SaltStack has patched two critical vulnerabilities discovered by the Finnish security company F-Secure, which reported them to SaltStack in mid-March. Each has been given a Common Vulnerability Scoring System (CVSS) score of 10, the highest level any vulnerability can be assigned, which underscores how serious these are.
The two vulnerabilities are tracked as CVE-2020-11651 and CVE-2020-11652.
“Patch by Friday or compromised by Monday,” warns F-Secure Principal Consultant Olle Segerdahl. “That’s how I’d describe the dilemma facing admins who have their Salt master hosts exposed to the internet.”
Why are these vulnerabilities so serious?
All vulnerabilities are serious, but these two are especially so. If exploited, attackers could run code as root on any unpatched Salt master. Salt uses a Master-Minion architecture in which the Master pushes commands to every Minion agent it manages, so control of the Master server automatically grants control of all its Minions. An attacker could therefore execute any code they wanted across the managed infrastructure.
In a blog, F-Secure comments: “Attackers could simply use the master and its minions (which could amount to hundreds of servers) to mine cryptocurrencies, or bots. But skilled attackers can engage in more high impact attacks. For example, they may start by installing backdoors to let them explore the network, and then move to stealing confidential data, extortion (either through ransomware or threatening to leak sensitive information), or a variety of other attacks tailored to their specific target and objectives.”
How widely used is Salt?
Segerdahl says that, while researching the vulnerabilities, he found 6,000 Salt masters exposed to the Internet. The majority are in public cloud environments such as AWS and GCP. It means that any user who does not patch quickly is at immediate risk of being compromised.
According to Segerdahl: “I was expecting the number to be a lot lower. There’s not many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the Internet.
“When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So if I were running one of these 6000 masters, I wouldn’t feel comfortable leaving work for the weekend knowing it’s a target.”
F-Secure has confirmed that it has seen no active exploitation of the vulnerabilities. This should not be used as an excuse to delay patching.
What should organisations using Salt do?
Download the latest patches immediately from the SaltStack website and apply them. This is not a drill. All unpatched versions of Salt are affected; there is no safe version that can be left until later. If this sounds harsh, remember that Segerdahl has already said: “Patch by Friday or compromised by Monday.”
Segerdahl also warns that companies running default Salt installations exposed to the Internet should monitor and restrict access to the Salt master ports: TCP 4505 (the publish port) and TCP 4506 (the request port). There is additional information on how to harden Salt installations on the SaltStack website.
Corporate users running SaltStack behind their firewalls are also being warned to patch their Salt installations. Any attacker who gains a foothold inside the network could reach the Salt master and, through it, every minion it manages.
Users whose Salt installations auto-update should receive the patch as soon as it is released. However, many developers turn off auto-updates during the build phase, and IT operations can easily forget to turn them back on.
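Two practical checks for the advice above, as an added example that is not SaltStack's or F-Secure's code: a function that reads `ss -ltn` style output and reports any Salt master port bound to a wildcard address, and a function that prints an nftables ruleset allowing TCP 4505/4506 only from the minion networks you name. The socket listing embedded in the script is constructed sample output, not a capture from a real host, and the function names and the `salt_master` table name are this example's own choices.

```shell
#!/bin/sh
# Added example (not SaltStack or F-Secure code): audit and restrict the Salt
# master ports, 4505 (publish) and 4506 (request).

SALT_PORTS="4505 4506"

# Constructed sample in the shape of `ss -ltn` output, for a master that is
# listening on all interfaces. Replace with `ss -ltn` on a real master.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:4505      0.0.0.0:*
LISTEN 0      128          0.0.0.0:4506      0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*'

# exposed_salt_ports: read `ss -ltn` style lines on stdin and print ADDR:PORT
# for every Salt port bound to a wildcard address (0.0.0.0, [::] or *).
# A master that only listens on loopback or a specific private address is
# not reported, because it is not reachable from every interface.
exposed_salt_ports() {
    awk -v ports="$SALT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[0-9]+$/, "", host)
            if ((port in want) && (host == "0.0.0.0" || host == "[::]" || host == "*"))
                print addr
        }'
}

# nft_salt_ruleset CIDR...: print an nftables ruleset that accepts TCP 4505/4506
# from loopback and from the given IPv4 minion networks, and drops every other
# connection to those two ports. Apply with: nft_salt_ruleset 10.0.0.0/24 | nft -f -
# Add matching `ip6 saddr` rules if minions reach the master over IPv6.
nft_salt_ruleset() {
    [ "$#" -gt 0 ] || { echo "usage: nft_salt_ruleset CIDR..." >&2; return 1; }
    allow=$(printf '%s, ' "$@"); allow=${allow%, }
    cat <<EOF
table inet salt_master {
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        ip saddr { $allow } tcp dport { 4505, 4506 } accept
        tcp dport { 4505, 4506 } counter drop
    }
}
EOF
}

# Demonstration on the constructed sample (stand-alone run):
echo "Salt ports exposed on all interfaces:"
printf '%s\n' "$SAMPLE_SS" | exposed_salt_ports
echo
echo "Suggested nftables ruleset for two minion subnets:"
nft_salt_ruleset 10.0.0.0/24 192.168.1.0/24
```

The audit function only answers "is the master listening on a wildcard address"; whether that address is actually reachable from the Internet depends on cloud security groups and upstream firewalls, so confirm with a probe from outside the network. The ruleset is deliberately narrow, touching only the two Salt ports, so it can be loaded alongside an existing firewall policy rather than replacing it.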
Enterprise Times: What does this mean
For many security teams, the timing could not have been worse. As (ISC)2 revealed, security staff are being pulled away to shore up IT teams. It has left many organisations reliant on their security tools and on support from third parties. Attacks using COVID-19 as a lure show no signs of slowing down, and attackers are also using this opportunity to expand existing campaigns.
Vulnerabilities are a fact of life in the software world. What is important is how you respond and what you do to protect customers. In this case, fixes have been created quickly and made available, and there is no active exploitation that F-Secure has seen.
SaltStack has responded quickly to the alert from F-Secure over these two vulnerabilities. This is the first time a CVE has been assigned to a Salt vulnerability since 2018. What is important now is that SaltStack monitors its customers and actively looks for unpatched installations on the Internet. It could use the list of 6,000 installations that Segerdahl found as a starting point. Warning those customers, in case they do not have auto-update turned on, would be a good move.