https://sec.stealthcopter.com/saltstack-snapper-minion-privledge-escaltion/

FEDORA-2021-5aaebdae8e

FEDORA-2021-00ada7e667

FEDORA-2021-93a7c8b7c6

FEDORA-2021-158e9c6eb9

The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-93a7c8b7c6 advisory.

  - An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and     source_hash URLs can gain full file system access as root on a salt minion. (CVE-2021-21996)

  - An issue was discovered in SaltStack Salt before 3003.3. The salt minion installer will accept and use a     minion config file at C:\salt\conf if that file is in place before the installer is run. This allows for a     malicious actor to subvert the proper behaviour of the given minion software. (CVE-2021-22004)

  - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module     that allows for local privilege escalation on a minion. The attack requires that a file is created with a     pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes     popen unsafely). (CVE-2021-31607)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 34 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-00ada7e667 advisory.

  - An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and     source_hash URLs can gain full file system access as root on a salt minion. (CVE-2021-21996)

  - An issue was discovered in SaltStack Salt before 3003.3. The salt minion installer will accept and use a     minion config file at C:\salt\conf if that file is in place before the installer is run. This allows for a     malicious actor to subvert the proper behaviour of the given minion software. (CVE-2021-22004)

  - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module     that allows for local privilege escalation on a minion. The attack requires that a file is created with a     pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes     popen unsafely). (CVE-2021-31607)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2106-1 advisory.

  - Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before     2018.3.3 allows remote attackers to determine which files exist on the server. (CVE-2018-15750)

  - SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass     authentication and execute arbitrary commands via salt-api(netapi). (CVE-2018-15751)

  - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process     ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods     without authentication. These methods can be used to retrieve user tokens from the salt master and/or run     arbitrary commands on salt minions. (CVE-2020-11651)

  - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process     ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow     arbitrary directory access to authenticated users. (CVE-2020-11652)

  - In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can     bypass authentication and invoke Salt SSH. (CVE-2020-25592)

  - A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise     Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the     need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt     versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
    (CVE-2021-25315)

  - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module     that allows for local privilege escalation on a minion. The attack requires that a file is created with a     pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes     popen unsafely). (CVE-2021-31607)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1951-1 advisory.

  - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module     that allows for local privilege escalation on a minion. The attack requires that a file is created with a     pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes     popen unsafely). (CVE-2021-31607)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES11 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2021:14753-1 advisory.

  - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module     that allows for local privilege escalation on a minion. The attack requires that a file is created with a     pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes     popen unsafely). (CVE-2021-31607)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:0899-1 advisory.

  - Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before     2018.3.3 allows remote attackers to determine which files exist on the server. (CVE-2018-15750)

  - SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass     authentication and execute arbitrary commands via salt-api(netapi). (CVE-2018-15751)

  - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process     ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods     without authentication. These methods can be used to retrieve user tokens from the salt master and/or run     arbitrary commands on salt minions. (CVE-2020-11651)

  - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process     ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow     arbitrary directory access to authenticated users. (CVE-2020-11652)

  - In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can     bypass authentication and invoke Salt SSH. (CVE-2020-25592)

  - A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise     Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the     need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt     versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
    (CVE-2021-25315)

  - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module     that allows for local privilege escalation on a minion. The attack requires that a file is created with a     pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes     popen unsafely). (CVE-2021-31607)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the salt3 package has been released.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:1951-1 advisory.

  - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module     that allows for local privilege escalation on a minion. The attack requires that a file is created with a     pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes     popen unsafely). (CVE-2021-31607)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-5aaebdae8e advisory.

  - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module     that allows for local privilege escalation on a minion. The attack requires that a file is created with a     pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes     popen unsafely). (CVE-2021-31607)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
153200	Fedora 33 : salt (2021-93a7c8b7c6)	Nessus	Fedora Local Security Checks	high
153199	Fedora 34 : salt (2021-00ada7e667)	Nessus	Fedora Local Security Checks	high
151732	openSUSE 15 Security Update : salt (openSUSE-SU-2021:2106-1)	Nessus	SuSE Local Security Checks	critical
151718	openSUSE 15 Security Update : salt (openSUSE-SU-2021:1951-1)	Nessus	SuSE Local Security Checks	high
151084	SUSE SLES11 Security Update : SUSE Manager Client Tools (SUSE-SU-2021:14753-1)	Nessus	SuSE Local Security Checks	high
151062	openSUSE 15 Security Update : salt (openSUSE-SU-2021:0899-1)	Nessus	SuSE Local Security Checks	critical
150920	Photon OS 4.0: Salt3 PHSA-2021-4.0-0047	Nessus	PhotonOS Local Security Checks	critical
150743	SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2021:1951-1)	Nessus	SuSE Local Security Checks	high
149414	Fedora 33 : salt (2021-5aaebdae8e)	Nessus	Fedora Local Security Checks	high

CVE-2021-31607

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

critical

high

high

critical

critical

high

high