FreeBSD : py-salt -- potential shell injection vulnerabilities (865863af-fb5e-11e4-8fda-002590263bf5)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Colton Myers reports :

In order to fix potential shell injection vulnerabilities in salt
modules, a change has been made to the various cmd module functions.
These functions now default to python_shell=False, which means that
the commands will not be sent to an actual shell.

The largest side effect of this change is that 'shellisms', such as
pipes, will not work by default. The modules shipped with salt have
been audited to fix any issues that might have arisen from this
change. Additionally, the cmd state module has been unaffected, and
use of in jinja is also unaffected. calls on the CLI
will also allow shellisms.

However, custom execution modules which use shellisms in cmd calls
will break, unless you pass python_shell=True to these calls.

As a temporary workaround, you can set cmd_safe: False in your minion
and master configs. This will revert the default, but is also less
secure, as it will allow shell injection vulnerabilities to be written
in custom code. We recommend you only set this setting for as long as
it takes to resolve these issues in your custom code, then remove the

See also :

Solution :

Update the affected package.

Risk factor :


Family: FreeBSD Local Security Checks

Nessus Plugin ID: 83798 ()

Bugtraq ID:


Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now