Two vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework, are being actively exploited by attackers, CISA warns.
About SaltStack Salt
Salt is used for configuring, managing and monitoring servers in datacenters and cloud environments.
The Salt installation is the “master” and each server it monitors runs an API agent called a “minion”. The minions send state reports to the master and the master publishes update messages containing instructions/commands to the minions. The communication between the master and its minions is secured (encrypted).

About the vulnerabilities
Discovered by F-Secure researchers, CVE-2020-11651 (an authentication bypass flaw) and CVE-2020-11652 (a directory traversal flaw) can be exploited by remote, unauthenticated attackers.
According to the researchers, the vulnerabilities allow attackers to “connect to the ‘request server’ port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root.”
The attackers can thus achieve remote command execution as root on both the master and all minions that connect to it.
The vulnerabilities affect all Salt versions prior to 2019.2.4 and 3000.2, which were released last week.
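As an added defender's check (not code from the article or from SaltStack), the helper below decides whether a reported Salt version predates the fixed releases 2019.2.4 and 3000.2, taking into account that the numeric 3000 line follows the date-based 2019.2 line, and triages a constructed inventory; hostnames and the inventory format are made up.

```python
import re
from typing import Dict, Tuple

# Fixed releases named in the article. A master running anything older
# in its release line still needs the CVE-2020-11651 / CVE-2020-11652 update.
FIXED_2019 = (2019, 2, 4)
FIXED_3000 = (3000, 2)

_VER_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the numeric version from strings such as
    'salt 2019.2.3 (Fluorine)' or '3000.1' as a tuple of ints."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True if this version is older than the fix for its release line."""
    v = parse_version(version)
    # Salt moved from date-based naming (2018.3.x, 2019.2.x) to numeric
    # naming (3000.x); pick the fix threshold for the line v belongs to.
    fixed = FIXED_3000 if v[0] >= 3000 else FIXED_2019
    return v < fixed  # tuple comparison: (2019, 2) < (2019, 2, 4) is True


# Constructed sample inventory (hypothetical hosts), in the shape a fleet
# script might produce by running `salt --version` on each master.
SAMPLE_INVENTORY = """\
salt-master-01  salt 2019.2.3 (Fluorine)
salt-master-02  salt 3000.1
salt-master-03  salt 3000.2
salt-master-04  salt 2019.2.4 (Fluorine)
salt-master-05  salt 2018.3.5 (Oxygen)
"""


def triage(inventory: str) -> Dict[str, bool]:
    """Map each host to True when its master still needs patching."""
    result: Dict[str, bool] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split(None, 1)
        result[host] = is_vulnerable(version)
    return result


if __name__ == "__main__":
    for host, needs_patch in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'NEEDS UPDATE' if needs_patch else 'ok'}")
```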
“Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks,” the researchers added.
Active exploitation
F-Secure warned that there are over 6,000 Salt masters exposed to the public Internet, so they chose not to publish a PoC.
But, they said, “any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours,” and they were right: a few days later a researcher reported that their honeypots were already being targeted.
Even though SaltStack sent its users advance notice of the critical nature of the flaws and of the need to update quickly and apply additional mitigations, not everybody reacted promptly.
During the weekend, attackers successfully leveraged the flaws to gain access to the infrastructure of the LineageOS project, the Ghost blogging platform, and one of the Certificate Transparency logs (CT2) operated by DigiCert. In all three cases, the attackers’ goal was to install cryptominers.
from Help Net Security https://ift.tt/3c1ht57