Critical Security Bugs Discovered In Salt Framework By SaltStack

Researchers discovered numerous critical security bugs in the SaltStack Salt framework, a configuration tool for cloud servers and data centers. These bugs, when exploited, could allow remote code execution.

SaltStack Salt Framework Bugs

Reportedly, security researchers from F-Secure Labs have found numerous security bugs affecting the SaltStack Salt framework.

Salt is a dedicated open-source configuration tool from SaltStack for configuring cloud servers and data centers. The tool seamlessly manages and updates thousands of servers with automation. As described on GitHub,

Salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Briefly, the researchers caught two different types of security bugs in the Salt framework. These include CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal due to improper sanitization of untrusted input.

Upon exploitation, these bugs could allow an attacker to remotely execute arbitrary code on the target systems.

Patches Rolled Out

Upon finding the bugs, F-Secure Labs researchers reached out to SaltStack to inform them of the flaws. Following their report, the vendor patched the vulnerabilities with Salt release 3000.2. A patch for the previous release is also available as version 2019.2.4.

While the patches are available, the researchers have urged all Salt users to update to the latest version of the framework as soon as possible. They also advise configuring installs to update automatically.
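To see which hosts still need the update, the fixed releases named above can be checked against an inventory. The Python below is an added example, not code from F-Secure, SaltStack or this article. The inventory format, host names and status labels are constructed, and it assumes that releases later than 3000.2 carry the fix and that branches older than 2019.2 have no fixed release.

```python
import re

# Fixed releases named in the article.
FIXED_3000 = (3000, 2)
FIXED_2019_2 = (2019, 2, 4)

# A four-digit major followed by optional dotted parts, e.g. "2019.2.3" or "3000".
_VERSION_RE = re.compile(r"(?<![\d.])(\d{4}(?!\d)(?:\.\d+)*)")

# Constructed sample: "<host> <version output>" per line, not real data.
SAMPLE_INVENTORY = """\
host-a  salt 3000.2
host-b  salt 3000.1
host-c  salt 2019.2.4 (Fluorine)
host-d  salt 2019.2.0 (Fluorine)
host-e  salt 2018.3.4 (Oxygen)
host-f  command not found
"""

def parse_salt_version(text):
    """Return the first Salt-style version in `text` as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version):
    """Map a parsed version to 'patched', 'needs-update' or 'unknown'."""
    if version is None:
        return "unknown"
    if version[0] >= 3000:
        # "3000" alone means 3000.0, which predates the 3000.2 fix.
        padded = (version + (0,))[:2]
        return "patched" if padded >= FIXED_3000 else "needs-update"
    if version[:2] == (2019, 2):
        padded = (version + (0,))[:3]
        return "patched" if padded >= FIXED_2019_2 else "needs-update"
    # Assumption: older branches have no fixed release, so they must move up.
    return "needs-update"

def audit(inventory):
    """Return {host: status} for every non-empty inventory line."""
    results = {}
    for line in inventory.splitlines():
        parts = line.split(None, 1)
        if parts:
            rest = parts[1] if len(parts) > 1 else ""
            results[parts[0]] = classify(parse_salt_version(rest))
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown returned no parseable version and need a manual check.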

For now, due to the critical nature and ease of exploitation of the bugs, the researchers have not shared any proof of concept.

We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours. Due to reliability and simplicity of exploitation, F-Secure will not be providing proof-of-concept exploit code as this would only harm any users who are slow to patch

However, some details about the vulnerabilities are available in the researchers’ post.
