Attackers Exploit Two Vulnerabilities in SaltStack to Publish Arbitrary Control Messages and Much More
CISA has sent warnings to the users regarding two critical vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework that has been actively exploited by cybercriminals, leaving around thousands of cloud servers across the globe exposed to the threat.
The vulnerabilities that are easy to exploit are of high-severity and researchers have labeled them as particularly ‘dangerous’. It allows attackers to execute code remotely with root privileges on Salt master repositories to carry out a number of commands.
Salt is employed for the configuration, management, and monitoring of servers in cloud environments and data centers. It provides the power of automation as it scans IT systems to find vulnerabilities and then brings automation workflows to remediate them. It gathers real-time data about the state of all the aspects and it employs effective machine learning and industry expertise to examine threats more precisely. In a way, it is used to check installed package versions on all IT systems, look out for vulnerabilities, and then remediate them by installing fixes.
The two vulnerabilities, the first one called CVE-2020-11651 is an authentication bypass flaw and the other one CVE-2020-11652 is a directory transversal flaw, as per the discovery made by F-Secure researchers. The attackers can bypass all authentication and authorization controls by exploiting the vulnerabilities that would allow them to easily connect to the request server. Once the authentication is bypassed, attackers can post arbitrary control messages and make changes in the master server file system. All Salt versions prior to 2019.2.4 and 3000.2 are affected by the vulnerabilities.
Xen Orchestra, an effective all in one user-friendly web-based management service became the latest victim of cybercriminals involved in the exploitation of the two high-severity vulnerabilities in Salt. The attackers ran a cryptominer on the firm’s virtual machines (VMs), it has been noticed by the company on the 3rd of May as various services on their infrastructure became inaccessible.
While commenting on the matter, Olivier Lambert, Xen Orchestra’s founder, said, “A coin mining script ran on some of our VMs, and we were lucky nothing bad happened to us – no RPMs affected and no evidence that private customer data, passwords or other information have been compromised. GPG signing keys were not on any affected VMs. We don’t store any credit card information nor plain text credentials. Lesson learned…”
“In short, we were caught in a storm affecting a lot of people. We all have something in common: we underestimated the risk of having the Salt master accessible from outside,” he added. “Luckily, the initial attack payload was really dumb and not dangerous. We are aware it might have been far more dangerous and we take it seriously as a big warning. The malware world is evolving really fast: having an auto-update for our management software wasn’t enough.”
“If you are running SaltStack in your own infrastructure, please be very careful. Newer payloads could be far more dangerous,” warned Lambert.