Security News > 2020 > April > Salt peppered with holes? Automation tool vulnerable to auth bypass: Patch now
The Salt configuration tool has patched two vulnerabilities whose combined effect was to expose Salt installations to complete control by an attacker.
Salt is a tool from SaltStack which has both commercial and open source editions.
In Salt terminology, a Master is a central Salt server which issues commands, and a Minion is a remote process that listens for commands and performs them.
Salt users have had little time to respond, and F-Secure has flagged the concern that: "A scan revealed over 6,000 instances of this service exposed to the public Internet. Getting all of these installs updated may prove a challenge as we expect that not all have been configured to automatically update the salt software packages."
"Adding network security controls that restrict access to the salt master to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks," continued F-Secure.