In case you missed it last week, SaltStack released security updates to fix two critical Salt vulnerabilities. Multiple vendors that integrate Salt into their products have also released patches or workarounds to address the flaws.
Salt is an open-source management platform and infrastructure automation software used by IT in data centers and cloud systems.
SaltStack released patches for Critical authentication bypass and directory traversal vulnerabilities (CVE-2020-11651 and CVE-2020-11652) that affect Salt versions prior to 2019.2.4 and 3000.2.
SaltStack urged their SaltStack customers and Salt users prioritize the security update to address the vulnerabilities. Also, some security researchers already released proof-of-concept (PoC) exploit code as well.
“A scan by the security firm that identified the vulnerability found approximately 6000 Salt Masters exposed to the Internet and vulnerable. These systems in particular, and all Salt environments must be hardened and updated immediately,” warned Moe Abdula from SaltStack.
The security firm SaltStack credited is F-Secure, who described the SaltStack “authorization bypass” threat in a recent blog post:
“The vulnerabilities described in this advisory allow an attacker who can connect to the “request server” port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the “master” server filesystem and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it.”F-Secure
In addition, SaltStack provided some good Salt hardening guidelines to include system hardening, use of SSH keys secured with a passphrase, bastion hosts and Salt’s Client ACL system, just to name a few.
Vendor security advisories
Furthermore, VMware also released a security update for VMware vRealize Operations Manager. Although patches are still pending, VMware released workarounds to addresses CVE-2020-11651 and CVE-2020-11652.