FreeBSD : py-salt -- potential shell injection vulnerabilities (865863af-fb5e-11e4-8fda-002590263bf5)

High Nessus Plugin ID 83798


The remote FreeBSD host is missing a security-related update.


Colton Myers reports :

In order to fix potential shell injection vulnerabilities in salt modules, a change has been made to the various cmd module functions.
These functions now default to python_shell=False, which means that the commands will not be sent to an actual shell.

The largest side effect of this change is that 'shellisms', such as pipes, will not work by default. The modules shipped with salt have been audited to fix any issues that might have arisen from this change. Additionally, the cmd state module has been unaffected, and use of in jinja is also unaffected. calls on the CLI will also allow shellisms.

However, custom execution modules which use shellisms in cmd calls will break, unless you pass python_shell=True to these calls.

As a temporary workaround, you can set cmd_safe: False in your minion and master configs. This will revert the default, but is also less secure, as it will allow shell injection vulnerabilities to be written in custom code. We recommend you only set this setting for as long as it takes to resolve these issues in your custom code, then remove the override.


Update the affected package.

See Also

Plugin Details

Severity: High

ID: 83798

File Name: freebsd_pkg_865863affb5e11e48fda002590263bf5.nasl

Version: $Revision: 2.1 $

Type: local

Published: 2015/05/26

Modified: 2015/05/26

Dependencies: 12634

Risk Information

Risk Factor: High

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:py27-salt, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2015/05/24

Vulnerability Publication Date: 2015/05/11