SaltStack, a VMware-owned company, has revealed critical vulnerabilities impacting Salt versions 3002 and prior, with patches available as of today.
Salt is an open-source IT infrastructure management solution written in Python that is widely used by data centers around the world.
Users are therefore encouraged to patch their Salt instances immediately.
From shell injection to authentication bypass
The three vulnerabilities disclosed today are as follows, with their severity mentioned in the respective parentheses:
CVE-2020-16846 (High/Critical)has been described by the Salt team as a shell injection vulnerability that was patched by removing the `shell=True` option when calling “subprocess.call” on a SaltStack SSH client.
The subprocess Python module lets you spawn new processes on the system. Calling the option with a command constructed from external user input and with `shell=True` option is a known security hazard.
Shown above, the official fix released by the project states, “Stop calling Popen with shell=True to prevent shell injection attacks on the netapi salt-ssh client.”
CVE-2020-25592 (High/Critical) is an authentication bypass flaw but the fix published for the same additionally mentions yet another mysterious identifier, CVE-2020-16804.
“CVE-2020-16804 – Properly validate eauth credentials and tokens along with their ACLs,” states the fix applied for CVE-2020-25592.
The commit further states, “Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. Any value for ‘eauth’ or ‘token’ would allow a user to bypass authentication and make calls to Salt ssh.”
A test case provided by the project developers confirms that in the patched versions, bogus eauth data should cause Salt applications to throw exceptions instead of passing the authentication checks.
CVE-2020-17490 (Low) concerns a permissions issue, rather the access mode, when opening/saving cryptographic private key files.
“This CVE affects any Minions or Masters that previously used the create_ca, create_csr, and create_self_signed_cert functions in the TLS module,” reads the November 3rd advisory linked below.
“When using the functions create_ca, create_csr, and create_self_signed_cert in the tls execution module, it would not ensure the key was created with the correct permissions. With the CVE fix, the keys are no longer created with world-readable permissions and use 600,” continues the advisory.
The issue was remedied by replacing the `os.O_WRONLY` (write-only) flag when opening the SSH keys with the `os.O_RDWR` (read-write) flag.
Confusing disclosure timeline
While the vulnerabilities were disclosed today, it is worth noting that fixes for all three vulnerabilities were committed and disclosed to GitHub much earlier.
For example, the fix for CVE-2020-16846 was pushed to GitHub as early as August 18th, and the Salt client test cases for the shell injection flaw also mention multiple Zero-Day Initiative (ZDI) IDs, such as ZDI-CAN-11143. The date of the original report on this identifier, however, is June 2020 as shown below.
The November 3rd advisory does attribute the discovery of CVE-2020-16846 and CVE-2020-17490 to KPC of Trend Micro Zero Day Initiative who had reported multiple ZDI vulnerabilities in June 2020.
It is not clear why SaltStack published the CVEs and fixes publicly to GitHub before publicly disclosing them as this could have been abused by threat actors to create exploits.
SaltStack gives advance heads up
On October 30th, SaltStack had released a security advisory indicating these CVEs were to come this Election Day.
The advance partial disclosure on these critical vulnerabilities is a cautious move on SaltStack’s part given the widespread attacks that had hit vulnerable Salt instances earlier this year.
“Two of these vulnerabilities are expected to be rated as high/critical and the other is expected to be low based on the Common Vulnerability Scoring System (CVSS). Once SaltStack became aware of the vulnerabilities, we quickly took actions to remediate them,” stated the October 30th advisory.
Partial disclosures are increasingly becoming the norm for open-source software.
Giving everyone a heads up allows time for the vulnerable instances to be patched before security flaws can potentially be exploited in the wild by adversaries.
The fixed versions include 3002.1, 3001.3, and 3000.5 depending on what branch of Salt you are using. The company has also made patches available for older versions, such as 2019.x.
SaltStack has provided some additional tips on how to harden your Salt instances, in addition to patching for new vulnerabilities that may be discovered from time to time.
It remains questionable, despite making an advance partial disclosure, whether Election Day is ever the right time to disclose critical vulnerabilities—especially considering the fixed versions have also been released today, coinciding with the full disclosure.
Users can download the fixed releases from PyPI downloads as of now. More information is also available in the November 3, 2020 advisory.