-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1756
         salt -- multiple vulnerabilities in salt-master process
                                18 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           salt
Publisher:         FreeBSD
Operating System:  FreeBSD
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11652 CVE-2020-11651
Reference:         ESB-2020.1607.2
                   ESB-2020.1547

Original Bulletin:
   http://www.vuxml.org/freebsd/6bf55af9-973b-11ea-9f2c-38d547003487.html

- --------------------------BEGIN INCLUDED TEXT--------------------

salt -- multiple vulnerabilities in salt-master process

Affected packages

  py27-salt < 2019.2.4     3000 <= py27-salt < 3000.2
  py32-salt < 2019.2.4     3000 <= py32-salt < 3000.2
  py33-salt < 2019.2.4     3000 <= py33-salt < 3000.2
  py34-salt < 2019.2.4     3000 <= py34-salt < 3000.2
  py35-salt < 2019.2.4     3000 <= py35-salt < 3000.2
  py36-salt < 2019.2.4     3000 <= py36-salt < 3000.2
  py37-salt < 2019.2.4     3000 <= py37-salt < 3000.2
  py38-salt < 2019.2.4     3000 <= py38-salt < 3000.2

Details

  VuXML ID   6bf55af9-973b-11ea-9f2c-38d547003487
  Discovery  2020-04-30
  Entry      2020-05-16

F-Secure reports:

CVE-2020-11651 - Authentication bypass vulnerabilities

The ClearFuncs class processes unauthenticated requests and unintentionally
exposes the _send_pub() method, which can be used to queue messages directly
on the master publish server. Such messages can be used to trigger minions to
run arbitrary commands as root.

The ClearFuncs class also exposes the method _prep_auth_info(), which returns
the "root key" used to authenticate commands from the local root user on the
master server. This "root key" can then be used to remotely call
administrative commands on the master server. This unintentional exposure
provides a remote unauthenticated attacker with root-equivalent access to
the salt master.

CVE-2020-11652 - Directory traversal vulnerabilities

The wheel module contains commands used to read and write files under
specific directory paths. The inputs to these functions are concatenated
with the target directory and the resulting path is not canonicalized,
leading to an escape of the intended path restriction.

The get_token() method of the salt.tokens.localfs class (which is exposed to
unauthenticated requests by the ClearFuncs class) fails to sanitize the token
input parameter, which is then used as a filename. This allows insertion of
".." path elements and thus reading of files outside of the intended
directory. The only restriction is that the file has to be deserializable by
salt.payload.Serial.loads().

References

  CVE Name  CVE-2020-11651
  CVE Name  CVE-2020-11652
  URL  https://blog.f-secure.com/new-vulnerabilities-make-exposed-salt-hosts-easy-targets/
  URL  https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
  URL  https://labs.f-secure.com/advisories/saltstack-authorization-bypass
  URL  https://nvd.nist.gov/vuln/detail/CVE-2020-11651
  URL  https://nvd.nist.gov/vuln/detail/CVE-2020-11652
  URL  https://www.tenable.com/blog/cve-2020-11651-cve-2020-11652-critical-salt-framework-vulnerabilities-exploited-in-the-wild

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.
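The two bug classes described in the included F-Secure text above, reduced to a self-contained Python example. This is an added illustration and is not part of this bulletin, nor is it SaltStack's ClearFuncs or salt.tokens.localfs code: the MasterFuncs class, the dispatch_* functions, the token directory layout and the root-key string are all invented for the example. It shows (1) why reflective dispatch by attribute name reaches private helpers such as a _prep_auth_info() lookalike, and how an explicit allowlist closes that, and (2) why joining caller input onto a directory without canonicalising lets ".." escape, and how a realpath-plus-commonpath check closes that.

```python
"""Illustrative example only. Not SaltStack code; every name here is invented.

Pattern 1 (the CVE-2020-11651 bug class): a handler whose commands are looked
up with getattr() exposes every attribute, including private helpers.
Pattern 2 (the CVE-2020-11652 bug class): a filename built from caller input
is joined onto a base directory and never canonicalised.
"""
import os
import tempfile


class MasterFuncs:
    """Hypothetical stand-in for a master-side request handler."""

    # Allowlist used by the hardened dispatcher: only these are public.
    PUBLIC = frozenset({"ping", "get_token_safe"})

    def __init__(self, token_dir):
        self.token_dir = token_dir
        self.root_key = "root-key-constructed-for-example"  # constructed value

    def ping(self):
        """Intended to be reachable by unauthenticated callers."""
        return "pong"

    def _prep_auth_info(self):
        """Intended for local trusted use only; returns the master root key."""
        return self.root_key

    def get_token(self, token):
        """Unsafe: caller-controlled token becomes a filename unchecked."""
        path = os.path.join(self.token_dir, token)
        with open(path) as fh:
            return fh.read()

    def get_token_safe(self, token):
        """Hardened: canonicalise, then require the result to stay under base."""
        base = os.path.realpath(self.token_dir)
        path = os.path.realpath(os.path.join(base, token))
        if os.path.commonpath([base, path]) != base:
            raise PermissionError(f"token path escapes {base}: {path}")
        with open(path) as fh:
            return fh.read()


def dispatch_vulnerable(handler, request):
    """Reflective dispatch: any attribute named in the request is callable."""
    func = getattr(handler, request["cmd"])
    return func(**request.get("kwargs", {}))


def dispatch_hardened(handler, request):
    """Allowlist dispatch: only names in handler.PUBLIC are reachable."""
    cmd = request["cmd"]
    if cmd not in handler.PUBLIC:
        raise PermissionError(f"command not exposed: {cmd!r}")
    return getattr(handler, cmd)(**request.get("kwargs", {}))


def build_fixture():
    """Constructed layout: <root>/tokens/abc123 (legit) and <root>/secret."""
    root = tempfile.mkdtemp()
    token_dir = os.path.join(root, "tokens")
    os.mkdir(token_dir)
    with open(os.path.join(token_dir, "abc123"), "w") as fh:
        fh.write("token-for-user-alice")
    with open(os.path.join(root, "secret"), "w") as fh:
        fh.write("outside-the-token-dir")
    return root, token_dir


def demo():
    """Run both patterns, vulnerable and hardened, and return the outcomes."""
    _, token_dir = build_fixture()
    handler = MasterFuncs(token_dir)
    results = {}

    # 1. Reflective dispatch hands the root key to an unauthenticated caller.
    results["leak"] = dispatch_vulnerable(handler, {"cmd": "_prep_auth_info"})
    try:
        dispatch_hardened(handler, {"cmd": "_prep_auth_info"})
        results["blocked"] = False
    except PermissionError:
        results["blocked"] = True

    # 2. A ".." token reads a file outside the token directory.
    results["traversal"] = handler.get_token("../secret")
    try:
        handler.get_token_safe("../secret")
        results["traversal_blocked"] = False
    except PermissionError:
        results["traversal_blocked"] = True
    results["legit"] = handler.get_token_safe("abc123")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The commonpath check is deliberately done on the realpath of both sides, so symlinks inside the token directory that point outside it are also rejected; a prefix comparison on the uncanonicalised string would miss both that and a sibling directory whose name merely starts with the base name.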
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXsIRL+NLKJtyKPYoAQhlOg//XifCWXFWUrRE4buQKA1kRDkK1Aizk9DO
MY4NxK/ZGOoC3mA0nnV0P7tW7+RTa3iNfHg2XtwIqbCl3ILa2M6CL7zDVA9WeQnZ
x1FOkAME80Evdhyl41TQ5PmJLTLqxEY+fQ2hUqhDucrKP46iSRjMZ5eSovQVrUQd
5e6EcOvcwoBWdJKYe+FmdMa6tyxjxk09xB77z4MP1vvWgunwAun9IP6t4Sufldrg
8qNtCcWSDQIICr4SEPI4x8WzcXfalPc27yeb24R2eAwz3dPdYcWdtGGscqHTTLVg
Xg3toaE3zisxQl3IFgyzOirbjmKK0ri1p5ZGwefvfJGUYXM3eWzcFeHNOun2iguH
ks1vF4o1PesSiB2G00jKfI3FMJ0M8vsEA3m/ycEE0cKm8xJqipAYYqpjB5R3Cdyk
WOXrBOYyjxzQydm4IEATkdoQbp5OBV+0cL0SGyrXscEPb1vGETyvvcflr5pMZiM9
Oit9qMDbjAuVGFWPvK+Ke9PqYr88oUrWElVmWZy9VzFJS9U2vl6DCsmsOEXqvVtE
oj0QLksspWIFMdYqdteCD2zoyHMSLleak8eRjV9+ASpacXA572qL2h3+PbUpjQ1/
St7jGmnM5lJzHDkGRjtCLhSqd7zNWBr2vOaugB1D0gYddBwDRlX2HyIGR74HKn4m
4uITEqMFpXU=
=lMkZ
-----END PGP SIGNATURE-----