mood Posted March 1, 2021

Minion privilege escalation exploit patched in SaltStack Salt project

The bug permitted attackers to perform privilege escalation attacks in the automation software.

The Salt Project has patched a privilege escalation bug impacting SaltStack Salt minions that could be used during a wider exploit chain. The vulnerability, CVE-2020-28243, is described as a privilege escalation bug impacting SaltStack Salt minions allowing "an unprivileged user to create files in any non-blacklisted directory via a command injection in a process name." The bug has been given a severity rating of 7.0 and impacts Salt versions before 3002.5.

SaltStack's Salt is an open source project and software designed for automation and infrastructure management. In November, Immersive Labs' security researcher Matthew Rollings performed a scan on the tool using Bandit, a Python application security scanner, and came across the bug as a result.

Salt includes a master system and minions, of which the latter facilitates commands sent to the master, and both often run as root. Rollings discovered a command injection vulnerability in minions when the master system summons a process called restartcheck. Exploits can be triggered if attackers use crafted process names, permitting local users to escalate their privileges to root -- as long as they are able to create files on a minion in a non-forbidden directory.

With further investigation, the researcher noted it may also be possible to perform container escapes, including performing the exploit "within a container to gain command execution as root on the host machine." In addition, Rollings said the vulnerability "may be performed by an attacker without local shell access, [and] under certain circumstances, remote users can influence process names." However, this form of attack is considered "unlikely" and could be difficult to trigger.
The Salt Project resolved the vulnerability in a February security release. The group also patched other high-impact bugs including CVE-2021-3197, a shell injection flaw in Salt-API's SSH client; CVE-2021-25281, an eAuth security issue that could allow remote attackers to run any wheel modules on the master; and CVE-2021-25283, a failure to protect against server-side template injection attacks.

ZDNet has reached out to the Salt Project and will update when we hear back.

Source: Minion privilege escalation exploit patched in SaltStack Salt project
mood Posted March 3, 2021

Proof of concept code published for latest Saltstack CVE: Don't be an update laggard

Any user could become root, warns Immersive Labs researcher

Proof of concept code has been published for a vulnerability in popular data centre security management tool Saltstack, which was discovered after a developer at Immersive Labs found a privilege escalation bug allowing any old user to become root.

SaltStack offers open-source, Python-based automation tools and was acquired by VMware in October last year. The latest CVE is a command injection flaw leading to the priv-esc flaw, according to Immersive Labs, whose Matt Rollings found the vuln.

Numbered CVE-2020-28243, the bug has a CVSSv3.0 rating of 7.0. Not only does it affect all versions of Salt between 2016.3.0rc2 and 3002.2, but it also "could be performed from within a container to gain command execution as root on the host machine," as Rollings warned.

"This allowed any local user to escalate their privileges to root, provided they were able to create files on the minion in a directory that was not explicitly forbidden," wrote Rollings in a blog post with his findings.

Salt runs through a master-minion setup. Minions receive and execute commands from the master Salt device, which is a server that issues commands to the minions connected to it. Minions occasionally summon a process called restartcheck. Crafted process names could be fed to restartcheck. This can be done "when the process has open file descriptors associated with (deleted) at the end of a filename" as Rollings warned, adding: "Note, the leading space is required for the injection to function."

The Salt Project itself patched the vuln in February, at the time warning: "In the recent past, we have gone above and beyond our lifecycle policy in good faith to fix critical issues in versions no longer supported. Going forward, this will be the exception and not standard practice."

Proof of concept code for the exploit has also been published on Github, meaning orgs using Saltstack really should update it immediately if they haven't already done so.

Source: Proof of concept code published for latest Saltstack CVE: Don't be an update laggard
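Added example, not code from either article or from the Salt project: a small fleet-triage helper that parses Salt's version strings (both the date-based 2016.x/2019.x scheme and the 3000+ scheme, which both appear in the affected range quoted above) and flags versions that fall between 2016.3.0rc2 and the 3002.5 fix. The Register gives 3002.2 as the last affected version while ZDNet says "before 3002.5", so the check conservatively treats anything below 3002.5 as affected. The inventory lines and hostnames are constructed, and the names parse_version, is_affected and triage are this example's own.

```python
"""Triage helper for CVE-2020-28243: flag Salt minions whose reported version
falls in the affected range (2016.3.0rc2 up to, but not including, 3002.5).
Example code added to this thread; not part of Salt."""
import re
from typing import Dict, Tuple

# Constructed sample of collected "host package version" lines, e.g. what a
# fleet inventory job might gather from `salt-minion --version` on each host.
SAMPLE_INVENTORY = """\
minion-a salt-minion 3002.2
minion-b salt-minion 3002.5
minion-c salt-minion 2019.2.8
minion-d salt-minion 3000.9
minion-e salt-minion 2016.3.0rc1
"""

# Salt versions look like 2016.3.0, 2016.3.0rc2, 2019.2.8, 3000, 3000.9, 3002.2.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(rc\d+)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Salt version string into a tuple that compares correctly.

    Missing minor/patch components count as 0 ("3000" == "3000.0.0"). A release
    candidate must sort before the final release with the same number, so the
    rc is stored as a negative offset (rc1 -> -999, rc2 -> -998, final -> 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Salt version: {text!r}")
    major, minor, patch, rc = m.groups()
    rc_rank = 0 if rc is None else int(rc[2:]) - 1000
    return (int(major), int(minor or 0), int(patch or 0), rc_rank)


# Bounds taken from the two articles above.
FIRST_AFFECTED = parse_version("2016.3.0rc2")
FIXED = parse_version("3002.5")


def is_affected(version: str) -> bool:
    """True when the version is at or after 2016.3.0rc2 and before the 3002.5 fix."""
    v = parse_version(version)
    return FIRST_AFFECTED <= v < FIXED


def triage(inventory: str) -> Dict[str, bool]:
    """Map each host in an inventory text to whether its Salt version is affected.

    Each line is expected as "<host> <package> <version>"; malformed lines are
    skipped rather than silently marked safe.
    """
    result: Dict[str, bool] = {}
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host, version = parts[0], parts[-1]
        result[host] = is_affected(version)
    return result


if __name__ == "__main__":
    for host, affected in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'UPDATE NEEDED' if affected else 'ok'}")
```

The rc handling matters here because the lower bound itself is a release candidate: 2016.3.0rc1 is outside the range the Register quotes while 2016.3.0rc2 is inside it, and a naive string comparison would get that wrong.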