Active Salt CVE Release 2021-FEB-25

The Salt Project has released a security update to address 10 vulnerabilities with severity rating Medium to High. We strongly recommend prioritizing this update.

This is a security release. In the recent past, we have gone above and beyond our lifecycle policy in good faith to fix critical issues in versions no longer supported. Going forward, this will be the exception and not standard practice. We will follow our stated lifecycle policy found on the Salt Project Lifecycle Support page.

The following CVEs were fixed as part of this release:

CVE Details

NOTE: The CVSS ratings listed below use Access Complexity “High” in case the issue cannot be exploited in a default configuration. See the CVSS Calculator for more information.

CVE-2021-3197

  • Impact: Affects the Salt-API when the SSH module is installed and running on the minion. This module is not running by default.
  • Description: The Salt-API’s SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
  • Solution: Filters out ProxyCommand from arguments passed via the CLI or netapi
  • How to Mitigate: Update to the latest Salt release, package or patch file
  • Attribution: Reported by Daniel Jensen - @dozernz
  • Severity Rating: 7.0 High
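A defensive filter of the kind the fix describes, added here as an illustration and not taken from Salt's code: it drops any ssh option whose keyword is ProxyCommand in the forms OpenSSH accepts (Key=value, Key value, -oKey=value, -o Key=value, and a separate -o element), matching keywords case-insensitively as ssh_config does. The function names are assumptions.

```python
import re

# ssh_config keywords are case-insensitive, so compare lowercased keys.
BLOCKED_SSH_KEYS = {"proxycommand"}

# Matches "Key=value", "Key value", "-oKey=value" and "-o Key=value".
_OPT_RE = re.compile(r"^\s*(?:-o\s*)?([A-Za-z]+)\s*(?:=|\s)")


def option_key(opt):
    """Return the lowercased ssh option keyword in opt, or None."""
    m = _OPT_RE.match(opt)
    return m.group(1).lower() if m else None


def sanitize_ssh_options(options):
    """Drop every option whose keyword is blocked; keep everything else.

    A bare "-o" element is judged together with the element that follows it,
    so "-o", "ProxyCommand=..." is removed as a pair.
    """
    kept = []
    i = 0
    while i < len(options):
        opt = options[i]
        nxt = options[i + 1] if i + 1 < len(options) else None
        if opt.strip() == "-o" and nxt is not None:
            if option_key(nxt) not in BLOCKED_SSH_KEYS:
                kept.extend([opt, nxt])
            i += 2
            continue
        if option_key(opt) not in BLOCKED_SSH_KEYS:
            kept.append(opt)
        i += 1
    return kept
```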

CVE-2021-25281

  • Impact: The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
  • Description: The Salt-API does not enforce eAuth credentials for the wheel_async client
  • Solution: Honor (enforce) eauth credentials for wheel_async calls
  • How to Mitigate: Update to the latest Salt release, package or patch file
  • Attribution: 1mperio@Tencent Yunding Security Lab and Daniel Jensen @dozernz
  • Severity Rating: 8.1 High

CVE-2021-25282

  • Impact: Unauthorized access to wheel_async through salt-api can execute arbitrary code or commands.
  • Description: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
  • Solution: Fix directory traversal in wheel.pillar_roots.write
  • How to Mitigate: Update to the latest Salt release, packages or patch file
  • Attribution: 1mperio@Tencent Yunding Security Lab and Daniel Jensen @dozernz
  • Severity Rating: 5.1 Medium
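One way to confine writes to the pillar root, added here as an example rather than Salt's own implementation of wheel.pillar_roots.write; the root /srv/pillar and the function names are assumptions.

```python
import os


def safe_join(root, relative):
    """Join relative onto root, refusing any result that escapes root.

    Both sides go through realpath, so '..' components, absolute paths and
    symlinks are judged by where they actually land, not by string prefix.
    """
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, relative))
    # commonpath rather than startswith: /srv/pillar2 must not be taken
    # for something inside /srv/pillar.
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError("path escapes pillar root: %r" % relative)
    return target


def is_confined(root, relative):
    """True if relative stays inside root, False if it would traverse out."""
    try:
        safe_join(root, relative)
        return True
    except ValueError:
        return False


def write_pillar_file(root, relative, data):
    """Write data under root only after the confinement check passes."""
    dest = safe_join(root, relative)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "w") as fh:
        fh.write(data)
    return dest
```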

CVE-2021-25283

  • Impact: Via the SaltAPI fix directory traversal in wheel.pillar_roots.write
  • Description: The jinja renderer does not protect against server-side template injection attacks.
  • Solution: We enabled the jinja renderer safe mode as a default in Salt
  • How to Mitigate: Update to the latest Salt release, package or patch file
  • Attribution: 1mperio@Tencent Yunding Security Lab
  • Severity Rating: 8.1 High

CVE-2021-25284

  • Impact: Running a highstate against a machine that does not already have the htpasswd file created reports errors, but the state is applied correctly. This issue is not present in a default configuration of Salt.
  • Description: The webutils module writes passwords in cleartext to /var/log/salt/minion
  • Solution: Previously, cmdmod might log passwords to info and error levels; now, cmdmod will only log the command name, not the full command
  • How to Mitigate: Update to the latest Salt release, package or patch file
  • Attribution: Reported by Carlos https://github.com/nzlosh
  • Severity Rating: 4.1 Medium

CVE-2021-3148

  • Impact: Via the SaltAPI, a command is constructed from a formatted string and can be truncated if there are single quotes in extra_mods, since json.dumps() escapes double quotes while leaving single quotes untouched.
  • Description: command injection in salt.utils.thin.gen_thin()
  • Solution: Remove shell usage in thin utils
  • How to Mitigate: Update to the latest version of Salt via packages or patch files
  • Attribution: Reported by Ruikai Lui lrk700@gmail.com
  • Severity Rating: 6.8 Medium
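The quoting defect described above, reproduced in an added example that is not Salt's code: a constructed shell string shows how json.dumps() leaves a single quote intact and breaks the shell's tokenization, and the hardened form passes an argv list with no shell, in the spirit of the "remove shell usage" fix. The function names and the print() payload are assumptions.

```python
import json
import shlex
import subprocess
import sys


def build_shell_command(extra_mods):
    """Constructed illustration of the weak pattern (not Salt's code).

    The JSON blob is interpolated into a single-quoted shell string.
    json.dumps() escapes double quotes but leaves single quotes alone, so a
    single quote inside extra_mods closes the shell quoting early.
    """
    return "python3 -c 'print({})'".format(json.dumps(extra_mods))


def shell_tokens(cmd):
    """Tokenize cmd as a POSIX shell would; None if the quoting is broken."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return None


def build_argv(extra_mods):
    """Hardened form: no shell involved, each argument is its own argv element,
    so any quotes inside extra_mods are plain characters in one argument."""
    return [sys.executable, "-c", "print({})".format(json.dumps(extra_mods))]


def run_argv(argv):
    """Run the argv list directly (shell=False) and return its stdout."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    mods = ["it's"]
    print("shell string tokens:", shell_tokens(build_shell_command(mods)))
    print("argv form output:", run_argv(build_argv(mods)))
```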

CVE-2020-35662

  • Impact: SSL cert not verified by default
  • Description: Several places where Salt was not verifying the SSL cert by default
  • Solution: Now, SSL cert is verified by default
  • How to Mitigate: Update the minion to the latest release, package or patch file
  • Severity Rating: 7.4 High

CVE-2021-3144

  • Impact: eauth tokens can be used once after expiration
  • Description: Token can be used once after expiration
  • Solution: Method returns empty dictionary if token is expired
  • How to Mitigate: Update to the latest Salt release, package or patch file
  • Attribution: Reported by Ken Crowell https://github.com/oeuftete
  • Severity Rating: 7.4 High

CVE-2020-28972

  • Impact: Code base not validating SSL/TLS certificate of the server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack
  • Description: Missing validation on SSL cert
  • Solution: Default VMware modules to verify SSL by default
  • How to Mitigate: Update to the latest Salt release, package or patch file
  • Attribution: Reported by Long Nguyen Van ngvlongit1@gmail.com
  • Severity Rating: 7.4 High

CVE-2020-28243

  • Impact: A privilege escalation is possible on a SaltStack minion when an unprivileged user is able to create files in any non-blacklisted directory via a command injection in a process name.
  • Description: Local Privilege Escalation in the Minion
  • Solution: Remove shell usage in the restartcheck module
  • How to Mitigate: Update the minion to the latest release, package or patch file
  • Attribution: Reported by Matthew Rollings matthew.rollings@immersivelabs.com
  • Severity Rating: 7.0 High

Packages and Patches

Packages

Updated packages can be found at https://repo.saltproject.io for these supported versions of Salt. These versions have been updated for this CVE release:

  • 3002.5
  • 3001.6
  • 3000.8

Important: During testing in the CVE release process, a regression was found. We communicated this here, which delayed the release. Please note that the version numbers will not match a conventional order.

Patches

Security patch files can be found at https://gitlab.com/saltstack/open/salt-patches

Please note the links in the readme.md to each patch file per version. Due to the regression found, there is more than one file per version to apply.

Patches are available for the following versions:

  • 3002.2
  • 3001.4
  • 3000.6
  • 2019.2.8
  • 2019.2.5
  • 2018.3.5
  • 2017.7.8
  • 2016.11.10
  • 2016.11.6
  • 2016.11.5
  • 2016.11.3
  • 2016.3.8
  • 2016.3.6
  • 2016.3.4
  • 2015.8.13
  • 2015.8.10

NOTE: If you are running an older version of Salt not listed on either of these sites, please update to a different version before applying an available patch.

Additional resources

  • KB article: Upgrading Your Salt Infrastructure
  • Salt Docs: Best Way to Restart a Salt Minion Daemon with Salt After Upgrade