Salt Bugs Allow Full RCE as Root on Cloud Servers (Security News, April 2020)
The open-source Salt management framework contains high-severity security vulnerabilities that allow full remote code execution as root on servers in data centers and cloud environments.
"The ClearFuncs class also exposes the method _prep_auth_info(), which returns the root key used to authenticate commands from the local root user on the master server. This root key can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master."
The bugs together allow attackers "who can connect to the request server port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the master server filesystem and steal the secret key used to authenticate to the master as root," according to the firm.
According to the National Vulnerability Database, "The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions."
"Adding network security controls that restrict access to the salt master to known minions, or at least block the wider internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks," F-Secure concluded.
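An added illustration of the flaw class the NVD text describes: a pre-authentication handler that does not validate which method names a request may call, shown next to an allowlisted dispatcher. This is a toy model, not Salt's code or its patch; apart from `_prep_auth_info`, which the article names, every class, method and request field here is an assumption.

```python
import hmac
import secrets


class ClearChannel:
    """Toy handler for requests that arrive before authentication (hypothetical)."""

    # The hardened dispatcher consults only this allowlist.
    EXPOSED = frozenset({"ping", "run_as_root"})

    def __init__(self):
        self._root_key = secrets.token_hex(16)

    def ping(self):
        return "pong"

    def run_as_root(self, key, command):
        # Administrative call guarded by the root key.
        if not hmac.compare_digest(key, self._root_key):
            raise PermissionError("bad root key")
        return f"accepted: {command}"

    def _prep_auth_info(self):
        # Internal helper that was never meant to be remotely callable.
        return {"root_key": self._root_key}


def dispatch_unvalidated(handler, request):
    # Weak: any attribute name supplied by the client is resolved and called.
    return getattr(handler, request["cmd"])(*request.get("args", ()))


def dispatch_allowlisted(handler, request):
    # Hardened: only names declared in EXPOSED are reachable.
    cmd = request.get("cmd")
    if cmd not in handler.EXPOSED:
        raise PermissionError(f"method not exposed: {cmd!r}")
    return getattr(handler, cmd)(*request.get("args", ()))


def leaks_root_key(dispatch):
    """Return True if an unauthenticated request can obtain the root key."""
    handler = ClearChannel()
    try:
        reply = dispatch(handler, {"cmd": "_prep_auth_info"})  # constructed request
    except PermissionError:
        return False
    return reply.get("root_key") == handler._root_key
```

Calling `leaks_root_key` with each dispatcher shows the difference: the unvalidated one hands out the key, the allowlisted one rejects the request before any method is resolved.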
News URL
https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/