Salt CVE Critical Updates - 2020-APR-21

Thank you all for your continued support, collaboration and camaraderie as we work together to address these critical CVEs (CVE-2020-11651 and CVE-2020-11652) and ensure your Salt environments are secure. Our combined efforts to get all Salt users patched quickly are making a difference.

This communication provides clarity on a number of key updates. Please take note and act quickly.

We have created and made patches available for a number of Salt releases. Some patches are specific to a single Salt version and, as noted below, some cover multiple versions. To ensure the patch is effective, verify which version you have installed before installing any patch.

For extreme clarity, patches are available for the following Salt releases:

  • 2015.8.10
  • 2016.3.x (patch for all versions of 2016.3)
  • 2016.11.0
  • 2016.11.1
  • 2016.11.2
  • 2016.11.3
  • 2016.11.4
  • 2016.11.5plus (patches 2016.11.5, and newer i.e. 2016.11.6 / 2016.11.7 / 2016.11.8 / 2016.11.9 / 2016.11.10)
  • 2017.7.1
  • 2017.7.3
  • 2017.7.4
  • 2017.7.5-plus (patches 2017.7.5 / 2017.7.6 / 2017.7.7 and 2017.7.8)
  • 2018.3.x (patch for all versions of 2018.3)
  • 2019.2.4
  • 3000.2
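
One way to check an installed version against the list above, as an added example (not SaltStack's code). It assumes the version string has the shape printed by `salt --version`, and the function names are hypothetical. A version that falls in a gap of the list, such as 2017.7.2, returns `None`.

```python
import re

# Entries copied from the advisory's list; nothing else is treated as covered.
EXACT = {
    "2015.8.10", "2016.11.0", "2016.11.1", "2016.11.2", "2016.11.3",
    "2016.11.4", "2017.7.1", "2017.7.3", "2017.7.4", "2019.2.4", "3000.2",
}
WHOLE_BRANCH = {"2016.3": "2016.3.x", "2018.3": "2018.3.x"}
# "plus" entries: branch -> (first point release, last one the list names, entry)
PLUS = {"2016.11": (5, 10, "2016.11.5plus"), "2017.7": (5, 8, "2017.7.5-plus")}

VERSION_RE = re.compile(r"(?<![\d.])(\d{4})\.(\d+)(?:\.(\d+))?(?![\d.])")


def parse_version(text):
    """Return (branch, point) from a version string, or None if none is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, second, third = m.group(1), int(m.group(2)), m.group(3)
    if third is None:
        # Two-part numbering such as 3000.2: branch "3000", point release 2.
        return major, second
    return f"{major}.{second}", int(third)


def advisory_entry(text):
    """Map an installed version to the advisory list entry that covers it."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    branch, point = parsed
    if branch in WHOLE_BRANCH:
        return WHOLE_BRANCH[branch]
    if branch in PLUS:
        first, last, entry = PLUS[branch]
        if first <= point <= last:
            return entry
    exact = f"{branch}.{point}"
    return exact if exact in EXACT else None


if __name__ == "__main__":
    # Constructed sample lines in the shape of `salt --version` output.
    for line in ("salt 2017.7.8 (Nitrogen)", "salt 2017.7.2 (Nitrogen)", "salt 3000.2"):
        print(line, "->", advisory_entry(line) or "not in the advisory's list")
```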

To receive the patches for versions prior to 2019.2.4, please complete this request form: https://www.saltstack.com/lp/request-patch-april-2020/ Tracking these requests helps ensure that those who are running older versions of Salt receive adequate support and attention.

Following the release of these patches, we identified two issues. Both have been addressed, and the fixes will be available in new RPM packages and additional patches. The original patches did their job: they secured your infrastructure against arbitrary commands running on Salt minions and eliminated the vulnerability. Resolving these additional issues adds a further level of proofing. Considering collective feedback from the Salt community, we deem these two issues important and will address them via new updates.

How will we make these new updates available?

We have decided to proceed with release packages for 2019.2.5 and 3000.3 that contain fixes to these new issues. The packages will be available Wednesday, May 13, or potentially sooner. The packages will resolve the following issues:

Note: These two new issues (57027 and 57016) have already been addressed in the 2018.x patches. If you are on 2018.x you do not need to take any further action.

Note: If you are running versions 2015.x, 2016.x or 2017.x we have made an additional patch available immediately. To access this additional patch file, please complete this request form: https://www.saltstack.com/lp/request-patch-april-2020/

What about Docker?

We can confirm the Docker images have also been updated and can be found on Docker Hub, as usual.

https://hub.docker.com/repository/docker/saltstack/salt

Proof of Concept repos

There is an important discussion in the Salt community about the CVE Proof of Concept repositories. We are aware of these POC repos. In order to minimize malicious exploits and give our community and customers time to patch their Salt installations, we have requested that those repositories remain private until May 15. We cannot enforce this request but continue to discuss and make the request with POC authors.

We understand this is a topic on which opinion is split, and has been for some time, among ethical hackers and security professionals. We maintain that while seasoned developers view the exploitation as simple to understand/replicate, the risk of propagating knowledge to hackers outweighs the benefit. We thank those who have kindly agreed to delay and understood the importance of minimizing exploits.

Per requests from multiple clients and users we have made an opt-in patch validation service available via this link. Once requested, users will receive a script that they can run locally to perform the validation. If requested, we will also perform a controlled intrusion test that offers additional feedback and assurance to those who ask for and need it.

Communications

On the topic of communications, we have been sending notifications about this CVE over key channels including Slack, IRC, Google Groups mailing lists and our weekly Salt Open Hours. We underestimated the value of social media channels like Twitter and LinkedIn to help get the word out, and have since updated those channels to keep our customers and community abreast of the CVE situation.

We have learned some key lessons from this experience and plan to improve our communication. Specifically:

  • Create an opt-in, quarterly maintained mailing list that is only focused on critical announcements and includes no marketing materials
  • Turn up the volume on critical Salt dev topics (e.g. CVEs) on our social media channels
  • Update our release process to further enable transparency on key milestones and key requirements for delivering quality software
  • Make it easier to find critical reference documents (e.g. What releases are supported?)

The exploits are evolving rapidly. There is a sequence of actions and best practices all Salt users must take immediately to avoid exploitation:

  1. Stop Salt
  2. Remove Salt from open ports
  3. Apply Salt environment hardening best practices such as adding a firewall, applying patches in a timely manner, looking for malicious activities, and rotating keys.

Additional insights on rotating keys can be found by clicking here. Please also visit saltexploit.com, where you will find the latest analysis, hints and tips on the exploits. Sincere thanks to community member Tai Groot for his incredible efforts in making that resource possible.

Please continue to monitor key communication channels to stay abreast and informed about the latest developments.

Finally, since the patches were released, the team has received several FAQs and prepared a technical guide to address these questions. Please click here to access the guide.

If you need help or have any questions, please contact us at saltproject-security.pdl@broadcom.com.

Gratitude

Our sincere thanks to our amazing community for coming together to work through this situation. Special shout-out to those who lent their time and expertise to help their peers get access to needed tips and information to update and resolve these issues. Once we are past the moment, we will not miss a chance to publicly applaud all those who made an incredible difference.

Thank you for your trust and support!

Your Salt Core Team