Today we have a new customer. He asked us to look into why his server was slow. There was a strange process named “salt-minion” which was not part of the salt-minion package installed on the customer's server, and was not part of the server software or the customer's own software either. So it was killed, the Salt software was upgraded, and a full-system malware scan was started.
How to recognise it:
It starts processes named “salt-minion” or “salt-store”. It also creates files under two names in each of /tmp and /var/tmp: “/tmp/salt-minions”, “/var/tmp/salt-minions”, “/tmp/salt-store” and “/var/tmp/salt-store”.
How to stop it:
service salt-minion stop
rm -rf /var/tmp/salt-store
rm -rf /var/tmp/salt-minions
rm -rf /tmp/salt-store
rm -rf /tmp/salt-minions
pgrep salt-minion | xargs kill -9
pgrep salt-store | xargs kill -9
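As an added example (not code from the original post), a POSIX sh script that checks a host for the file and process indicators listed above. The paths and process names come from the post; treating /usr and /opt as the expected location of the packaged salt-minion, and using /proc/<pid>/exe to tell a dropped binary apart from it, are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check a host for the indicators
# described above. Indicator paths and process names are those named in the post;
# the /proc/<pid>/exe check and the /usr, /opt "expected install" prefixes are assumptions.

# Files the miner drops, as listed in the post.
IOC_PATHS="/tmp/salt-minions /var/tmp/salt-minions /tmp/salt-store /var/tmp/salt-store"

# check_ioc_files "<space-separated paths>": print every path that exists.
# Returns 0 when none of them exists, 1 when at least one does.
check_ioc_files() {
    found=0
    for p in $1; do
        if [ -e "$p" ]; then
            echo "indicator file present: $p"
            found=1
        fi
    done
    return $found
}

# check_ioc_processes: look for running processes whose name matches the dropped
# binaries. A process is treated as suspicious when its executable (via /proc/<pid>/exe)
# does not live under an expected install prefix. Returns 0 when clean, 1 otherwise.
check_ioc_processes() {
    suspicious=0
    for name in salt-minion salt-minions salt-store; do
        for pid in $(pgrep -x "$name" 2>/dev/null); do
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)
            case "$exe" in
                /usr/*|/opt/*) ;;   # assumed location of the packaged salt-minion
                *) echo "suspicious process: name=$name pid=$pid exe=$exe"; suspicious=1 ;;
            esac
        done
    done
    return $suspicious
}

# Run the live scan only when invoked with --scan, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    status=0
    check_ioc_files "$IOC_PATHS" || status=1
    check_ioc_processes || status=1
    if [ "$status" -eq 0 ]; then echo "no indicators found"; fi
    exit "$status"
fi
```

Run it as root with --scan on the live host; a non-zero exit code means at least one indicator was found.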
What we know about this Salt vulnerability:
The vulnerabilities allow a remote attacker who connects to the request server to bypass all authentication mechanisms, publish arbitrary control messages, and read and write files anywhere on the master file system.
Attackers can steal the secret keys and authenticate as a master user. The result is the “execution of any command remotely as root on both the master and all minions that connect to it.”
CVEs related to this issue:
CVE-2020-11651 – resides in the ClearFuncs class, which does not properly validate method calls; this allows attackers to retrieve user tokens.
CVE-2020-11652 – ClearFuncs allows access to some methods due to improper sanitization; this allows arbitrary directory access to authenticated users.
Patches are already available; you can get them via this link: https://community.saltstack.com/blog/active-saltstack-cve-critical-updates/
In conclusion, I want to say only one thing: don't keep the port open to the world, and keep your software up to date.
You can find more Salt manuals at https://linuxnotes.org/category/salt-manuals/
You can find more vulnerabilities at https://linuxnotes.org/category/vulnerabilities/
Viva La Linux!