Salt security advisory release - 2021-SEPT-2

The Salt Project has released a security update to Salt that addresses 3 vulnerabilities with severity ratings from Medium to High. We strongly recommend prioritizing this update. This is a security advisory release.

The following CVEs were fixed as part of this release:

CVE Details

NOTE: The CVSS ratings listed below use Access Complexity “High” when the issue cannot be exploited in a default configuration. See the CVSS Calculator for more information.

CVE-2021-21996

  • Impact: Exploitation requires that a malicious user control a file source URL and its source_hash URL.
  • Description: A user who controls the source and source_hash URLs can gain full file system access as root on a salt minion.
  • Solution: Code has been modified to exclude the full path of a download URL. Instead, we only use the base filename plus file extension. This prevents injection of malicious code into the full path string.
  • How to Mitigate: Update to the latest versions of salt minion code.
  • Attribution: Jonathan Schlue - jonathan.schlue@aboutsource.net
  • Severity Rating: 4.2
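
The pattern named in the Solution above (use only the base filename plus extension instead of the full URL path), shown as an added Python illustration; it is not Salt's code, and `CACHE_ROOT`, the function names and the sample URL are constructed for the example.

```python
import posixpath  # posixpath keeps results identical on every OS
from urllib.parse import unquote, urlsplit

CACHE_ROOT = "/var/cache/example/extrn_files"  # hypothetical cache directory
# Constructed sample URL whose path component contains ".." segments.
SAMPLE_URL = "https://files.example.invalid/a/../../../../../../../tmp/report.txt.sha256"


def full_path_cache_name(url):
    """'Before' pattern: the whole URL path is joined into the local path."""
    parts = urlsplit(url)
    rel = unquote(parts.path).lstrip("/")
    return posixpath.normpath(posixpath.join(CACHE_ROOT, parts.netloc, rel))


def basename_cache_name(url):
    """'After' pattern: keep only the base filename plus extension."""
    # Treat "\" as a separator too, so Windows-style segments are dropped.
    path = unquote(urlsplit(url).path).replace("\\", "/")
    name = posixpath.basename(path)
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("no usable filename in URL: %r" % (url,))
    return posixpath.join(CACHE_ROOT, name)


def escapes_root(local_path):
    """True if local_path resolves outside CACHE_ROOT."""
    return posixpath.commonpath([CACHE_ROOT, local_path]) != CACHE_ROOT


if __name__ == "__main__":
    for build in (full_path_cache_name, basename_cache_name):
        dest = build(SAMPLE_URL)
        print("%-22s -> %s (escapes root: %s)"
              % (build.__name__, dest, escapes_root(dest)))
```

A URL whose last path segment is empty, `.` or `..` is rejected rather than mapped to a default name, so a caller has to handle `ValueError`.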

CVE-2021-22004

  • Impact: Exploitation requires that a malicious user have access to a Windows system, have permission to create directories and files on the root of the system drive, and create a malicious minion config at C:\salt\conf.
  • Description: The salt minion installer will accept and use a minion config file at C:\salt\conf if that file is in place before the installer is run. This allows for a malicious actor to subvert the proper behavior of the given minion software.
  • Solution: The updated installer verifies that the owner of the C:\salt\conf directory is either the Administrators group or the Local System account. If ownership is not correct, the user will be prompted to rename the config directory and the default config will be used.
  • How to Mitigate: Use the latest Windows installer (v3001.8+, v3002.7+, or v3003.3+) when deploying the salt minion on Windows.
  • Attribution: Salt Windows Working Group
  • Severity Rating: 6.7

CVE-2021-31607

NOTE: The original fix for this CVE caused a functional issue. That issue has been resolved in this fix.

  • Impact: This impacts users of snapper who are using a snapshot enabled filesystem.
  • Description: In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
  • Solution: The way shell commands are called has been repaired to prevent injection.
  • How to Mitigate: Update to the latest version of salt software.
  • Attribution: Internal scan
  • Severity Rating: CVSS3 7.8
  • Packages: Updated packages for the versions below can be found at https://repo.saltproject.io for these supported versions of Salt:
    • 3003.3
    • 3002.7
    • 3001.8