Two serious vulnerabilities were found in the open-source SaltStack Salt configuration framework that could allow an attacker to execute arbitrary code on remote servers deployed in data centers and cloud environments.
F-Secure researchers discovered the vulnerabilities in early March; they were announced on Thursday, a day after SaltStack released a patch (version 3000.2) to fix the issues, which SaltStack rated with a CVSS score of 10.
The cybersecurity company said: “The vulnerabilities, assigned CVE-2020-11651 and CVE-2020-11652, are of two different classes.”
“One is an authentication bypass, where functionality is accidentally exposed to unauthenticated network clients, and the other allows unrestricted access to the entire file system of the master server, where untrusted input (i.e. parameters in network requests) is not properly filtered.”
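The second class F-Secure describes, a client-supplied path parameter reaching file-system operations without sanitization, is the defect a path-confinement check is meant to prevent. The following is an added illustration, not Salt's own code and not the 3000.2 patch: it resolves a requested path against a configured root and rejects anything that escapes it. The root directory `/srv/salt` and the sample requests are constructed for the example.

```python
import os
from typing import Optional


def confine_path(root: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` only if it stays inside `root`.

    Returns None for anything that escapes the root: '..' sequences,
    absolute paths (os.path.join discards `root` when `requested` is
    absolute, so the check below catches them) and symlinks that point
    outside the tree (realpath follows existing symlinks).
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:
        # Raised on Windows when the two paths are on different drives;
        # that can never be "inside", so reject it.
        inside = False
    return candidate if inside else None


def check_requests(root: str, requests: list) -> dict:
    """Map each requested path to True (allowed) or False (rejected)."""
    return {req: confine_path(root, req) is not None for req in requests}


if __name__ == "__main__":
    # Constructed sample requests: two legitimate file names, one
    # traversal attempt and one absolute path.
    samples = ["top.sls", "a/../b.sls", "../../etc/passwd", "/etc/shadow"]
    for req, allowed in check_requests("/srv/salt", samples).items():
        print(f"{'ALLOW ' if allowed else 'REJECT'} {req}")
```

Resolving with `realpath` before comparing matters: a purely lexical check on the string would accept a symlink inside the root that points elsewhere, and a check that merely looks for `..` would miss an absolute path. The comparison uses `commonpath` rather than `startswith`, so a sibling directory such as `/srv/salt2` is not mistaken for a child of `/srv/salt`.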
Researchers warned that the flaws could be exploited imminently. SaltStack also urged users to follow best practices to secure their Salt environments.
Vulnerabilities in the ZeroMQ Protocol
Salt is a powerful Python-based remote execution and automation engine designed to let users issue commands to many machines directly.
Designed as a utility for monitoring and updating server state, Salt uses a master-slave architecture (the managed nodes are called “minions”) that automates pulling configuration and software updates from a central repository, with a “master” node that distributes the changes.
Communication between the master and the minions runs over the ZeroMQ message bus. The master server exposes two ZeroMQ channels: a “request server”, to which the minions report the results of command execution, and a “publish server”, on which the master broadcasts messages that the minions connect to and subscribe to.
According to F-Secure researchers, the pair of flaws lies in the tool’s ZeroMQ protocol.
“The vulnerabilities described in this advisory allow an attacker who can connect to the ‘request server’ port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the ‘master’ server file system, and steal the secret key used to authenticate to the master as root.”
“The impact is full remote command execution as root on both the master and all minions that connect to it.”
In other words, an attacker could exploit the vulnerabilities to invoke administrative commands on the master server, or make the minions execute malicious commands by publishing messages directly to the master server.