Does your organization use the SaltStack “Salt” framework to configure and manage your servers? If so, now is the time to make sure that none of your Salt master servers are exposed to the public Internet and that all servers are updated with the latest patches.
On April 30, security researchers at F-Secure disclosed two new vulnerabilities they discovered in SaltStack. Within the Salt framework, each server has an installed agent, known as a “minion,” that connects back to a “master” Salt server that collects information from each minion. Master servers can also push messages to change configuration settings or execute commands across multiple minion systems asynchronously.
CVE-2020-11651 allows attackers to bypass authentication, and CVE-2020-11652 allows directory traversal and access to the entire file system of the master server. Ultimately, these vulnerabilities allow attackers to achieve full remote command execution on both the Salt master server and the minions connected to it.
Unfortunately, these vulnerabilities are easy for an attacker to exploit if the Salt master server is exposed. Expanse recommends that Salt servers never be exposed to the public Internet, as bad actors can scan the entire Internet for every exposed Salt server (or any other exposed port/protocol pair) in under an hour. While F-Secure did not release a Proof-of-Concept (PoC) exploit, others quickly did on GitHub. Algolia, Xen-Orchestra.com, LineageOS, and others have already been the victims of successful attacks.
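One way to check a master's own configuration against that recommendation is shown below. This is an added example, not Expanse or SaltStack code. It assumes a flat `key: value` master config and Salt's default values for `interface`, `publish_port` and `ret_port`; the function names and sample configs are constructed for illustration.

```python
import ipaddress

# Salt master defaults for the settings that decide where it listens.
DEFAULTS = {"interface": "0.0.0.0", "publish_port": "4505", "ret_port": "4506"}

# Constructed sample configs (not taken from any real host).
SAMPLE_DEFAULT = "#interface: 0.0.0.0\nworker_threads: 5\n"
SAMPLE_INTERNAL = "interface: 10.0.0.5  # mgmt VLAN\npublish_port: 4505\nret_port: 4506\n"

def parse_master_config(text):
    """Read the top-level `key: value` pairs we care about (flat YAML subset)."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        if not line or line[0] in " \t#":  # blank, nested, or commented out
            continue
        key, sep, value = line.partition(":")
        value = value.split(" #", 1)[0].strip().strip("'\"")
        if sep and key.strip() in DEFAULTS and value:
            settings[key.strip()] = value
    return settings

def classify_bind(interface):
    """Classify the listen address: all-interfaces, loopback, private, public, unknown."""
    try:
        addr = ipaddress.ip_address(interface)
    except ValueError:
        return "unknown"
    if addr.is_unspecified:
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private or addr.is_link_local:
        return "private"
    return "public"

def audit(text):
    """Summarise where the master listens and whether that needs a closer look."""
    s = parse_master_config(text)
    scope = classify_bind(s["interface"])
    return {
        "interface": s["interface"],
        "ports": (int(s["publish_port"]), int(s["ret_port"])),
        "scope": scope,
        # Listening on every interface is only safe if a firewall blocks both ports.
        "needs_review": scope in ("all-interfaces", "public", "unknown"),
    }

if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT), ("internal", SAMPLE_INTERNAL)):
        print(name, audit(cfg))
```

A `needs_review` result means the host's firewall and cloud security-group rules for both ports should be checked, since the config alone cannot show what is reachable from outside.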
Expanse has now made it easy for customers to verify that all of their Salt servers are locked down by adding SaltStack as an exposure type within Expander. Customers can easily go into their Expander instance to find any Salt servers that are publicly accessible and then take steps to remove those assets from the Internet and update them with the latest patches (see the SaltStack advisory on patching). Exposed Salt servers are rare — Expanse found these servers exposed among just 6.5% of our customers. But due to the seriousness of the vulnerabilities, Expanse added Salt server detection to Expander in less than a month following the disclosure of the new vulnerabilities.
If you are a current customer, please reach out to your Engagement Manager to discuss how we can help you identify and secure any exposed Salt servers. And if you’re not a customer, we’re still here to help! Reach out to set up a demo today.