
Tenable Blog


CVE-2020-11651, CVE-2020-11652: Critical Salt Framework Vulnerabilities Exploited in the Wild

Shortly after the public disclosure of critical vulnerabilities in the Salt framework, exploitation attempts were observed, as two open source projects were breached using these flaws

Update 05/04/20: The proof-of-concept section has been updated to reflect the availability of PoC scripts.

Background

On April 30, F-Secure Labs published an advisory for two vulnerabilities in the open-source and commercial Salt management framework, which is used in data centers and cloud environments as a configuration, monitoring, and update tool. Salt utilizes a “master” server that controls agents known as “minions” that collect data for the system and carry out tasks. All versions prior to 2019.2.4 and 3000.2 are vulnerable.

Analysis

CVE-2020-11651 is an authentication bypass in two methods of the ClearFuncs class. The first method, _send_pub(), is unintentionally exposed, allowing an attacker to queue messages on the master server that can be used to cause minion agents to execute arbitrary code. The second method, _prep_auth_info(), allows remote command execution on the master server, since an attacker can obtain the “root key,” which is used to authenticate commands sent to the master server from a local machine.

CVE-2020-11652 is a directory traversal security flaw in the “wheel” module that is used to read and write files. The get_token() method of the salt.tokens.localfs module allows the insertion of “..” path elements, and in turn the reading of files outside of the intended directory. This occurs because the token input parameter, which is used as a filename, is not correctly sanitized; the only limitation is that “the file has to be deserializable by salt.payload.Serial.loads().”
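The traversal described above comes down to an untrusted token id being joined onto a directory path without being confined to that directory. The following Python is an added illustration, not SaltStack's code or its patch: it places the unchecked join pattern beside a hardened resolver that accepts only a single plain path component and then verifies that the normalized result is still a direct child of the token directory. The directory path, the `token_path_*` and `is_inside` names, and the alphanumeric-only rule are assumptions made for the example.

```python
import posixpath

# Constructed example directory; the page does not give the real token
# directory, so this path is an assumption used only for illustration.
TOKEN_DIR = "/var/cache/salt/master/tokens"


def token_path_unchecked(token: str) -> str:
    """Unchecked pattern: the caller-supplied token id is joined straight onto
    the token directory, so '..' components (or an absolute path) move the
    resulting path outside TOKEN_DIR."""
    return posixpath.join(TOKEN_DIR, token)


def is_inside(path: str, base: str = TOKEN_DIR) -> bool:
    """True if the normalized path is base itself or lies beneath it.
    posixpath is used explicitly so the result does not depend on the host OS."""
    normalized = posixpath.normpath(path)
    return posixpath.commonpath([normalized, base]) == base


def token_path_checked(token: str) -> str:
    """Hardened pattern (assumed for the example, not Salt's actual fix):
    1. the token must be a single, non-empty, alphanumeric path component;
    2. the normalized result must still be a direct child of TOKEN_DIR.
    Either check alone stops '..' traversal; keeping both means a later change
    to the character rule cannot silently reopen the escape."""
    if not token or not token.isalnum():
        raise ValueError("token id must be a non-empty alphanumeric string")
    candidate = posixpath.normpath(posixpath.join(TOKEN_DIR, token))
    if posixpath.dirname(candidate) != TOKEN_DIR:
        raise ValueError("token id resolves outside the token directory")
    return candidate
```

The second check in `token_path_checked` is the one worth copying into any file-backed token or session store: normalize first, then compare the parent directory of the result against the directory you intended, rather than trying to enumerate bad substrings in the input.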

Both of these vulnerabilities are exploitable by a remote, unauthenticated attacker. Combining these two vulnerabilities could result in “full remote command execution as root on both the master and all minions that connect to it” and could be used to configure new resources on cloud instances. F-Secure also noted in their advisory that a “scan revealed over 6,000 instances of this service exposed to the public Internet” and that “any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours.”

LineageOS breached as active exploitation attempts begin

On May 2, LineageOS, a free and open-source Android OS, published a tweet stating that an attacker used a SaltStack vulnerability to gain access to their infrastructure. LineageOS noted that signing keys, builds and source code were unaffected, but the incident resulted in some downtime. LineageOS says they will continue to update their status here.

On May 3, reports of active exploitation of these vulnerabilities surfaced, with Kevin Breen of Immersive Labs posting to his Twitter feed evidence of attacks against his SaltStack honeypots. Kevin followed up on his original tweet, stating that “this was against 3 geographically dispersed honeypots. So it's internet-wide scan and exploit,” and noted that the payload was run on all of the connected minions rather than on the salt master.

Ghost blogging platform breached using these vulnerabilities

On May 3, Ghost, an open-source blogging platform, was the victim of a cyberattack. An investigation was started and is being tracked here. Ghost has since confirmed that attackers exploited “a critical vulnerability in our server management infrastructure (Saltstack, CVE-2020-11651 CVE-2020-11652)” to breach their systems. They first became aware of the intrusion when the attackers used these vulnerabilities in an attempt to mine cryptocurrency on their servers, which caused a spike in CPU usage and eventually overloaded their systems.

Proof of concept

F-Secure stated in their advisory they will not be releasing their proof of concept (PoC) for these vulnerabilities. However, several PoC scripts [1, 2, 3, 4] have since been published to GitHub.

Our blog previously referenced a GitHub gist from Ollie Whitehouse, chief technical officer at NCC Group, as a PoC. However, the gist is not a PoC, but rather a list of commands observed post-compromise.

Solution

The SaltStack engineers patched these vulnerabilities in versions 2019.2.4 and 3000.2, which were released on April 29. If it is not possible to patch at this time, it is advised to add “network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet.”

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.
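The patched versions given in the Solution section define a two-branch rule: a host is affected if it runs anything before 2019.2.4, or 3000 or 3000.1. The following Python is an added example for the Solution and Identifying affected systems sections, not a Tenable plugin or SaltStack tooling: it parses a Salt version string and applies that rule so a list of reported versions can be triaged offline. The inventory is constructed, and the parser assumes the reported text carries the version as its first dotted number (as in `salt-master 3000.1`); that output shape is an assumption, not something the page states.

```python
import re
from typing import Dict, List, Tuple

# First fixed release on each affected branch, taken from the advisory.
FIXED_2019_BRANCH = (2019, 2, 4)
FIXED_3000_BRANCH = (3000, 2)

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_salt_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted number from a version string such as
    '3000.1' or 'salt-master 2019.2.3' (the second form is the assumed shape
    of version output) and return it as a comparable tuple of ints."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(text: str) -> bool:
    """Apply the advisory's rule: everything before 2019.2.4 is affected, as
    is the 3000 branch before 3000.2. Tuple comparison copes with the two
    version schemes having different lengths (2019.2.x vs 3000.x)."""
    v = parse_salt_version(text)
    if v < FIXED_2019_BRANCH:
        return True
    if (3000,) <= v < FIXED_3000_BRANCH:
        return True
    return False


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return, sorted, the hostnames whose reported version is still affected."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed inventory for the example; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "salt-master-01": "salt-master 3000.1",
    "salt-master-02": "salt-master 3000.2",
    "legacy-master": "salt-master 2018.3.4",
    "staging-master": "salt-master 2019.2.4",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update to 2019.2.4 or 3000.2")
```

A version check of this kind only tells you which masters still need the update; it does not confirm that ports 4505 and 4506 are unreachable from the wider Internet, so pair it with the network restriction the advisory recommends.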

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
