openSUSE-SU-2020:1074

https://docs.saltstack.com/en/2017.7/topics/releases/2017.7.8.html

https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html

[salt-users] 20181024 2017.7.8 Released - Security Advisory

[salt-users] 20181024 2018.3.3 Released - Security Advisory

[debian-lts-announce] 20200728 [SECURITY] [DLA 2294-1] salt security update

USN-4459-1

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2106-1 advisory.

  - Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before     2018.3.3 allows remote attackers to determine which files exist on the server. (CVE-2018-15750)

  - SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass     authentication and execute arbitrary commands via salt-api(netapi). (CVE-2018-15751)

  - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process     ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods     without authentication. These methods can be used to retrieve user tokens from the salt master and/or run     arbitrary commands on salt minions. (CVE-2020-11651)

  - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process     ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow     arbitrary directory access to authenticated users. (CVE-2020-11652)

  - In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can     bypass authentication and invoke Salt SSH. (CVE-2020-25592)

  - A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise     Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the     need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt     versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
    (CVE-2021-25315)

  - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module     that allows for local privilege escalation on a minion. The attack requires that a file is created with a     pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes     popen unsafely). (CVE-2021-31607)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:0899-1 advisory.

  - Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before     2018.3.3 allows remote attackers to determine which files exist on the server. (CVE-2018-15750)

  - SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass     authentication and execute arbitrary commands via salt-api(netapi). (CVE-2018-15751)

  - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process     ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods     without authentication. These methods can be used to retrieve user tokens from the salt master and/or run     arbitrary commands on salt minions. (CVE-2020-11651)

  - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process     ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow     arbitrary directory access to authenticated users. (CVE-2020-11652)

  - In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can     bypass authentication and invoke Salt SSH. (CVE-2020-25592)

  - A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise     Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the     need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt     versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
    (CVE-2021-25315)

  - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module     that allows for local privilege escalation on a minion. The attack requires that a file is created with a     pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes     popen unsafely). (CVE-2021-31607)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that Salt allows remote attackers to determine which files exist on the server. An attacker could use that to extract sensitive information. (CVE-2018-15750) It was discovered that Salt has a vulnerability that allows an user to bypass authentication. An attacker could use that to extract sensitive information, execute abritrary code or crash the server. (CVE-2018-15751) It was discovered that Salt is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host. (CVE-2019-17361) It was discovered that Salt incorrectly validated method calls and sanitized paths. A remote attacker could possibly use this issue to access some methods without authentication. (CVE-2020-11651, CVE-2020-11652).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Two issues have been found in salt, a remote manager to administer servers.

These issues are related to remote hackers bypassing authentication to execute arbitrary commands and getting informations about files on the server

For Debian 9 stretch, these problems have been fixed in version 2016.11.2+ds-1+deb9u5.

We recommend that you upgrade your salt packages.

For the detailed security status of salt please refer to its security tracker page at: https://security-tracker.debian.org/tracker/salt

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for salt contains the following fixes :

  - Fix for TypeError in Tornado importer (bsc#1174165)

  - Require python3-distro only for TW (bsc#1173072)

  - Update to Salt version 3000: See release notes:
    https://docs.saltstack.com/en/latest/topics/releases/300     0.html

  - Add docker.logout to docker execution module.
    (bsc#1165572)

  - Add option to enable/disable force refresh for zypper.

  - Add publish_batch to ClearFuncs exposed methods.

  - Adds test for zypper abbreviation fix.

  - Avoid segfault from 'salt-api' under certain conditions     of heavy load managing SSH minions. (bsc#1169604)

  - Avoid traceback on debug logging for swarm module.
    (bsc#1172075)

  - Batch mode now also correctly provides return value.
    (bsc#1168340)

  - Better import cache handline.

  - Do not make file.recurse state to fail when msgpack     0.5.4. (bsc#1167437)

  - Do not require vendored backports-abc. (bsc#1170288)

  - Fix errors from unit tests due NO_MOCK and     NO_MOCK_REASON deprecation.

  - Fix for low rpm_lowpkg unit test.

  - Fix for temp folder definition in loader unit test.

  - Fix for unless requisite when pip is not installed.

  - Fix integration test failure for     test_mod_del_repo_multiline_values.

  - Fix regression in service states with reload argument.

  - Fix tornado imports and missing _utils after rebasing     patches.

  - Fix status attribute issue in aptpkg test.

  - Improved storage pool or network handling.

  - loop: fix variable names for until_no_eval.

  - Make 'salt.ext.tornado.gen' to use     'salt.ext.backports_abc' on Python 2.

  - Make setup.py script not to require setuptools greater     than 9.1.

  - More robust remote port detection.

  - Prevent sporious 'salt-api' stuck processes when     managing SSH minions. because of logging deadlock.
    (bsc#1159284)

  - Python3.8 compatibility changes.

  - Removes unresolved merge conflict in yumpkg module.

  - Returns a the list of IPs filtered by the optional     network list.

  - Revert broken changes to slspath made on Salt 3000     (saltstack/salt#56341). (bsc#1170104)

  - Sanitize grains loaded from roster_grains.json cache     during 'state.pkg'.

  - Various virt backports from 3000.2.

  - zypperpkg: filter patterns that start with dot.
    (bsc#1171906)

This update was imported from the SUSE:SLE-15-SP1:Update update project.

This update for salt contains the following fixes :

Fix for TypeError in Tornado importer (bsc#1174165)

Require python3-distro only for TW (bsc#1173072)

Update to Salt version 3000: See release notes:
https://docs.saltstack.com/en/latest/topics/releases/3000.html

Add docker.logout to docker execution module. (bsc#1165572)

Add option to enable/disable force refresh for zypper.

Add publish_batch to ClearFuncs exposed methods.

Adds test for zypper abbreviation fix.

Avoid segfault from 'salt-api' under certain conditions of heavy load managing SSH minions. (bsc#1169604)

Avoid traceback on debug logging for swarm module. (bsc#1172075)

Batch mode now also correctly provides return value. (bsc#1168340)

Better import cache handline.

Do not make file.recurse state to fail when msgpack 0.5.4.
(bsc#1167437)

Do not require vendored backports-abc. (bsc#1170288)

Fix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation.

Fix for low rpm_lowpkg unit test.

Fix for temp folder definition in loader unit test.

Fix for unless requisite when pip is not installed.

Fix integration test failure for test_mod_del_repo_multiline_values.

Fix regression in service states with reload argument.

Fix tornado imports and missing _utils after rebasing patches.

Fix status attribute issue in aptpkg test.

Improved storage pool or network handling.

loop: fix variable names for until_no_eval.

Make 'salt.ext.tornado.gen' to use 'salt.ext.backports_abc' on Python 2.

Make setup.py script not to require setuptools greater than 9.1.

More robust remote port detection.

Prevent sporious 'salt-api' stuck processes when managing SSH minions.
because of logging deadlock. (bsc#1159284)

Python3.8 compatibility changes.

Removes unresolved merge conflict in yumpkg module.

Returns a the list of IPs filtered by the optional network list.

Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341). (bsc#1170104)

Sanitize grains loaded from roster_grains.json cache during 'state.pkg'.

Various virt backports from 3000.2.

zypperpkg: filter patterns that start with dot. (bsc#1171906)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for salt fixes the following issues :

Security issues fixed :

  - CVE-2018-15750: Fixed directory traversal vulnerability     in salt-api (bsc#1113698).

  - CVE-2018-15751: Fixed remote authentication bypass in     salt-api(netapi) that allows to execute arbitrary     commands (bsc#1113699).

Non-security issues fixed :

  - Improved handling of LDAP group id. gid is no longer     treated as a string, which could have lead to faulty     group creations (bsc#1113784).

  - Fixed async call to process manager (bsc#1110938)

  - Fixed OS arch detection when RPM is not installed     (bsc#1114197)

  - Crontab module fix: file attributes option missing     (bsc#1114824)

  - Fix git_pillar merging across multiple __env__     repositories (bsc#1112874)

This update was imported from the SUSE:SLE-15:Update update project.

This update for salt fixes the following issues :

Security issues fixed :

CVE-2018-15750: Fixed directory traversal vulnerability in salt-api (bsc#1113698).

CVE-2018-15751: Fixed remote authentication bypass in salt-api(netapi) that allows to execute arbitrary commands (bsc#1113699).

Non-security issues fixed: Improved handling of LDAP group id. gid is no longer treated as a string, which could have lead to faulty group creations (bsc#1113784).

Fixed async call to process manager (bsc#1110938).

Fixed OS arch detection when RPM is not installed (bsc#1114197).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for salt fixes the following issues :

  - Crontab module fix: file attributes option missing     (boo#1114824)

  - Fix git_pillar merging across multiple __env__     repositories (boo#1112874)

  - Bugfix: unable to detect os arch when RPM is not     installed (boo#1114197)

  - Fix LDAP authentication issue when a valid token is     generated by the salt-api even when invalid user     credentials are passed. (U#48901)

  - Improved handling of LDAP group id. gid is no longer     treated as a string, which could have lead to faulty     group creations. (boo#1113784)

  - Fix remote command execution and incorrect access     control when using salt-api. (boo#1113699)     (CVE-2018-15751)

  - Fix Directory traversal vulnerability when using     salt-api. Allows an attacker to determine what files     exist on a server when querying /run or /events.
    (boo#1113698) (CVE-2018-15750)

  - Add multi-file support and globbing to the filetree     (U#50018)

  - Bugfix: supportconfig non-root permission issues     (U#50095)

  - Open profiles permissions to everyone for read-only

  - Preserving signature in 'module.run' state (U#50049)

  - Install default salt-support profiles

  - Remove unit test, came from a wrong branch. Fix merging     failure.

  - Add CPE_NAME for osversion* grain parsing

  - Get os_family for RPM distros from the RPM macros

  - Install support profiles

  - Fix async call to process manager (boo#1110938)

  - Salt-based supportconfig implementation (technology     preview)

  - Bugfix: any unicode string of length 16 will raise     TypeError

  - Fix IPv6 scope (boo#1108557)

  - Handle zypper ZYPPER_EXIT_NO_REPOS exit code     (boo#1108834, boo#1109893)

  - Bugfix for pkg_resources crash (boo#1104491)

  - Fix loosen azure sdk dependencies in azurearm cloud     driver (boo#1107333)

  - Fix broken 'resolve_capabilities' on Python 3     (boo#1108995)

This update for salt fixes the following issues :

Salt was updated to version 2016.11.10 and contains the following fixes :

Security issues fixed :

CVE-2018-15750: Fixed directory traversal vulnerability in salt-api (bsc#1113698).

CVE-2018-15751: Fixed remote authentication bypass in salt-api(netapi) that allows to execute arbitrary commands (bsc#1113699).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

SaltStack reports :

Remote command execution and incorrect access control when using salt-api.

Directory traversal vulnerability when using salt-api. Allows an attacker to determine what files exist on a server when querying /run or /events.

ID	Name	Product	Family	Severity
151732	openSUSE 15 Security Update : salt (openSUSE-SU-2021:2106-1)	Nessus	SuSE Local Security Checks	critical
151062	openSUSE 15 Security Update : salt (openSUSE-SU-2021:0899-1)	Nessus	SuSE Local Security Checks	critical
139659	Ubuntu 16.04 LTS / 18.04 LTS : Salt vulnerabilities (USN-4459-1)	Nessus	Ubuntu Local Security Checks	critical
139094	Debian DLA-2294-1 : salt security update	Nessus	Debian Local Security Checks	critical
139012	openSUSE Security Update : salt (openSUSE-2020-1074)	Nessus	SuSE Local Security Checks	critical
138795	SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1974-1)	Nessus	SuSE Local Security Checks	critical
123158	openSUSE Security Update : salt (openSUSE-2019-1019)	Nessus	SuSE Local Security Checks	critical
120165	SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2018:3815-1)	Nessus	SuSE Local Security Checks	critical
119805	openSUSE Security Update : salt (openSUSE-2018-1574)	Nessus	SuSE Local Security Checks	critical
119759	openSUSE Security Update : salt (openSUSE-2018-1569)	Nessus	SuSE Local Security Checks	critical
119115	SUSE SLES11 Security Update : salt (SUSE-SU-2018:3813-1)	Nessus	SuSE Local Security Checks	critical
118477	FreeBSD : salt -- multiple vulnerabilities (4f7c6af3-6a2c-4ead-8453-04e509688d45)	Nessus	FreeBSD Local Security Checks	critical

CVE-2018-15751

critical

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical