Dangerous vulnerabilities in SaltStack configuration management system

The new releases 3002.5, 3001.6 and 3000.8 of the centralized configuration management system SaltStack fix a vulnerability (CVE-2020-28243) that allows an unprivileged local user on a host to escalate their privileges on the system. The problem is caused by an error in the salt-minion handler used to receive commands from the central server … The vulnerability was discovered in November but has only now been fixed.

During the “restartcheck” operation, arbitrary commands can be injected by manipulating a process name. Specifically, the check for whether a package is installed was performed by launching the package manager with an argument derived from the process name. The package manager is launched via the popen function in shell mode, but without escaping special characters, so a process name containing symbols such as “;” or “|” causes the attacker's own code to be executed.
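To make the defect concrete, here is an added example (not Salt's code and not its actual patch) contrasting the vulnerable pattern, where a process name is pasted into a shell string for popen with shell=True, with a hardened form that validates the name and passes it as a single argv element without a shell. The package-manager command (dpkg-query -W) and the allowed-character policy are assumptions for illustration.

```python
import re
import subprocess
from typing import List

# Constructed sample names: one legitimate, one carrying a shell metacharacter.
SAMPLE_NAMES = ["nginx", "nginx; echo injected"]

# Assumed policy: only characters that occur in real package/process names.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+._-]*$")

# Characters a shell interprets as command separators or expansions.
_SHELL_METACHARS = set(";|&$`\n<>()")


def build_query_shell_string(process_name: str) -> str:
    """Mirror of the vulnerable pattern: the name is concatenated into a shell
    string that would be handed to popen(..., shell=True) with no escaping, so
    any metacharacter in the name becomes part of the command the shell parses."""
    return "dpkg-query -W " + process_name


def has_shell_metachars(process_name: str) -> bool:
    """Detection helper: flag names that would change the shell's parse."""
    return any(c in _SHELL_METACHARS for c in process_name)


def build_query_argv(process_name: str) -> List[str]:
    """Hardened form: fail closed on unexpected characters, then return an argv
    list in which the name is exactly one argument. Nothing here is shell-parsed."""
    if not _SAFE_NAME.match(process_name):
        raise ValueError(f"refusing package query for suspicious name: {process_name!r}")
    return ["dpkg-query", "-W", process_name]


def query_package(process_name: str) -> subprocess.CompletedProcess:
    """Run the hardened query. shell=False means argv reaches execve unchanged."""
    return subprocess.run(build_query_argv(process_name),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print("shell string :", build_query_shell_string(name),
              "(metacharacters present)" if has_shell_metachars(name) else "")
        try:
            print("argv         :", build_query_argv(name))
        except ValueError as exc:
            print("rejected     :", exc)
```

In the vulnerable string the injected “;” is handed to the shell verbatim, whereas the hardened path rejects the name before any process is started.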

In addition to the issue noted above, nine other vulnerabilities have been fixed in SaltStack 3002.5:

  • CVE-2021-25281 – due to missing authorization checks, a remote attacker can run any wheel module on the managing master server through a SaltAPI call and compromise the entire infrastructure.
  • CVE-2021-3197 – a problem in the SSH module for minions that allows arbitrary shell commands to be executed by injecting an argument into the “ProxyCommand” setting or by passing ssh_options via the API.
  • CVE-2021-25282 – unauthorized access to wheel_async allows SaltAPI to be used to overwrite a file outside the base directory and execute arbitrary code on the system.
  • CVE-2021-25283 – a directory traversal in the wheel.pillar_roots.write handler in SaltAPI allows a custom template to be added to the Jinja renderer.
  • CVE-2021-25284 – passwords set via webutils were written in clear text to the log file /var/log/salt/minion.
  • CVE-2021-3148 – command injection via the SaltAPI call salt.utils.thin.gen_thin().
  • CVE-2020-35662 – no SSL certificate validation in the default configuration.
  • CVE-2021-3144 – eauth authentication tokens could still be used after their expiration.
  • CVE-2020-28972 – the server’s SSL/TLS certificate was not verified in the code, allowing MITM attacks.
/Media reports.