@SwitHak
Last active February 4, 2021 10:57
BlueTeam CheatSheet * CVE-2020-11651 * SaltStack | Last updated: 2020-06-03 0938 UTC

CVE-2020-11651 AKA SaltStack RCE

  • Currently no cool name, what are you doing @GossiTheDog ? ;)

General

  • A critical vulnerability has been discovered by the FSECURE Labs team in the SaltStack product.
  • The vulnerability is a Remote Code Execution with the highest CVSS score possible, 10/10, and the CVE number is CVE-2020-11651.
  • There is also another vulnerability, referenced as CVE-2020-11652, discovered at the same time, also by FSECURE.
  • The vulnerability is actively exploited (some say since Saturday morning 2020-05-02) and several exploits are in the wild.
  • We currently know of at least 5 victims; even big names are affected.
  • This is not a drill or something you can patch later, act now.
  • Note: due to a typo, there is a problem with the new release; we recommend correcting the typo in the code once you have updated:
    • Part of the fix for CVE-2020-11651 added better validation of the methods allowed to be called by remote clients.
    • Both AESFuncs and ClearFuncs now have an explicit list of methods that can be called.
    • The name of one of these whitelisted methods on AESFuncs had a typo.
    • The _minion_runner method should be minion_runner (without the underscore prefix).
    • This typo breaks the publish module’s runner method.
    • Calling runners will not work, and you will receive an empty reply from the salt master.
    • This will be addressed in the Sodium release of Salt set for mid-June 2020.

Affected products and versions:

  • SaltStack Salt
    • All before 2019.2.4
    • All before 3000.2

Patches

  • Patches available!
  • Even for the unsupported versions (nice move, SaltStack). Request them here

VMware

VMware vRealize Operations

Exploit status

  • RCE available publicly
  • Actively exploited, several victims
  • Used for mining cryptocurrencies, implanting backdoors and RATs AFAIK

Vulnerability details

Authentication bypass vulnerabilities (CVE-2020-11651)

  • The ClearFuncs class processes unauthenticated requests and unintentionally exposes the _send_pub() method, which can be used to queue messages directly on the master publish server.
  • Such messages can be used to trigger minions to run arbitrary commands as root.
  • The ClearFuncs class also exposes the method _prep_auth_info(), which returns the "root key" used to authenticate commands from the local root user on the master server.
  • This "root key" can then be used to remotely call administrative commands on the master server.
  • This unintentional exposure provides a remote unauthenticated attacker with root-equivalent access to the salt master.

Directory traversal vulnerabilities (CVE-2020-11652)

  • The wheel module contains commands used to read and write files under specific directory paths.
  • The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction.
  • The get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing insertion of ".." path elements and thus reading of files outside of the intended directory.
  • The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().
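The path defect described above (user input concatenated onto a base directory and never canonicalized) is easy to reproduce and easy to close. The following is an added illustration in Python, not Salt's code and not the vendor's fix: `unsafe_join` mirrors the pattern of the defect, `safe_join` resolves the candidate path and refuses anything that lands outside the base directory. The base directory and the token-like file names are constructed for the example.

```python
import os

# Added illustration of the defect pattern behind CVE-2020-11652 and one way
# to close it. Generic code, not Salt's implementation.


def unsafe_join(base_dir: str, user_part: str) -> str:
    """Mirrors the defect: the caller's input is appended to the base
    directory and used as-is, so ".." elements are honoured."""
    return os.path.join(base_dir, user_part)


def safe_join(base_dir: str, user_part: str) -> str:
    """Resolve the candidate path and refuse anything that leaves base_dir.

    realpath() collapses ".." and symlinks, so the containment check below
    sees the path the OS would actually open."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_part))
    # commonpath is the robust containment test; a plain string-prefix check
    # would accept /var/cache/salt-evil as being "inside" /var/cache/salt.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {user_part!r}")
    return candidate


def is_contained(base_dir: str, user_part: str) -> bool:
    """Convenience wrapper: True if user_part stays under base_dir."""
    try:
        safe_join(base_dir, user_part)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed base directory; the token name is a made-up sample.
    base = "/var/cache/salt/master/tokens"
    for token in ("3f9b0c", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{token!r:32} contained={is_contained(base, token)}")
```

Note that `os.path.join` discards the base entirely when the second argument is absolute, which is why `safe_join` also rejects `/etc/passwd`: canonicalize first, then check containment, never the other way round.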

More

Detection

FSECURE

  • Exploitation of the authentication vulnerabilities will result in the ASCII strings "_prep_auth_info" or "_send_pub" appearing in data sent to the request server port (default 4506). These strings should not appear in normal, benign, traffic.
  • Published messages to minions are called "jobs" and will be saved on the master (default path /var/cache/salt/master/jobs/).
  • These saved jobs can be audited for malicious content or job ids ("jids") that look out of the ordinary. Lack of suspicious jobs should not be interpreted as absence of exploitation however.
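The two FSECURE hints above (marker strings on the request port, odd-looking jids in the job cache) can be turned into a small audit script. The following is an added example, not part of the original gist and not an FSECURE tool: `find_markers` flags the two method names in a captured request payload, and `audit_job_cache` walks a job cache and reports jids that do not have Salt's default 20-digit timestamp form. It assumes that each job directory contains a file named `jid` holding the job id (as Salt's local_cache returner writes it) and that the master has not changed the jid format; the sample payloads and the throwaway job cache in `demo_audit` are constructed.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Added example, not from the gist: the advisory's detection hints as code.

# Marker strings named by FSECURE. They should never appear in benign
# traffic to the request server port (default 4506).
EXPLOIT_MARKERS = (b"_prep_auth_info", b"_send_pub")

# Assumption: jids use Salt's default form, a 20-digit timestamp
# YYYYMMDDhhmmssffffff. If your master uses another scheme, adjust this.
JID_PATTERN = re.compile(r"\d{20}")


def find_markers(payload: bytes) -> list:
    """Return the exploit marker strings present in a raw request payload."""
    return [m.decode() for m in EXPLOIT_MARKERS if m in payload]


def jid_is_well_formed(jid: str) -> bool:
    """True if jid is 20 digits that also parse as a real timestamp."""
    if not JID_PATTERN.fullmatch(jid):
        return False
    try:
        datetime.strptime(jid, "%Y%m%d%H%M%S%f")
    except ValueError:
        return False
    return True


def audit_job_cache(job_root) -> list:
    """Walk a job cache (default /var/cache/salt/master/jobs/) and return
    (path, jid) pairs whose jid looks out of the ordinary.

    Assumption: every job directory holds a file named 'jid' containing the
    job id, as Salt's local_cache returner writes it."""
    findings = []
    for jid_file in sorted(Path(job_root).rglob("jid")):
        jid = jid_file.read_text().strip()
        if not jid_is_well_formed(jid):
            findings.append((str(jid_file), jid))
    return findings


# Constructed msgpack-style byte strings standing in for captured requests.
SAMPLE_BENIGN = b"\x82\xa3cmd\xa5_auth\xa2id\xa7minion1"
SAMPLE_SUSPECT = b"\x82\xa3cmd\xaf_prep_auth_info\xa2id\xa0"


def demo_audit() -> list:
    """Build a throwaway job cache with one normal and two odd jids and
    return the jids the audit flags. Constructed data for the example."""
    root = Path(tempfile.mkdtemp(prefix="salt-jobs-"))
    samples = {
        "a1/good": "20200502093800123456",  # plausible timestamp jid
        "b2/odd": "15",                     # far too short
        "c3/fake": "99999999999999999999",  # 20 digits, but not a date
    }
    for rel, jid in samples.items():
        job_dir = root / rel
        job_dir.mkdir(parents=True)
        (job_dir / "jid").write_text(jid + "\n")
    return [jid for _, jid in audit_job_cache(root)]


if __name__ == "__main__":
    print("benign :", find_markers(SAMPLE_BENIGN))
    print("suspect:", find_markers(SAMPLE_SUSPECT))
    print("odd jids:", demo_audit())
```

A well-formed jid proves nothing on its own (a careful attacker can generate a plausible one), which is exactly the caveat in the last bullet above; treat the jid check as a cheap first pass and still read the job payloads for unexpected commands.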

SNORT

  • 2030071 - ET EXPLOIT Possible Saltstack Authentication Bypass CVE-2020-11651 M1 (exploit.rules)
  • 2030072 - ET EXPLOIT Possible SaltStack Authentication Bypass CVE-2020-11651 M2 (exploit.rules)

Script from rossengeorgiev

Mitigation

  • You can add IPTABLES restrictions on the interfaces the Saltstack server listens on (default ports: 4505 & 4506), if you know your minions' IPs
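One way to build that allowlist, as an added example that is not part of the gist: the script below takes the known minion addresses (single IPs or CIDR blocks, validated with the standard `ipaddress` module), and emits iptables commands that accept the publish (4505) and request (4506) ports only from those sources and drop everyone else. It returns the commands as text for review rather than applying them; the interface name `eth0` and the minion list are constructed placeholders.

```python
import ipaddress

# Added example, not from the gist: generate an iptables allowlist for the
# master's Salt ports from a list of known minion sources.

SALT_PORTS = (4505, 4506)  # publish server, request server


def is_valid_source(source: str) -> bool:
    """Accept a single address or a CIDR block, reject anything else."""
    try:
        ipaddress.ip_network(source, strict=False)
        return True
    except ValueError:
        return False


def salt_allowlist_rules(minion_sources, iface="eth0", ports=SALT_PORTS):
    """Return iptables commands that accept the Salt ports only from the
    given minion sources and drop every other client on that interface.

    Assumptions: iface is the interface the master listens on, and the
    rules are appended to an INPUT chain with no earlier catch-all ACCEPT
    for these ports (otherwise the DROP rule never sees the traffic)."""
    sources = []
    for src in minion_sources:
        if not is_valid_source(src):
            raise ValueError(f"not an IP address or network: {src!r}")
        sources.append(str(ipaddress.ip_network(src, strict=False)))

    rules = []
    for port in ports:
        for src in sources:
            rules.append(
                f"iptables -A INPUT -i {iface} -p tcp --dport {port} -s {src} -j ACCEPT"
            )
        # Explicit drop after the accepts so unknown clients cannot reach the port.
        rules.append(f"iptables -A INPUT -i {iface} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed minion inventory; replace with the real one.
    for line in salt_allowlist_rules(["10.0.0.5", "10.0.1.0/24"], iface="eth0"):
        print(line)
```

Review the output, then pipe it to a shell on the master. This limits who can reach the ports; it does not make the exposed methods safe, so it complements the patch rather than replacing it.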

Post-compromise

  • An interesting tool is published by Daniel Wozniak to regenerate your compromised keys
  • BEWARE: read the code carefully; some minions will be unable to reconnect if they are not connected during the process.

Sources:

FSECURE (Primary Source)

SaltStack

OpenSUSE

OpenBSD

DEBIAN

Huawei Cloud

OpenMediaVault (OMV)

Tencent

Cisco

NVD

Errors, typos, something to say?

  • Feel free to report any mistake directly below in the comments or by DM on Twitter @SwitHak