April 30, 2020, updated 11 Jul 2022 6:35am

Critical Vulnerability in Data Centre Configuration Tool Gives “Full Remote Command Execution as Root”

Full remote command execution as root

By CBR Staff Writer

Two critical vulnerabilities in the software of the open source Salt project have been awarded the highest possible CVSS score of 10 — with security company F-Secure today warning that “we expect that any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours.”

The “Salt” management framework by the company SaltStack is widely used as a configuration tool to manage servers in data centres, including in cloud environments. The vulnerabilities, in Salt master versions 3001 and earlier, were patched yesterday by SaltStack, but F-Secure has warned that over 6,000 instances of this service are exposed to the public Internet and likely not configured to automatically update the salt software packages.

Salt Vulnerability: What’s Happened?

The vulnerabilities described in this advisory allow an attacker who can connect to the “request server” port to bypass all authentication and authorisation controls, ultimately gaining full remote command execution as root.

The vulnerabilities have been allocated CVE-2020-11651 and CVE-2020-11652.

One is an authentication bypass where functionality was unintentionally exposed to unauthenticated network clients. The other is a directory traversal where untrusted input (i.e. parameters in network requests) was not sanitised correctly, allowing access to the entire filesystem of the master server.

Patches are available for both the latest release and the previous major release, the latter with version number 2019.2.4.

F-Secure said: “Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults)… or at least block the wider Internet, would also be prudent as the authentication and authorisation controls provided by Salt are not currently robust enough to be exposed to hostile networks.”

Salt’s guidance already recommends that Salt masters are not connected to the public internet. 6,000 sysadmins have not paid attention or needed that access for whatever reason.
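
As an added example (not from F-Secure, SaltStack or the original article), the following Python sketch shows one way to check a Salt master host for the exposure described above: it parses `ss -H -ltn` output and reports listeners on the default ports 4505 and 4506 that are not bound to loopback only. The sample output, addresses and function names are constructed for illustration.

```python
import ipaddress

SALT_MASTER_PORTS = {4505, 4506}  # default ports named in the article

# Constructed sample of `ss -H -ltn` output (not from a real host)
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4506 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4506 0.0.0.0:*
LISTEN 0 128 10.0.5.12:4505 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:4506 *:*
"""


def classify_bind(addr):
    """Return 'all-interfaces', 'loopback' or 'specific' for a bind address."""
    addr = addr.split("%", 1)[0].strip("[]")  # drop %iface suffix and IPv6 brackets
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific"


def exposed_salt_listeners(ss_output):
    """Return (bind_address, port, scope) for Salt master ports reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # local address:port column
        if not port.isdigit() or int(port) not in SALT_MASTER_PORTS:
            continue
        scope = classify_bind(host)
        if scope != "loopback":
            findings.append((host, int(port), scope))
    return findings


if __name__ == "__main__":
    for host, port, scope in exposed_salt_listeners(SAMPLE_SS_OUTPUT):
        print(f"salt-master port {port} listening on {host} ({scope}): "
              "confirm a firewall limits this port to minion networks")
```

A reported listener is not in itself a finding of Internet exposure; it marks a socket whose reachability depends entirely on the firewall or security-group rules in front of it.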


F-Secure said it is not releasing a proof-of-concept in order to reduce risk for those slow to patch. The company added: “We will leave exploitation as an exercise for the reader.”

