CVE-2020-11651, CVE-2020-11652: Critical Salt Framework Vulnerabilities Exploited in the Wild

Shortly after the public disclosure of critical vulnerabilities in the Salt framework, exploitation attempts were observed, as two open source projects were breached using these flaws

Update 05/04/20: The proof-of-concept section has been updated to reflect the availability of PoC scripts.

Background

On April 30, F-Secure Labs published an advisory for two vulnerabilities in the open-source and commercial Salt management framework, which is used in data centers and cloud environments as a configuration, monitoring, and update tool. Salt utilizes a “master” server that controls agents known as “minions" that collect data for the system and carry out tasks. All versions prior to 2019.2.4 and 3000.2 are vulnerable.

Analysis

CVE-2020-11651 is an authentication bypass in two methods of the ClearFuncs class. The first method, _send_pub(), is unintentionally exposed, allowing an attacker to queue messages on the master server that can be used to cause minion agents to execute arbitrary code. The second method, _prep_auth_info() allows for the remote execution of commands on the master server as an attacker can obtain the “root key,” which is used to authenticate commands on the master server from a local machine.

CVE-2020-11652 is a directory traversal security flaw in the “wheel” module that is used to read and write files. The get_token() method of the salt.tokens.localfs allows for the insertion of “..” path elements, and in turn the reading of files outside of the intended directory. This occurs due to the failure to correctly sanitize the token input parameter, which is used as a filename with the only limitation being that “the file has to be deserializable by salt.payload.Serial.loads().”

Both of these vulnerabilities are exploitable by a remote, unauthenticated attacker. Combining these two vulnerabilities could result in “full remote command execution as root on both the master and all minions that connect to it" and could be used to configure new resources on cloud instances. F-Secure also noted in their advisory that a “scan revealed over 6,000 instances of this service exposed to the public Internet” and that “any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours."

LineageOS breached as active exploitation attempts begin

On May 2, LineageOS, a free and open-source android OS, published a tweet that an attacker used a SaltStack vulnerability to gain access to their infrastructure. LineageOS noted that signing keys, builds and source code were unaffected, but this incident resulted in some downtime. LineageOS says they will continue to update their status here.

Around 8PM PST on May 2nd, 2020 an attacker used a CVE in our saltstack master to gain access to our infrastructure.

We are able to verify that:
- Signing keys are unaffected.
- Builds are unaffected.
- Source code is unaffected.

See https://t.co/85fvp6Gj2h for more info.

— LineageOS (@LineageAndroid) May 3, 2020

On May 3, reports of active exploitation of these vulnerabilities surfaced, with Kevin Breen of Immersive Labs posting to his Twitter feed evidence of attacks against his SaltStack honeypots. Kevin followed up on his original tweet stating that “this was against 3 geographically dispersed honeypots. So its internet-wide scan and exploit“ to run this payload on all of the connected minions rather than the salt master.

Seeing active exploit attempts for CVE-2020-11651 in the wild @SaltStack @FSecureLabs pic.twitter.com/4v1zN8q3Ux

— KevTheHermit (@KevTheHermit) May 3, 2020

Ghost blogging platform breached using these vulnerabilities

On May 3, Ghost, an open-source blogging platform, was a victim of a cyberattack. An investigation was started and is being tracked here. Ghost since confirmed attackers exploited “a critical vulnerability in our server management infrastructure (Saltstack, CVE-2020-11651 CVE-2020-11652)” to breach their systems. They first became aware when the attackers used these vulnerabilities in an attempt to mine cryptocurrency on their servers, resulting in a spike in CPU usage and eventually overloaded their systems.

Hey there!

Unfortunately some sites on Ghost(Pro) are currently having problems due a critical security vulnerability which is affecting many services around the world today.

We're working as quickly as we can to resolve it, and sharing updates here:https://t.co/0rnXw9Ux6d

— Ghost (@Ghost) May 3, 2020

Proof of concept

F-Secure stated in their advisory they will not be releasing their proof of concept (PoC) for these vulnerabilities. However, several PoC scripts [1, 2, 3, 4] have since been published to GitHub.

Our blog previously referenced a Github gist from Ollie Whitehouse, chief technical officer at NCC Group as a PoC. However, the gist is not a PoC, but rather a list of commands observed post-compromise.

Solution

The SaltStack engineers patched these vulnerabilities in versions 2019.2.4 and 3000.2, which were released on April 29. If it is not possible to patch at this time, it is advised to add “network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet.”

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

Get more information

• F-Secure Advisory for CVE-2020-11651, CVE-2020-11652
• Ollie Whitehouse Github gist for Salt Stack vulnerabilities

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.