FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

salt -- multiple vulnerabilities in salt-master process

Affected packages
py27-salt < 2019.2.4
3000 <= py27-salt < 3000.2
py32-salt < 2019.2.4
3000 <= py32-salt < 3000.2
py33-salt < 2019.2.4
3000 <= py33-salt < 3000.2
py34-salt < 2019.2.4
3000 <= py34-salt < 3000.2
py35-salt < 2019.2.4
3000 <= py35-salt < 3000.2
py36-salt < 2019.2.4
3000 <= py36-salt < 3000.2
py37-salt < 2019.2.4
3000 <= py37-salt < 3000.2
py38-salt < 2019.2.4
3000 <= py38-salt < 3000.2

Details

VuXML ID 6bf55af9-973b-11ea-9f2c-38d547003487
Discovery 2020-04-30
Entry 2020-05-16

F-Secure reports:

CVE-2020-11651 - Authentication bypass vulnerabilities

The ClearFuncs class processes unauthenticated requests and unintentionally exposes the _send_pub() method, which can be used to queue messages directly on the master publish server. Such messages can be used to trigger minions to run arbitrary commands as root.

The ClearFuncs class also exposes the method _prep_auth_info(), which returns the "root key" used to authenticate commands from the local root user on the master server. This "root key" can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master.

CVE-2020-11652 - Directory traversal vulnerabilities

The wheel module contains commands used to read and write files under specific directory paths. The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction.

The get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing insertion of ".." path elements and thus reading of files outside of the intended directory. The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().

References

CVE Name CVE-2020-11651
CVE Name CVE-2020-11652
URL https://blog.f-secure.com/new-vulnerabilities-make-exposed-salt-hosts-easy-targets/
URL https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
URL https://labs.f-secure.com/advisories/saltstack-authorization-bypass
URL https://nvd.nist.gov/vuln/detail/CVE-2020-11651
URL https://nvd.nist.gov/vuln/detail/CVE-2020-11652
URL https://www.tenable.com/blog/cve-2020-11651-cve-2020-11652-critical-salt-framework-vulnerabilities-exploited-in-the-wild