FreeBSD : py-salt -- potential shell injection vulnerabilities (865863af-fb5e-11e4-8fda-002590263bf5)
High Nessus Plugin ID 83798
Synopsis
The remote FreeBSD host is missing a security-related update.
Description
Colton Myers reports:
In order to fix potential shell injection vulnerabilities in salt modules, a change has been made to the various cmd module functions.
These functions now default to python_shell=False, which means that the commands will not be sent to an actual shell.
The largest side effect of this change is that 'shellisms', such as pipes, will not work by default. The modules shipped with salt have been audited to fix any issues that might have arisen from this change. Additionally, the cmd state module has been unaffected, and use of cmd.run in jinja is also unaffected. cmd.run calls on the CLI will also allow shellisms.
However, custom execution modules which use shellisms in cmd calls will break, unless you pass python_shell=True to these calls.
As a temporary workaround, you can set cmd_safe: False in your minion and master configs. This will revert the default, but is also less secure, as it will allow shell injection vulnerabilities to be written in custom code. We recommend you only set this setting for as long as it takes to resolve these issues in your custom code, then remove the override.
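To make the behaviour described in the report concrete, the following is an added example and not Salt's own code: a minimal stand-in for Salt's cmd.run (the function name `run_cmd`, the `pipe_demo` and `untrusted_arg_demo` helpers, and the sample input are assumptions made here). It shows why `python_shell=False` stops a command separator in untrusted input from being interpreted, and why, as a side effect, a pipe no longer works unless `python_shell=True` is passed. It needs `/bin/sh`, `echo` and `tr` on the host.

```python
"""Stand-in for Salt's cmd.run illustrating the python_shell default.

Added example, not Salt's implementation.  python_shell=False (the new
default): the command string is tokenised with shlex and exec'd directly,
so no shell ever sees it and '|', ';' and '$' are plain characters.
python_shell=True: the string goes to /bin/sh -c, which interprets every
metacharacter.
"""
import shlex
import subprocess


def run_cmd(cmd: str, python_shell: bool = False) -> str:
    """Run ``cmd`` and return its stdout with surrounding whitespace removed.

    Assumed to mirror Salt's python_shell switch; this is a stand-in, not
    the real cmd module.
    """
    if python_shell:
        proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    else:
        # shlex.split() gives a plain argv list; subprocess exec()s it
        # without a shell, so nothing parses pipes or separators.
        proc = subprocess.run(shlex.split(cmd), shell=False,
                              capture_output=True, text=True)
    return proc.stdout.strip()


def pipe_demo(python_shell: bool) -> str:
    """A 'shellism': the pipe is only honoured when a shell is present.

    Without a shell, echo simply receives '|', 'tr', 'a-z', 'A-Z' as
    further arguments and prints them literally.
    """
    return run_cmd("echo hello | tr a-z A-Z", python_shell=python_shell)


def untrusted_arg_demo(untrusted: str, python_shell: bool) -> str:
    """A command built by string interpolation, as legacy custom modules do.

    ``untrusted`` stands for a value that came from outside the module.
    With a shell the ';' starts a second command; without one it is just
    text handed to echo as an argument.
    """
    return run_cmd("echo " + untrusted, python_shell=python_shell)


# Constructed sample of externally supplied input: a filename followed by
# a command separator.  The second command is a harmless echo so the two
# modes can be compared without side effects.
SAMPLE_INPUT = "report.txt; echo INJECTED"

if __name__ == "__main__":
    print("pipe, python_shell=False     :", pipe_demo(False))
    print("pipe, python_shell=True      :", pipe_demo(True))
    print("untrusted, python_shell=False:", untrusted_arg_demo(SAMPLE_INPUT, False))
    print("untrusted, python_shell=True :", untrusted_arg_demo(SAMPLE_INPUT, True))
```

With `python_shell=False` the separator in `SAMPLE_INPUT` is printed back as literal text and the pipe example prints `hello | tr a-z A-Z`; with `python_shell=True` the second echo actually runs and the pipe yields `HELLO`. This is the trade-off the report describes: custom modules that rely on pipes must opt in with `python_shell=True` (or temporarily via `cmd_safe: False`), and in doing so take on the responsibility of not interpolating untrusted values into the command string.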
Solution
Update the affected package.