Critical Vulnerability in Salt Requires Immediate Patching
Security News, April 2020
The Salt community has been aware of a critical vulnerability in Salt Master since late last week.
More warnings appeared early this week. F-Secure's Mikko Hypponen tweeted on Monday, 27 April: "The vulnerability in Salt Master 3000.1 has been rated with a CVSS of 10.0".
"There aren't many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet. When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So, if I were running one of these 6000 masters, I wouldn't feel comfortable leaving work for the weekend knowing it's a target."
Alex Peay, SVP of product and marketing at SaltStack, told SecurityWeek, "A critical vulnerability was discovered in Salt Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier. The vulnerability occurs if a Salt Master is exposed to the open internet. Upon notification, SaltStack took immediate action to remediate the vulnerability, develop and issue patches, and communicate to our customers about the affected versions so they can prepare their systems for update."
While exposing a Salt Master to the internet makes an attack both easier and more likely, the vulnerability itself isn't dependent on that exposure. The flaw is in the master, so any host that can reach the master's request and publish ports (TCP 4506 and 4505 by default) can attack it, whether that host is on the internet or an already-compromised machine on the internal network. Hiding the master behind a firewall reduces the attack surface; only the patch removes the vulnerability.
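A small triage helper for the two questions the statements above raise, added here as an example (it is not SaltStack's code or the article's): does the version a master reports fall inside the range named in the vendor statement, and do the master's default ZeroMQ ports, TCP 4505 (publish) and 4506 (request), answer from the network the script runs on. The sample version strings are constructed for the demonstration, the probed host is a placeholder, and treating 2019.2 releases newer than 2019.2.3 as outside the named range is an interpretation of the statement, not something the article says.

```python
"""Triage helper for the Salt Master advisory discussed above.

Added example, not SaltStack code. It answers two operator questions:
  1. Is the version string a master reports inside the range the vendor
     statement names (2019.2.3 and earlier, 3000.1 and earlier)?
  2. Are the master's default ZeroMQ ports reachable from this host?
"""
import re
import socket
import sys
from typing import Dict, Tuple

# Last affected releases per the vendor statement quoted in the article.
# Salt versions compare correctly as integer tuples:
#   (2019, 2, 3) < (3000,) < (3000, 1) < (3000, 2) < (3001,)
LAST_AFFECTED_2019_LINE = (2019, 2, 3)
LAST_AFFECTED_3000_LINE = (3000, 1)

# Salt defaults: 4505 is the publisher port, 4506 the request server port.
SALT_PORTS = (4505, 4506)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a numeric version tuple from strings such as 'salt 3000.1',
    '2019.2.3' or 'salt 2019.2.3 (Fluorine)'."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(text: str) -> bool:
    """True if the reported version is at or below the last affected release
    of its own line. Releases newer than 2019.2.3 in the older line are
    treated as outside the named range (assumption: confirm against the
    vendor advisory); anything at or below 3000.1 in the 3000 line, and any
    release older than 2019.2.3, is flagged."""
    version = parse_version(text)
    if version[0] >= 3000:
        return version <= LAST_AFFECTED_3000_LINE
    return version <= LAST_AFFECTED_2019_LINE


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect probe from this vantage point. True means something
    accepted the connection; it does not by itself prove it is a Salt master."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure_report(host: str) -> Dict[int, bool]:
    """Probe the default Salt master ports on host from this network."""
    return {port: port_open(host, port) for port in SALT_PORTS}


if __name__ == "__main__":
    # Constructed sample output of `salt --version` from several masters.
    samples = ["salt 2019.2.3", "salt 3000", "salt 3000.1", "salt 3000.2"]
    for sample in samples:
        verdict = "AFFECTED, patch now" if is_affected(sample) else "outside named range"
        print(f"{sample:<16} -> {verdict}")

    # Placeholder host; pass the master's address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, reachable in exposure_report(target).items():
        state = "reachable from here" if reachable else "not reachable from here"
        print(f"{target}:{port} {state}")
```

Run the exposure probe from a network that should not be able to talk to the master (an office subnet, a cloud VM outside the management VPC). A reachable 4505 or 4506 from such a vantage point is the exposure the quoted tweet warns about, and should be closed regardless of the version result.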