F-Secure researchers have discovered two vulnerabilities earlier this March and disclosed on Thursday. SaltStack released a patch (version 3000.2) addressing the issues, rated with CVSS score 10 after the disclosure. The two vulnerabilities affect thousands of data centers.
SaltStack’s open-source Salt project offers a configuration tool to manage servers in datacenters and cloud environments. According to F-Secure, the vulnerabilities allocated CVE ids CVE-2020-11651 and CVE-2020-1165 are of two different classes. F-Secure describes these two vulnerabilities as:
“One being authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other being directory traversal where untrusted input (i.e. parameters in network requests) was not sanitized correctly allowing unconstrained access to the entire filesystem of the master server.”
These two bugs, authentication bypass vulnerability and directory traversal vulnerability, allow an attacker who can connect to the “request server” port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the “master” server filesystem and steal the secret key used to authenticate to the master as root.
Salt uses ZeroMQ as a communication protocol. The master exposes two ZeroMQ instances, including request server and publish server. According to F-Secure researchers, the pair of flaws reside within the tool’s ZeroMQ protocol.
“The vulnerabilities described in this advisory allow an attacker who can connect to the ‘request server’ port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it.”
This means that an attacker can exploit the flaws to call administrative commands on the master server while queue messages directly on the master publish server.