openSUSE 15 Security Update : salt (openSUSE-SU-2021:2106-1)

critical Nessus Plugin ID 151732

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2106-1 advisory.

- Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server. (CVE-2018-15750)

- SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi). (CVE-2018-15751)

- An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. (CVE-2020-11651)

- An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. (CVE-2020-11652)

- In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH. (CVE-2020-25592)

- An Incorrect Implementation of Authentication Algorithm vulnerability in SUSE Linux Enterprise Server 15 SP 3 and openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3; openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. (CVE-2021-25315)

- In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely). (CVE-2021-31607)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected python2-distro and / or python3-distro packages.

See Also

https://bugzilla.suse.com/1171257

https://bugzilla.suse.com/1176293

https://bugzilla.suse.com/1179831

https://bugzilla.suse.com/1181368

https://bugzilla.suse.com/1182281

https://bugzilla.suse.com/1182293

https://bugzilla.suse.com/1182382

https://bugzilla.suse.com/1185092

https://bugzilla.suse.com/1185281

https://bugzilla.suse.com/1186674

http://www.nessus.org/u?410d07bc

https://www.suse.com/security/cve/CVE-2018-15750

https://www.suse.com/security/cve/CVE-2018-15751

https://www.suse.com/security/cve/CVE-2020-11651

https://www.suse.com/security/cve/CVE-2020-11652

https://www.suse.com/security/cve/CVE-2020-25592

https://www.suse.com/security/cve/CVE-2021-25315

https://www.suse.com/security/cve/CVE-2021-31607

Plugin Details

Severity: Critical

ID: 151732

File Name: openSUSE-2021-2106.nasl

Version: 1.2

Type: local

Agent: unix

Published: 7/16/2021

Updated: 7/16/2021

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2020-25592

VPR

Risk Factor: Critical

Score: 9.6

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:F/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:python2-distro, p-cpe:/a:novell:opensuse:python3-distro, cpe:/o:novell:opensuse:15.3

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/11/2021

Vulnerability Publication Date: 10/24/2018

Reference Information

CVE: CVE-2018-15750, CVE-2018-15751, CVE-2020-11651, CVE-2020-11652, CVE-2020-25592, CVE-2021-25315, CVE-2021-31607

IAVA: 2020-A-0195-S