Critical salt-master vulnerability


Today we got a new customer. He asked us to review why his server was slow. There was a strange process named “salt-minion” which was not part of the salt-minion that was installed on the customer’s server. It also wasn’t part of the server software or the customer’s software. So it was killed, the Salt software was upgraded, and a full-system malware scan was started.

How to identify it:

It starts processes named “salt-minion” or “salt-store”. It also creates 2 files, salt-minions and salt-store, in both /tmp and /var/tmp: “/tmp/salt-minions”, “/var/tmp/salt-minions”, “/tmp/salt-store” and “/var/tmp/salt-store”.

How to stop it:

# stop the legitimate minion first, so the pgrep below only matches the rogue process
service salt-minion stop
rm -rf /var/tmp/salt-store
rm -rf /var/tmp/salt-minions
rm -rf /tmp/salt-store
rm -rf /tmp/salt-minions
# -r: don't run kill with an empty argument list when nothing matches
pgrep salt-minion | xargs -r kill -9
pgrep salt-store | xargs -r kill -9

What we know about this Salt vulnerability:

The vulnerabilities allow a remote attacker who connects to the request server to bypass all authentication mechanisms, publish arbitrary control messages, and read and write files anywhere on the master file system.

Attackers can steal the secret keys and authenticate as the master user, resulting in the “execution of any command remotely as root on both the master and all minions that connect to it.”

CVEs related to this issue:

CVE-2020-11651 – Resides in the ClearFuncs class, which does not properly validate method calls, allowing attackers to retrieve user tokens.

CVE-2020-11652 – ClearFuncs exposes some methods without proper sanitization, which allows arbitrary directory access to authenticated users.

Patches are already available and you can get them by the link.

In conclusion, I want to say only one thing: don’t keep the port open to the world, and keep your software up to date.
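As an added example (not from the original post), this POSIX shell script turns the indicators above into a repeatable check: it looks for the dropped files, for salt-store processes and for salt-minion processes running from /tmp or /var/tmp (my assumption: a packaged minion is installed under /usr, not a temp dir), and reports whether the master's 4505/4506 ports are bound to a wildcard address. The port numbers are Salt's standard publish/request ports and are not mentioned in the post; the file-check root argument and the ss-parsing helper are my additions.

```shell
#!/bin/sh
# Added example: audit a host for the salt-store / salt-minions miner indicators
# named in the post above, and for salt-master ports bound to every interface.

# Indicator files named in the post.
IOC_FILES="/tmp/salt-minions /var/tmp/salt-minions /tmp/salt-store /var/tmp/salt-store"

# Print each indicator file found under root dir $1 (default "/"), then "files:N".
# The root argument exists so the check can be run against a test tree.
find_ioc_files() {
    root="${1:-}"; n=0
    for f in $IOC_FILES; do
        if [ -e "$root$f" ]; then echo "IOC file: $root$f"; n=$((n + 1)); fi
    done
    echo "files:$n"
}

# Print suspicious PIDs, then "procs:N": any process named salt-store, plus
# any salt-minion process whose binary lives in /tmp or /var/tmp (heuristic
# assumption: a packaged minion is installed under /usr, not a temp dir).
find_ioc_procs() {
    n=0
    for pid in $(pgrep -x salt-store 2>/dev/null); do
        echo "IOC process: salt-store pid $pid"; n=$((n + 1))
    done
    for pid in $(pgrep -x salt-minion 2>/dev/null); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || true)
        case "$exe" in
            /tmp/*|/var/tmp/*) echo "IOC process: salt-minion pid $pid runs from $exe"; n=$((n + 1)) ;;
        esac
    done
    echo "procs:$n"
}

# Read `ss -ltn` output on stdin and print each Salt master port (4505 publish,
# 4506 request) bound to a wildcard address, i.e. reachable from every
# interface unless a firewall in front of the host blocks it.
exposed_salt_ports() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if ((port == "4505" || port == "4506") &&
            (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::"))
            print port
    }'
}

# `sh salt-ioc-check.sh audit` runs all three checks against the live host.
if [ "${1:-}" = "audit" ]; then
    find_ioc_files; find_ioc_procs; ss -ltn 2>/dev/null | exposed_salt_ports
fi
```

A port reported by exposed_salt_ports is only a problem if nothing in front of the master (host firewall, security group) restricts it to the minions' addresses, which is the point of the post's closing advice.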

You can find more salt manuals

You can find more vulnerabilities by link

Viva La Linux!
