Salt Bugs Allow Full RCE as Root on Cloud Servers
Researchers say the bugs are easy to exploit and will likely be weaponized within a day.
The open-source Salt management framework contains high-severity security vulnerabilities that allow full remote code execution as root on servers in data centres and cloud environments. And in-the-wild attacks are expected imminently.
According to F-Secure researchers, the framework, authored by the company SaltStack but also used as an open-source configuration tool to monitor and update the state of servers, has a pair of flaws within its default communications protocol, known as ZeroMQ.
A bug tracked as CVE-2020-11651 is an authentication bypass issue, while CVE-2020-11652 is a directory-traversal flaw where untrusted input (i.e. parameters in network requests) is not sanitized correctly. This, in turn, allows access to the entire filesystem of the master server, researchers found.
The bugs are especially dangerous given the topology of the Salt framework.
“Each server [managed by Salt] runs an agent called a ‘minion,’ which connects to a ‘master,’” explained F-Secure, in a writeup on Thursday. “[A master is a] Salt installation that collects state reports from minions and publishes update messages that minions can act on.”
These update messages are usually used to change the configuration of a selection of servers, but they can also be used to push out commands to multiple, or even all, of the managed systems, researchers said. An adversary thus can compromise the master in order to send malicious commands to all of the other servers in the cluster, all at the same time.
Lapses in Protocol
To communicate, the master uses two ZeroMQ channels. As F-Secure explained, one is a “request server” where minions can connect to report their status (or the output of commands). The other is a “publish server” where the master publishes messages that the minions can connect and subscribe to.
The authentication bypass can be achieved because the ClearFuncs class processes unauthenticated requests and unintentionally exposes the “_send_pub()” method. This is the method used to queue messages from the master publish server to the minions, so an unauthenticated caller can use it to publish messages that trigger minions to run arbitrary commands as root.
Also, “the ClearFuncs class also exposes the method _prep_auth_info(), which returns the root key used to authenticate commands from the local root user on the master server. This root key can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote unauthenticated attacker with root-equivalent access to the salt master.”
As for the directory traversal, the “wheel” module contains commands used to read and write files under specific directory paths.
“The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction,” according to the writeup. “The get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing…the reading of files outside of the intended directory.”
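The class of bug described above (untrusted input concatenated with a target directory and never canonicalized) is shown here beside a hardened lookup. This is an added example, not Salt's code and not from the original article; the function names, the hex-only token format and the file layout are assumptions for illustration.

```python
import os
import tempfile

def read_token_unsafe(token_dir, token):
    # "Before" form: untrusted input joined to the directory, path never canonicalized
    with open(os.path.join(token_dir, token)) as fh:
        return fh.read()

def resolve_inside(base_dir, name):
    # Canonicalize both sides (resolves "..", symlinks, absolute overrides) before comparing
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components, so /x/tokens-old is not "inside" /x/tokens
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s: %r" % (base_dir, name))
    return candidate

def read_token_safe(token_dir, token):
    # Assumption: tokens are lowercase hex digests, so anything else is rejected outright
    if not token or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("malformed token")
    with open(resolve_inside(token_dir, token)) as fh:
        return fh.read()

def demo():
    # Constructed sample layout: <root>/tokens/ab12 is legitimate, <root>/secret.key is not
    root = tempfile.mkdtemp()
    token_dir = os.path.join(root, "tokens")
    os.mkdir(token_dir)
    for path, data in ((os.path.join(token_dir, "ab12"), "token-data"),
                       (os.path.join(root, "secret.key"), "outside")):
        with open(path, "w") as fh:
            fh.write(data)
    results = {"unsafe_traversal": read_token_unsafe(token_dir, "../secret.key"),
               "safe_valid": read_token_safe(token_dir, "ab12")}
    bad_inputs = {"safe_traversal": "../secret.key",
                  "safe_absolute": os.path.join(root, "secret.key")}
    for label, bad in bad_inputs.items():
        try:
            read_token_safe(token_dir, bad)
            results[label] = "read"
        except ValueError:
            results[label] = "rejected"
    return results
```

The allow-list on the token format and the canonicalize-then-compare check are independent layers; `resolve_inside` on its own is the part that applies to any file helper taking a caller-supplied relative path.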
The bugs together allow attackers “who can connect to the request server port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the master server filesystem and steal the secret key used to authenticate to the master as root,” according to the firm.
According to the National Vulnerability Database, “The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt-master and/or run arbitrary commands on salt minions.”
News Source: https://threatpost.com