches.

  - Fix status attribute issue in aptpkg test.

  - Improved storage pool or network handling.

  - loop: fix variable names for until_no_eval.

  - Make 'salt.ext.tornado.gen' to use     'salt.ext.backports_abc' on Python 2.

  - Make setup.py script not to require setuptools greater     than 9.1.

  - More robust remote port detection.

  - Prevent sporious 'salt-api' stuck processes when     managing SSH minions. because of logging deadlock.
    (bsc#1159284)

  - Python3.8 compatibility changes.

  - Removes unresolved merge conflict in yumpkg module.

  - Returns a the list of IPs filtered by the optional     network list.

  - Revert broken changes to slspath made on Salt 3000     (saltstack/salt#56341). (bsc#1170104)

  - Sanitize grains loaded from roster_grains.json cache     during 'state.pkg'.

  - Various virt backports from 3000.2.

  - zypperpkg: filter patterns that start with dot.
    (bsc#1171906)

This update was imported from the SUSE:SLE-15-SP1:Update update project.

This update for salt contains the following fixes :

Fix for TypeError in Tornado importer (bsc#1174165)

Require python3-distro only for TW (bsc#1173072)

Update to Salt version 3000: See release notes:
https://docs.saltstack.com/en/latest/topics/releases/3000.html

Add docker.logout to docker execution module. (bsc#1165572)

Add option to enable/disable force refresh for zypper.

Add publish_batch to ClearFuncs exposed methods.

Adds test for zypper abbreviation fix.

Avoid segfault from 'salt-api' under certain conditions of heavy load managing SSH minions. (bsc#1169604)

Avoid traceback on debug logging for swarm module. (bsc#1172075)

Batch mode now also correctly provides return value. (bsc#1168340)

Better import cache handline.

Do not make file.recurse state to fail when msgpack 0.5.4.
(bsc#1167437)

Do not require vendored backports-abc. (bsc#1170288)

Fix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation.

Fix for low rpm_lowpkg unit test.

Fix for temp folder definition in loader unit test.

Fix for unless requisite when pip is not installed.

Fix integration test failure for test_mod_del_repo_multiline_values.

Fix regression in service states with reload argument.

Fix tornado imports and missing _utils after rebasing patches.

Fix status attribute issue in aptpkg test.

Improved storage pool or network handling.

loop: fix variable names for until_no_eval.

Make 'salt.ext.tornado.gen' to use 'salt.ext.backports_abc' on Python 2.

Make setup.py script not to require setuptools greater than 9.1.

More robust remote port detection.

Prevent sporious 'salt-api' stuck processes when managing SSH minions.
because of logging deadlock. (bsc#1159284)

Python3.8 compatibility changes.

Removes unresolved merge conflict in yumpkg module.

Returns a the list of IPs filtered by the optional network list.

Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341). (bsc#1170104)

Sanitize grains loaded from roster_grains.json cache during 'state.pkg'.

Various virt backports from 3000.2.

zypperpkg: filter patterns that start with dot. (bsc#1171906)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for salt fixes the following issues :

Security issues fixed :

  - CVE-2018-15750: Fixed directory traversal vulnerability     in salt-api (bsc#1113698).

  - CVE-2018-15751: Fixed remote authentication bypass in     salt-api(netapi) that allows to execute arbitrary     commands (bsc#1113699).

Non-security issues fixed :

  - Improved handling of LDAP group id. gid is no longer     treated as a string, which could have lead to faulty     group creations (bsc#1113784).

  - Fixed async call to process manager (bsc#1110938)

  - Fixed OS arch detection when RPM is not installed     (bsc#1114197)

  - Crontab module fix: file attributes option missing     (bsc#1114824)

  - Fix git_pillar merging across multiple __env__     repositories (bsc#1112874)

This update was imported from the SUSE:SLE-15:Update update project.

This update for salt fixes the following issues :

Security issues fixed :

CVE-2018-15750: Fixed directory traversal vulnerability in salt-api (bsc#1113698).

CVE-2018-15751: Fixed remote authentication bypass in salt-api(netapi) that allows to execute arbitrary commands (bsc#1113699).

Non-security issues fixed: Improved handling of LDAP group id. gid is no longer treated as a string, which could have lead to faulty group creations (bsc#1113784).

Fixed async call to process manager (bsc#1110938).

Fixed OS arch detection when RPM is not installed (bsc#1114197).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for salt fixes the following issues :

  - Crontab module fix: file attributes option missing     (boo#1114824)

  - Fix git_pillar merging across multiple __env__     repositories (boo#1112874)

  - Bugfix: unable to detect os arch when RPM is not     installed (boo#1114197)

  - Fix LDAP authentication issue when a valid token is     generated by the salt-api even when invalid user     credentials are passed. (U#48901)

  - Improved handling of LDAP group id. gid is no longer     treated as a string, which could have lead to faulty     group creations. (boo#1113784)

  - Fix remote command execution and incorrect access     control when using salt-api. (boo#1113699)     (CVE-2018-15751)

  - Fix Directory traversal vulnerability when using     salt-api. Allows an attacker to determine what files     exist on a server when querying /run or /events.
    (boo#1113698) (CVE-2018-15750)

  - Add multi-file support and globbing to the filetree     (U#50018)

  - Bugfix: supportconfig non-root permission issues     (U#50095)

  - Open profiles permissions to everyone for read-only

  - Preserving signature in 'module.run' state (U#50049)

  - Install default salt-support profiles

  - Remove unit test, came from a wrong branch. Fix merging     failure.

  - Add CPE_NAME for osversion* grain parsing

  - Get os_family for RPM distros from the RPM macros

  - Install support profiles

  - Fix async call to process manager (boo#1110938)

  - Salt-based supportconfig implementation (technology     preview)

  - Bugfix: any unicode string of length 16 will raise     TypeError

  - Fix IPv6 scope (boo#1108557)

  - Handle zypper ZYPPER_EXIT_NO_REPOS exit code     (boo#1108834, boo#1109893)

  - Bugfix for pkg_resources crash (boo#1104491)

  - Fix loosen azure sdk dependencies in azurearm cloud     driver (boo#1107333)

  - Fix broken 'resolve_capabilities' on Python 3     (boo#1108995)

This update for salt fixes the following issues :

Salt was updated to version 2016.11.10 and contains the following fixes :

Security issues fixed :

CVE-2018-15750: Fixed directory traversal vulnerability in salt-api (bsc#1113698).

CVE-2018-15751: Fixed remote authentication bypass in salt-api(netapi) that allows to execute arbitrary commands (bsc#1113699).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

SaltStack reports :

Remote command execution and incorrect access control when using salt-api.

Directory traversal vulnerability when using salt-api. Allows an attacker to determine what files exist on a server when querying /run or /events.

ID	Name	Product	Family	Severity
139659	Ubuntu 16.04 LTS / 18.04 LTS : Salt vulnerabilities (USN-4459-1)	Nessus	Ubuntu Local Security Checks	high
139094	Debian DLA-2294-1 : salt security update	Nessus	Debian Local Security Checks	high
139012	openSUSE Security Update : salt (openSUSE-2020-1074)	Nessus	SuSE Local Security Checks	high
138795	SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1974-1)	Nessus	SuSE Local Security Checks	high
123158	openSUSE Security Update : salt (openSUSE-2019-1019)	Nessus	SuSE Local Security Checks	high
120165	SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2018:3815-1)	Nessus	SuSE Local Security Checks	high
119805	openSUSE Security Update : salt (openSUSE-2018-1574)	Nessus	SuSE Local Security Checks	high
119759	openSUSE Security Update : salt (openSUSE-2018-1569)	Nessus	SuSE Local Security Checks	high
119115	SUSE SLES11 Security Update : salt (SUSE-SU-2018:3813-1)	Nessus	SuSE Local Security Checks	high
118477	FreeBSD : salt -- multiple vulnerabilities (4f7c6af3-6a2c-4ead-8453-04e509688d45)	Nessus	FreeBSD Local Security Checks	high

CVE-2018-15750

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins