Salt security advisory release - 2022-MAR-28

The Salt Project released a security update to Salt to address 4 vulnerabilities with a severity rating of Medium to High. We strongly recommend prioritizing this update. This is a security advisory release.

The following CVEs were fixed as part of this release:

CVE Details

CVE-2022-22934

  • Description: Salt Masters do not sign pillar data with the minion’s public key.
  • Impact: Attackers can substitute arbitrary pillar data.
  • Solution: Salt masters include the minion’s id in pillar data responses and then sign the response with the master’s private key. Minions also include a nonce in pillar requests so pillar replies cannot be re-played.
  • How to Mitigate:
    • Upgrade to 3002.8, 3003.4, or 3004.1
    • NOTE: When upgrading your Salt infrastructure, first upgrade your Salt master packages before upgrading your Salt minion packages. Upgrading the minion packages first could result in loss of functionality.
  • Attribution: Lenka Mareková lenka@cloudflare.com
  • Severity Rating: 7.5 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2022-22935

  • Description: Minion authentication denial of service.
  • Impact: A man-in-the-middle (MITM) attacker can force a minion process to stop by impersonating a master.
  • Solution: Minions include a nonce in their authentication requests and masters include the nonce in a reply signed with the master’s private key.
  • How to Mitigate:
    • Upgrade to 3002.8, 3003.4, or 3004.1.
    • Pre-seed the master’s public key on minions.
    • NOTE: When upgrading your Salt infrastructure, first upgrade your Salt master packages before upgrading your Salt minion packages. Upgrading the minion packages first could result in loss of functionality.
  • Attribution: Lenka Mareková lenka@cloudflare.com
  • Severity Rating: 6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2022-22936

  • Description: Job publishes and file server replies are susceptible to replay attacks.
  • Impact: An attacker can re-play job publishes, causing minions to run old jobs. File server replies can also be re-played. A sufficiently skilled attacker could gain root access on a minion under certain scenarios.
  • Solution: Minions include a nonce in their file server requests. Masters include the nonce in their replies and sign them with the master’s private key.
  • How to Mitigate:
    • Upgrade to 3002.8, 3003.4, or 3004.1
    • NOTE: When upgrading your Salt infrastructure, first upgrade your Salt master packages before upgrading your Salt minion packages. Upgrading the minion packages first could result in loss of functionality.
  • Attribution: Lenka Mareková lenka@cloudflare.com
  • Severity Rating: 7.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
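The fixes for CVE-2022-22934, CVE-2022-22935 and CVE-2022-22936 share one pattern: the minion sends a fresh nonce with its request, and the master echoes the minion id and nonce into a reply it signs with its private key, so the minion can reject forged, mis-addressed and replayed replies. The following is an added illustration of that check, not Salt's own code: an HMAC under a constructed key stands in for the master's RSA signature so it runs on the standard library, and the function names, message layout and sample values are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the master's signing key. Salt signs with the
# master's RSA private key; an HMAC key is used here only so the example
# runs on the standard library. The nonce/minion-id binding is the point.
MASTER_KEY = b"constructed-master-signing-key"

def sign(body: dict) -> str:
    """Sign a canonical (sorted-key JSON) encoding of the reply body."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(MASTER_KEY, canonical, hashlib.sha256).hexdigest()

def new_nonce() -> str:
    """Minion side: fresh per-request nonce, sent along with the request."""
    return secrets.token_hex(16)

def master_reply(minion_id: str, nonce: str, pillar: dict) -> dict:
    """Master side: echo the minion id and nonce into the body, then sign it."""
    body = {"id": minion_id, "nonce": nonce, "pillar": pillar}
    return {"body": body, "sig": sign(body)}

def minion_verify(minion_id: str, expected_nonce: str, reply: dict) -> dict:
    """Minion side: accept only a signed reply bound to this minion and to this
    request's nonce; raise ValueError for unsigned, forged, mis-addressed or
    replayed replies, otherwise return the pillar data."""
    body, sig = reply.get("body"), reply.get("sig")
    if body is None or sig is None:
        raise ValueError("reply is not signed")
    # Constant-time comparison of the supplied and recomputed signatures.
    if not hmac.compare_digest(str(sig).encode(), sign(body).encode()):
        raise ValueError("bad signature")
    if body.get("id") != minion_id:
        raise ValueError("reply addressed to a different minion")
    if body.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: stale or replayed reply")
    return body["pillar"]

def outcome(minion_id: str, nonce: str, reply: dict) -> str:
    """Demonstration helper: 'accepted' or 'rejected: <reason>'."""
    try:
        minion_verify(minion_id, nonce, reply)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"
```

Replaying a captured reply against a later request fails on the nonce check, and a reply captured for one minion fails the id check on another, which is the behaviour the three fixes add.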

CVE-2022-22941

  • Description: When configured as a Master-of-Masters with a publisher_acl, if a user configured in the publisher_acl targeted minions connected to the Syndic, the Salt Master incorrectly treated an empty list of valid targets as valid, allowing configured users to run their configured commands on any of the minions connected to the Syndic.
  • Impact: This requires a Syndic master combined with a publisher_acl configured on the Master-of-Masters; users specified in the publisher_acl can bypass the target restrictions and publish their authorized commands to any configured minion.
  • Solution: The code has been modified to correctly treat an empty list of targets as completely invalid, and the user is now given an error message.
  • How to Mitigate:
    • Upgrade the Salt Master-of-Masters to 3002.8, 3003.4, or 3004.1
    • NOTE: When upgrading your Salt infrastructure, first upgrade your Salt master packages before upgrading your Salt minion packages. Upgrading the minion packages first could result in loss of functionality.
  • Attribution: https://github.com/bzukdatto
  • Severity Rating: 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Packages

Updated packages for the following supported versions of Salt can be found at https://repo.saltproject.io:

  • 3004.1
  • 3003.4
  • 3002.8

Note: Ubuntu 16.04 was not packaged since it is no longer in General Maintenance.