Salt Bugs Allow Full RCE as Root on Cloud Servers

salt security vulnerabilities

Researchers say the bugs are easy to exploit and will likely be weaponized within a day.

The open-source Salt management framework contains high-severity security vulnerabilities that allow full remote code execution as root on servers in data centers and cloud environments. And in-the-wild attacks are expected imminently.

According to F-Secure researchers, the framework, authored by the company SaltStack but also used as an open-source configuration tool to monitor and update the state of servers, has a pair of flaws within its default communications protocol, known as ZeroMQ.

A bug tracked as CVE-2020-11651 is an authentication bypass issue, while CVE-2020-11652 is a directory-traversal flaw where untrusted input (i.e. parameters in network requests) is not sanitized correctly. This in turn allows access to the entire filesystem of the master server, researchers found.

The bugs are especially dangerous given the topography of the Salt framework.

“Each server [managed by Salt] runs an agent called a ‘minion,’ which connects to a ‘master,'” explained F-Secure, in a writeup on Thursday. “[A master is a] Salt installation that collects state reports from minions and publishes update messages that minions can act on.”

These update messages are usually used to change the configuration of a selection of servers, but they can also be used to push out commands to multiple, or even all, of the managed systems, researchers said. An adversary thus can compromise the master in order to send malicious commands to all of the other servers in the cluster, all at the same time.

Lapses in Protocol

To communicate, the master uses two ZeroMQ channels. As F-Secure explained, one is a “request server” where minions can connect to report their status (or the output of commands). The other is a “publish server” where the master publishes messages that the minions can connect and subscribe to.

The authentication bypass can be achieved because the ClearFuncs class processes unauthenticated requests and unintentionally exposes the “_send_pub().” This is the method used to queue messages from the master publish server to the minions – and thus can be used to send arbitrary commands. Such messages can be used to trigger minions to run arbitrary commands as root.

Also, “the ClearFuncs class also exposes the method _prep_auth_info(), which returns the root key used to authenticate commands from the local root user on the master server. This root key can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master.”

As for the directory traversal, the “wheel” module contains commands used to read and write files under specific directory paths.

“The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction,” according to the writeup. “The get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing…the reading of files outside of the intended directory.”

The bugs together allow attackers “who can connect to the request server port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the master server filesystem and steal the secret key used to authenticate to the master as root,” according to the firm.

According to the National Vulnerability Database, “The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.”

Exploits in Less Than a Day

F-Secure said that it expects to see attacks in the wild very shortly.

“We expect that any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours,” the researchers said, citing the “reliability and simplicity” of exploitation.

Unfortunately, the firm also said that a preliminary scan has revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet.

Patches are available in release 3000.2. Also, “adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks,” F-Secure concluded.

To detect a compromise, ASCII strings “_prep_auth_info” or “_send_pub”  will show up in the request server port data (default 4506).

Also on the detection front, “published messages to minions are called ‘jobs’ and will be saved on the master (default path /var/cache/salt/master/jobs/). These saved jobs can be audited for malicious content or job IDs (‘jids’) that look out of the ordinary,” F-Secure noted.

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.

Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.


Suggested articles