New vulnerabilities make exposed Salt hosts easy targets
Helsinki, Finland – April 30, 2020: “Patch by Friday or compromised by Monday,” warns F-Secure Principal Consultant Olle Segerdahl. “That’s how I’d describe the dilemma facing admins who have their Salt master hosts exposed to the internet.”
Segerdahl's warning is a reference to new Salt vulnerabilities (CVE-2020-11651 and CVE-2020-11652) disclosed earlier today in an F-Secure Labs advisory. Salt is open-source software that organizations use to maintain data centers and cloud environments. It’s also part SaltStack’s infrastructure, network, and security automation solutions. SaltStack issued patches (versions 3000.2 and 2019.2.4) for the vulnerabilities yesterday.
Segerdahl and his team discovered the vulnerabilities during a regular client engagement and flagged them to SaltStack in mid-March. Attackers can exploit the vulnerabilities to bypass the authentication and authorization controls used to regulate access to Salt implementations (which consist of a “master” server and any number of “minion” agents that carry out tasks and collect data for the system). By exploiting these vulnerabilities, an attacker can execute code remotely with root privileges on the master, and consequentially, all the minions that connect to it.
Attackers could simply use the master and its minions (which could amount to hundreds of servers) to mine cryptocurrencies. But skilled attackers can engage in more high impact attacks. For example, they may start by installing backdoors to let them explore the network. Then, they can move to stealing confidential data, extortion (either through ransomware or threatening to leak sensitive information), or a variety of other attacks tailored to their specific target and objectives.
Vulnerabilities don’t get much worse. As F-Secure Chief Research Officer Mikko Hypponen tweeted earlier in the week, they were given a 10 in the Common Vulnerability Scoring System. That’s the highest severity rating possible. It’s only given out for vulnerabilities deemed critical by the National Vulnerability Database.
However, what’s really concerning Olle is the 6000 Salt masters he discovered on the internet while doing his research, which he says are very popular in cloud environments like AWS and GCP.
“I was expecting the number to be a lot lower. There’s not many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet,” says Segerdahl. “When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So if I were running one of these 6000 masters, I wouldn’t feel comfortable leaving work for the weekend knowing it’s a target.”
The vulnerabilities affect Salt version 3000.1 and earlier, which basically covers all Salt implementations in use before SaltStack’s update. And while attackers will have a more difficult time reaching hosts hidden from the internet, they can still exploit them by accessing corporate networks in other ways first.Segerdahl recommends organizations use SaltStack’s auto-update capabilities to make sure they receive this and future patches as quickly as possible. He also suggests companies with exposed Salt hosts use additional controls to restrict access to Salt master ports (4505 and 4506 on default configurations), or at least block the hosts off from the open internet. SaltStack has additional guidance on hardening Salt implementations on their websiteOn a positive note, F-Secure has no evidence or reports of anyone exploiting these vulnerabilities in real attacks.
Furthermore, it’s possible for organizations to detect attacks exploiting these vulnerabilities.
While F-Secure has found no reliable log entries that indicate the attacks Olle researched, concerned organizations can search the master host systems for signs of an intrusion. The Salt master keeps records of scheduled jobs which defenders can search for signs of malicious content or suspicious activity.
More advice on detecting current or previous intrusions using these vulnerabilities, as well as technical details on the vulnerabilities themselves, is available in F-Secure Labs’ advisory.
Head of F-Secure Global Corporate Communications
+49 176 70036664
Nobody has better visibility into real-life cyber attacks than F-Secure. We’re closing the gap between detection and response, utilizing the unmatched threat intelligence of hundreds of our industry’s best technical consultants, millions of devices running our award-winning software, and ceaseless innovations in artificial intelligence. Top banks, airlines, and enterprises trust our commitment to beating the world’s most potent threats. Together with our network of the top channel partners and over 200 service providers, we’re on a mission to make sure everyone has the enterprise-grade cyber security we all need.
Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.