Multiple Vulnerabilities in SaltStack Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2020-058
Date(s) Issued: 
Monday, May 4, 2020
Subject: 
Multiple Vulnerabilities in SaltStack Could Allow for Arbitrary Code Execution
Overview: 

OVERVIEW:

Multiple vulnerabilities have been discovered in SaltStack, the most severe of which could allow for arbitrary code execution. Salt is an open-source remote task and configuration management framework widely used in data centers and cloud servers. Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

 

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 
  • SaltStack Salt versions prior to 2019.2.4
  • SaltStack Salt 3000 versions prior to 3000.2
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
Low
Description: 

Multiple vulnerabilities have been discovered in SaltStack, the most severe of which could allow for arbitrary code execution. The vulnerabilities are as follows:

 

  • Improper method call validation that could allow for Arbitrary Code Execution. (CVE-2020-11651)
  • Improper method path sanitization that could allow for Arbitrary Directory Access. (CVE-2020-11652)

 

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution on Salt minions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Actions: 
  • Verify no unauthorized system modifications have occurred on system before applying patch.
  • After appropriate testing, immediately apply updates provided by SaltStack to affected systems.
  • Apply the Principle of Least Privilege to all systems and services.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products. 
References: 

SaltStack:

https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html

https://docs.saltstack.com/en/latest/topics/releases/3000.2.html

 

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11652

Office of Information Technology Services

Other Information

Language Access

Register to Vote

Sign up online or download and mail your application. Register Now