F-Secure researchers have found two critical vulnerabilities in the open source SaltStack Salt configuration-management framework, which is widely used in data centers and cloud environments. Both issues scored 10 out of 10 on the CVSS scale, and both allow remote execution of arbitrary code.
The vulnerabilities have been assigned the identifiers CVE-2020-11651 and CVE-2020-11652 and allow an attacker to execute arbitrary code on remote servers in data centers and cloud environments.
“One vulnerability is an authentication bypass: functionality was mistakenly exposed to unauthenticated network clients. In some cases, an attacker could even obtain a token for root access to the master server and execute arbitrary commands on servers running the salt-minion daemon,” said the F-Secure researchers.
The second bug is a directory traversal caused by insufficient sanitization of untrusted input; as a result it gives unrestricted access to the entire file system of the master server with root privileges.
“Authentication is required to exploit this vulnerability, but it can be obtained by exploiting CVE-2020-11651,” the researchers say.
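A generic illustration of the directory-traversal bug class described above, as an added example: this is not Salt's code and does not reproduce either CVE. `unsafe_join` trusts a client-supplied path the way a vulnerable file-serving handler would; `safe_join` resolves the path and refuses anything that lands outside the base directory. The base directory `/srv/salt` and the requested paths are constructed sample inputs, and a POSIX file system is assumed.

```python
import os


def unsafe_join(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: build a file path straight from client input.

    "../" components in `requested` walk out of base_dir, so a client can read
    (or write) any file the service process may access. Illustrative only;
    this is not Salt's code.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_join(base_dir: str, requested: str) -> str:
    """Hardened pattern: resolve the path, then prove it is still under base_dir.

    Raises PermissionError for absolute paths, embedded NUL bytes and any path
    that, after "..", "." and symlinks are collapsed, lands outside base_dir.
    """
    if "\x00" in requested:
        raise PermissionError("NUL byte in requested path")
    if os.path.isabs(requested):
        raise PermissionError(f"absolute path not allowed: {requested!r}")
    base_real = os.path.realpath(base_dir)
    # realpath() collapses ".." and follows symlinks, so the containment test
    # below sees the path that would actually be opened.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath() compares whole path components: "/srv/salt2" does not pass
    # as being inside "/srv/salt", which a plain startswith() check would allow.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"path escapes {base_real}: {requested!r}")
    return candidate


def escapes_base(base_dir: str, requested: str) -> bool:
    """True if safe_join() would reject `requested`; handy for bulk checks."""
    try:
        safe_join(base_dir, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a file root of /srv/salt and three client paths.
    base = "/srv/salt"
    for req in ("top.sls", "../../etc/shadow", "states/../../../etc/shadow"):
        print(f"{req!r:35} unsafe -> {unsafe_join(base, req):25} "
              f"rejected by safe_join: {escapes_base(base, req)}")
```

The containment check has to run on the resolved path: normalizing the string and then testing a prefix is not enough once symlinks inside the base directory point elsewhere, which is why `safe_join` calls `realpath` on both sides before comparing.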
Although F-Secure did not publish PoC exploits for these issues, the researchers warned that attackers would most likely build reliable exploits of their own within days, since exploiting the bugs is trivial.
Unfortunately, that is exactly what happened. Several PoC exploits have since appeared online, and the SaltStack Salt vulnerabilities were used to compromise the Ghost blogging platform and the certificate authority DigiCert, which reported that one of its Certificate Transparency log servers had been affected.
Last weekend, compromise through the SaltStack Salt vulnerabilities also hit the infrastructure of LineageOS, an Android-based operating system for smartphones, tablets and set-top boxes.
The incident occurred on Saturday evening and, according to the project's official statement, was detected before the attackers could do any damage. “The hack did not affect the source code, the OS builds or the keys used to sign official builds, which are stored outside the main infrastructure,” the developers say.
After the attack was discovered, the project's staff quickly took the servers offline to investigate the incident and close the gaps the attackers had used. By now almost all services are back online, including the download portal and mirrors, the build server, the mail servers and the wiki.
In some of these incidents the attackers installed backdoors on the compromised servers; in others they deployed cryptocurrency miners.
Mitigation:
The SaltStack Salt developers have already fixed the problems in versions 2019.2.4 and 3000.2, but F-Secure researchers noted that more than 6,000 potentially vulnerable systems are exposed on the internet, and not all of them will be updated in time.
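An added example for triaging a fleet against the fixed versions named above (not code from F-Secure or the Salt project): it pulls the version out of `salt --version` or `salt --versions-report` output and compares it per release branch against 2019.2.4 and 3000.2. The host inventory is constructed sample data; branches with no fixed release named in the article (such as 2018.3) are reported as vulnerable, and treating every major release after 3000 as patched is an assumption.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the article, keyed by release branch. Anything on the
# same branch below the listed version is vulnerable; branches not listed here
# had no fixed release at the time and are reported as vulnerable.
FIXED_VERSIONS = {
    "2019.2": (2019, 2, 4),
    "3000": (3000, 2),
}

# Matches "salt 3000.1", "Salt: 2019.2.3" and a bare "3000": Salt used
# YYYY.M.patch for older branches and a plain counter (3000, 3001, ...) after.
_VERSION_RE = re.compile(r"\b(\d{4})(?:\.(\d+))?(?:\.(\d+))?\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the Salt version tuple from a line of version output."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def branch_of(version: Tuple[int, ...]) -> str:
    """Release branch key: "3000" for 3000.x, "2019.2" for 2019.2.x."""
    if version[0] >= 3000:
        return str(version[0])
    return f"{version[0]}.{version[1]}" if len(version) > 1 else str(version[0])


def is_patched(version: Tuple[int, ...]) -> bool:
    """True if the version is at or above the fixed release for its branch."""
    if version[0] > 3000:
        return True  # Assumption: majors after 3000 were cut after the fix.
    fixed = FIXED_VERSIONS.get(branch_of(version))
    if fixed is None:
        return False  # No fixed release on this branch: treat as vulnerable.
    # Tuple comparison handles a missing patch level: (3000,) < (3000, 2).
    return version >= fixed


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'patched' | 'vulnerable' | 'unknown' from version output."""
    result = {}
    for host, output in inventory.items():
        version = parse_version(output)
        if version is None:
            result[host] = "unknown"
        else:
            result[host] = "patched" if is_patched(version) else "vulnerable"
    return result


# Constructed sample: `salt --version` output collected from five masters.
SAMPLE_INVENTORY = {
    "master01": "salt 3000.1",
    "master02": "salt 2019.2.3 (Fluorine)",
    "master03": "salt 3000.2",
    "master04": "salt 2018.3.5 (Oxygen)",
    "master05": "command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed the function the real output collected from each master (for example over SSH) and treat "unknown" hosts as findings too: a box that cannot report its Salt version still needs a manual look before it is left reachable from the network.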