Alert Logic® is actively investigating new vulnerabilities in the open-source Salt management framework – CVE-2020-11651 and CVE-2020-11652. These vulnerabilities allow full remote code execution as root on servers in data centers and cloud environments. Exploit code has been released into the public domain, and we have observed attacks against our customer base using these vulnerabilities.
Customers running versions of SaltStack before version 3000.2 (released April 29, 2020) may be affected by these vulnerabilities. Updating to version 3000.2 is recommended to mitigate them. For more information about patches and other mitigation options, refer to the Recommendations for Mitigation section in this article.
CVE-2020-11651 is an authentication bypass where functionality is unintentionally exposed to unauthenticated network clients. CVE-2020-11652 is a directory traversal vulnerability where untrusted input is not sanitized correctly, allowing unconstrained access to the entire filesystem of the master server. Both vulnerabilities allow an attacker to remotely control victim hosts and execute code, install persistence, and laterally move throughout the network.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has developed authenticated and unauthenticated vulnerability scan coverage to identify vulnerable assets.
Network IDS: Alert Logic is currently deploying telemetry signatures and vulnerability-specific signatures to enable monitoring by the Alert Logic Security Operations Center.
Web Application Firewall: Because the attack traffic is ZeroMQ rather than HTTP, it cannot be detected by web application firewalls.
Log Management: At this time, it is not expected that log detection is appropriate for this threat; however, Alert Logic will continue this assessment.
Recommendations for Mitigation
SaltStack patched these vulnerabilities in release 3000.2. Users of Salt are encouraged to make sure that their installs are configured to automatically pull updates from the SaltStack repository server. A patched release of the previous major version, 2019.2.4, is also available.
It is also recommended to add network security controls that restrict inbound ZeroMQ traffic to the Salt master (TCP ports 4505 and 4506). Refer to hardening tips from SaltStack for more information.
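The two recommendations above, as an added example that is not Alert Logic's or SaltStack's own code: a POSIX shell function that decides whether a reported Salt version is at or above the fixed release for its branch (3000.2 for the 3000 series, 2019.2.4 for the 2019.2 series, as stated in this article; later series are treated as patched, and any other branch as unpatched), and a second function that emits an nftables ruleset limiting TCP ports 4505 and 4506 to an allowlist of minion subnets. The allowlist CIDRs, the table name `salt`, and the set name `minions` are assumptions chosen for the example; the ruleset is printed so it can be reviewed before being loaded with `nft -f`.

```shell
#!/bin/sh
# Added example: patch-level check and port restriction for a Salt master.
# Fixed releases named in the advisory: 3000.2 and 2019.2.4.

# salt_is_patched VERSION
#   Returns 0 when VERSION carries the fix for CVE-2020-11651/11652, 1 otherwise.
#   Assumes the plain version string Salt reports (e.g. "3000.1", "2019.2.4").
salt_is_patched() {
    v="$1"
    major=${v%%.*}
    case "$major" in
        3000)
            # 3000, 3000.1 are vulnerable; 3000.2 and later point releases are fixed.
            minor=${v#3000}
            minor=${minor#.}
            [ "${minor:-0}" -ge 2 ]
            ;;
        2019)
            # Only 2019.2.x received a fixed release on this branch (2019.2.4).
            rest=${v#2019.}
            branch=${rest%%.*}
            patch=${rest#*.}
            [ "$patch" = "$rest" ] && patch=0
            [ "$branch" -eq 2 ] && [ "$patch" -ge 4 ]
            ;;
        *)
            # Series after 3000 were cut after the fix; anything else is treated
            # as unpatched so that it is reviewed rather than silently accepted.
            [ "$major" -gt 3000 ] 2>/dev/null
            ;;
    esac
}

# salt_master_nft_rules "CIDR CIDR ..."
#   Prints an nftables ruleset (inet family) that accepts the Salt publish and
#   request ports only from the listed minion subnets and drops everything else
#   aimed at those ports. Table and set names are assumptions for the example.
salt_master_nft_rules() {
    elems=$(printf '%s' "$1" | tr ' ' ',')
    cat <<EOF
table inet salt {
    set minions { type ipv4_addr; flags interval; elements = { $elems } }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { 4505, 4506 } ip saddr @minions accept
        tcp dport { 4505, 4506 } drop
    }
}
EOF
}

# Usage when run directly: ./salt_check.sh 3000.1 "10.0.0.0/24 10.1.0.0/24"
if [ -n "${1:-}" ]; then
    if salt_is_patched "$1"; then echo "$1: patched"; else echo "$1: NOT patched"; fi
    [ -n "${2:-}" ] && salt_master_nft_rules "$2"
fi
```

Run the version check against the output of `salt-master --version` on each master, and load the printed ruleset only after confirming the allowlist covers every minion subnet, since the final `drop` rule will cut off any minion that is not listed.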
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available.
05/05/2020: Unauthenticated vulnerability scan coverage is now available to identify vulnerable assets without credentials.