CVE-2020-11651

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls, so a remote, unauthenticated client can invoke methods that were meant to be internal or to require authentication. These methods can be used to retrieve user tokens from the salt master, disclose the root key, and/or run arbitrary commands on salt minions. The Metasploit modules listed below reach this through the master's ZeroMQ request server: _prep_auth_info() discloses the root key used to authenticate administrative commands, and runner() and _send_pub() execute code as root on the master or on selected minions. The fix shipped upstream in 2019.2.4 and 3000.2. Distribution packages carry it as backports under older upstream version strings (for example Debian buster's 2018.3.4+dfsg1-6+deb10u1 and SUSE's 2019.2.0-5.67.1 in the Nessus plugins below), so the installed package release, not the upstream version number alone, determines whether a host is patched.
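The dispatch weakness described in the summary, as an added illustration written for this page (it is not Salt's code and speaks no ZeroMQ): a request handler that blocks only double-underscore names lets an unauthenticated client reach single-underscore helpers such as _prep_auth_info() and _send_pub(), leak the root key and then authenticate to runner() with it, while an explicit allow-list rejects the same requests. The class names, handler bodies, the 'cmd'/'key'/'fun' request fields and the root-key value are assumptions made for the illustration; only the three method names come from the Metasploit module descriptions on this page.

```python
"""Added illustration of the ClearFuncs-style dispatch bug class.

Not Salt's code: the classes, handler bodies and request fields are
stand-ins invented for this example. Only the method names
_prep_auth_info, runner and _send_pub are taken from this page.
"""

ROOT_KEY = "constructed-root-key-0000"  # constructed sample value, not a real key


class WeakClearFuncs:
    """Deny-list dispatch: any attribute whose name does not start with
    '__' is callable by whoever can reach the request socket."""

    def __init__(self, root_key):
        self._root_key = root_key

    # Administrative entry point; meant to be gated by the root key.
    def runner(self, load):
        if load.get("key") != self._root_key:
            return {"error": "authentication failed"}
        return {"return": f"runner:{load.get('fun')}"}

    # Internal helpers that should never be reachable from the network.
    def _prep_auth_info(self, load):
        return {"return": self._root_key}

    def _send_pub(self, load):
        return {"return": f"published:{load.get('fun')}"}

    def dispatch(self, load):
        cmd = load.get("cmd", "")
        if cmd.startswith("__"):  # blocks only dunder names
            return {"error": "invalid command"}
        handler = getattr(self, cmd, None)
        if handler is None or not callable(handler):
            return {"error": "unknown command"}
        return handler(load)


class HardenedClearFuncs(WeakClearFuncs):
    """Allow-list dispatch: only names in EXPOSED are reachable; runner()
    still demands the root key, which can no longer be leaked."""

    EXPOSED = frozenset({"runner"})

    def dispatch(self, load):
        cmd = load.get("cmd", "")
        if cmd not in self.EXPOSED:
            return {"error": "invalid command"}
        return getattr(self, cmd)(load)


def attack(master):
    """Replay the request sequence an unauthenticated client would send
    and return each response, keyed by step."""
    leaked = master.dispatch({"cmd": "_prep_auth_info"})
    key = leaked.get("return")  # None when the leak is blocked
    return {
        "prep_auth_info": leaked,
        "runner_with_leaked_key": master.dispatch(
            {"cmd": "runner", "fun": "state.apply", "key": key}
        ),
        "send_pub": master.dispatch({"cmd": "_send_pub", "fun": "cmd.run"}),
    }


def demo():
    """Run the same three requests against both dispatchers."""
    return {
        "weak": attack(WeakClearFuncs(ROOT_KEY)),
        "hardened": attack(HardenedClearFuncs(ROOT_KEY)),
    }


if __name__ == "__main__":
    for variant, steps in demo().items():
        for step, response in steps.items():
            print(f"{variant:9} {step:24} {response}")
```

The point of the allow-list is that the set of remotely callable names is stated once and positively; the deny-list version has to anticipate every naming convention a future internal helper might use, which is exactly where the single-underscore methods slipped through.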
Vulnerable Configurations
Exploit-Db
id: EDB-ID:48421
last seen: 2020-05-05
modified: 2020-05-05
published: 2020-05-05
reporter: Exploit-DB
source: https://www.exploit-db.com/download/48421
title: Saltstack 3000.1 - Remote Code Execution
Metasploit
id: MSF:AUXILIARY/GATHER/SALTSTACK_SALT_ROOT_KEY
title: SaltStack Salt Master Server Root Key Disclosure
description: This module exploits unauthenticated access to the _prep_auth_info() method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.
last seen: 2020-06-14
modified: 2020-05-29
published: 2020-05-06
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/saltstack_salt_root_key.rb
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11652
- https://labs.f-secure.com/advisories/saltstack-authorization-bypass
- https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/
- https://www.vmware.com/security/advisories/VMSA-2020-0009.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG
- https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py

id: MSF:EXPLOIT/LINUX/MISC/SALTSTACK_SALT_UNAUTH_RCE
title: SaltStack Salt Master/Minion Unauthenticated RCE
description: This module exploits unauthenticated access to the runner() and _send_pub() methods in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to execute code as root on either the master or on select minions. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.
last seen: 2020-06-14
modified: 2020-05-29
published: 2020-05-07
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11652
- https://labs.f-secure.com/advisories/saltstack-authorization-bypass
- https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/
- https://www.vmware.com/security/advisories/VMSA-2020-0009.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG
- https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py
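A version triage helper, added here as example code (not from Salt, Rapid7 or Tenable): it applies the affected ranges stated above, before 2019.2.4 in the date-based scheme and 3000 before 3000.2 in the numbering Salt switched to after 2019.2, to the output of `salt --version`, and it refuses to judge distribution package strings, because the Nessus plugins below show the fix shipped as backports under older upstream numbers (Debian 2018.3.4+dfsg1-6+deb10u1, SUSE 2019.2.0-5.67.1). The sample version strings are constructed; the function names and the marker heuristic for recognising distribution packages are assumptions of this example.

```python
"""Added example: triage Salt version strings against CVE-2020-11651.

Written for this page; not Salt's, Rapid7's or Tenable's code. The
affected ranges come from the advisory text above. Sample strings are
constructed, not captured from real hosts.
"""
import re

# Fixed releases from the advisory: "before 2019.2.4" and "3000 before 3000.2".
FIXED_DATE_SCHEME = (2019, 2, 4)
FIXED_3000_SCHEME = (3000, 2)

# Salt numbered releases YYYY.M.P up to 2019.2.x, then 3000, 3000.1, 3000.2, 3001, ...
_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)*)\b")

# Heuristic (assumption of this example): strings that look like a distro
# package (rpm version-release, Debian +deb/+ds/+dfsg suffixes, Photon .phN,
# RHEL .elN, Ubuntu) cannot be judged by the upstream number alone.
_DISTRO_RE = re.compile(r"\d-\d|\+deb|\+ds|\+dfsg|\.ph\d|\.el\d|ubuntu")


def parse_version(text):
    """Return the first dotted numeric version in text as a tuple of ints,
    e.g. 'salt 3000.1' -> (3000, 1), 'salt 2019.2.3 (Fluorine)' -> (2019, 2, 3)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_upstream(text):
    """True if the upstream Salt version in text falls in an affected range."""
    v = parse_version(text)
    if v[0] >= 3000:
        return v < FIXED_3000_SCHEME   # (3000,) and (3000, 1) are affected
    return v < FIXED_DATE_SCHEME       # every YYYY.M.P release before 2019.2.4


def assess(text):
    """'vulnerable', 'fixed', or 'distro-package' when the string is a
    distribution package version that must be checked against its advisory."""
    if _DISTRO_RE.search(text):
        return "distro-package"
    return "vulnerable" if is_vulnerable_upstream(text) else "fixed"


SAMPLES = [  # constructed `salt --version` outputs and package strings
    "salt 2019.2.3 (Fluorine)",
    "salt 2019.2.4 (Fluorine)",
    "salt 3000",
    "salt 3000.1",
    "salt 3000.2",
    "salt 3001",
    "salt 2018.3.4 (Oxygen)",
    "2018.3.4+dfsg1-6+deb10u1",       # Debian buster package, fixed per DSA-4676
    "salt-master-2019.2.0-5.67.1",    # SUSE SLES15 package, fixed per SUSE-SU-2020:1151-1
    "salt3-2019.2.4-1.ph3",           # Photon OS 3.0 package, fixed per PHSA-2020-3.0-0091
]


def triage(samples=SAMPLES):
    """Map each sample string to its verdict."""
    return {s: assess(s) for s in samples}


if __name__ == "__main__":
    for sample, verdict in triage().items():
        print(f"{verdict:15} {sample}")
```

The two-scheme comparison matters because a naive lexical or tuple comparison against (2019, 2, 4) alone would mark 3000 and 3000.1 as fixed; the distro guard matters because the same naive check would mark every patched Debian and SUSE package as vulnerable.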
Nessus
NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2020-3_0-0091_SALT3.NASL
description: An update of the salt3 package has been released.
last seen: 2020-05-21
modified: 2020-05-18
plugin id: 136699
published: 2020-05-18
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136699
title: Photon OS 3.0: Salt3 PHSA-2020-3.0-0091
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory PHSA-2020-3.0-0091. The text
# itself is copyright (C) VMware, Inc.

include('compat.inc');

if (description)
{
  script_id(136699);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"Photon OS 3.0: Salt3 PHSA-2020-3.0-0091");
  script_set_attribute(attribute:"synopsis", value:
"The remote PhotonOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"An update of the salt3 package has been released.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-3.0-91.md");
  script_set_attribute(attribute:"solution", value:
"Update the affected Linux packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/18");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:salt3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:3.0");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"PhotonOS Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/PhotonOS/release");
if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
if (release !~ "^VMware Photon (?:Linux|OS) 3\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 3.0");
if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);

flag = 0;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-api-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-cloud-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-master-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-minion-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-proxy-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-spm-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-ssh-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-syndic-2019.2.4-1.ph3")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "salt3");
}
NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2020-1_0-0294_SALT.NASL
description: An update of the salt package has been released.
last seen: 2020-05-21
modified: 2020-05-18
plugin id: 136694
published: 2020-05-18
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136694
title: Photon OS 1.0: Salt PHSA-2020-1.0-0294
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory PHSA-2020-1.0-0294. The text
# itself is copyright (C) VMware, Inc.

include('compat.inc');

if (description)
{
  script_id(136694);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"Photon OS 1.0: Salt PHSA-2020-1.0-0294");
  script_set_attribute(attribute:"synopsis", value:
"The remote PhotonOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"An update of the salt package has been released.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-1.0-294.md");
  script_set_attribute(attribute:"solution", value:
"Update the affected Linux packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/18");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:salt");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"PhotonOS Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/PhotonOS/release");
if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);

flag = 0;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-api-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-cloud-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-master-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-minion-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-proxy-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-spm-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-ssh-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-syndic-2019.2.4-1.ph1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "salt");
}
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-4676.NASL
description: Several vulnerabilities were discovered in salt, a powerful remote execution manager, which could result in retrieval of user tokens from the salt master, execution of arbitrary commands on salt minions, arbitrary directory access for authenticated users, or arbitrary code execution on salt-api hosts.
last seen: 2020-06-02
modified: 2020-05-07
plugin id: 136372
published: 2020-05-07
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136372
title: Debian DSA-4676-1 : salt - security update
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-4676. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(136372);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");

  script_cve_id("CVE-2019-17361", "CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"DSA", value:"4676");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"Debian DSA-4676-1 : salt - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several vulnerabilities were discovered in salt, a powerful remote
execution manager, which could result in retrieve of user tokens from
the salt master, execution of arbitrary commands on salt minions,
arbitrary directory access to authenticated users or arbitrary code
execution on salt-api hosts."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949222"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959684"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/source-package/salt"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/stretch/salt"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/buster/salt"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2020/dsa-4676"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the salt packages.

For the oldstable distribution (stretch), these problems have been
fixed in version 2016.11.2+ds-1+deb9u3.

For the stable distribution (buster), these problems have been fixed in
version 2018.3.4+dfsg1-6+deb10u1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:salt");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"10.0", prefix:"salt-api", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-cloud", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-common", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-doc", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-master", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-minion", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-proxy", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-ssh", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-syndic", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"9.0", prefix:"salt-api", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-cloud", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-common", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-doc", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-master", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-minion", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-proxy", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-ssh", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-syndic", reference:"2016.11.2+ds-1+deb9u3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2020-1151-1.NASL
description: This update for salt fixes the following issues: Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-15
modified: 2020-04-30
plugin id: 136170
published: 2020-04-30
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136170
title: SUSE SLES15 Security Update : salt (SUSE-SU-2020:1151-1)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2020:1151-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(136170);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"SUSE SLES15 Security Update : salt (SUSE-SU-2020:1151-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for salt fixes the following issues :

Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1170595"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2020-11651/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2020-11652/"
  );
  # https://www.suse.com/support/update/announcement/2020/suse-su-20201151-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?6df3c979"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use the SUSE recommended
installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server for SAP 15 :

zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1151=1

SUSE Linux Enterprise Server 15-LTSS :

zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1151=1

SUSE Linux Enterprise High Performance Computing 15-LTSS :

zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1

SUSE Linux Enterprise High Performance Computing 15-ESPOS :

zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python2-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python3-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-cloud");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-master");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-minion");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-proxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-ssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-syndic");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES15", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
if (cpu >!< "s390x") audit(AUDIT_ARCH_NOT, "s390x", cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP0", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"python2-salt-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"python3-salt-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-api-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-cloud-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-doc-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-master-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-minion-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-proxy-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-ssh-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-standalone-formulas-configuration-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-syndic-2019.2.0-5.67.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "salt");
}
NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2020-1150-1.NASL
description: This update for salt fixes the following issues: Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-15
modified: 2020-04-30
plugin id: 136169
published: 2020-04-30
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136169
title: SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1150-1)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2020:1150-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(136169);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1150-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for salt fixes the following issues :

Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1170595"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2020-11651/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2020-11652/"
  );
  # https://www.suse.com/support/update/announcement/2020/suse-su-20201150-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?85e05fec"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use the SUSE recommended
installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Module for Server Applications 15-SP1:zypper in
-t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1150=1

SUSE Linux Enterprise Module for Python2 15-SP1:zypper in -t patch
SUSE-SLE-Module-Python2-15-SP1-2020-1150=1

SUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch
SUSE-SLE-Module-Basesystem-15-SP1-2020-1150=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python2-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python3-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-cloud");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-master");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-minion");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-proxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-ssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-syndic");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP1", os_ver + " SP" + sp);
if (os_ver == "SLED15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP1", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-api-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-cloud-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-master-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-proxy-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-ssh-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-standalone-formulas-configuration-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-syndic-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"python2-salt-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"python3-salt-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-doc-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-minion-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"python2-salt-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"python3-salt-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"salt-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"salt-doc-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"salt-minion-2019.2.0-6.27.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "salt");
}
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_6BF55AF9973B11EA9F2C38D547003487.NASL |
description | F-Secure reports : CVE-2020-11651 - Authentication bypass vulnerabilities The ClearFuncs class processes unauthenticated requests and unintentionally exposes the _send_pub() method, which can be used to queue messages directly on the master publish server. Such messages can be used to trigger minions to run arbitrary commands as root. The ClearFuncs class also exposes the method _prep_auth_info(), which returns the |
last seen | 2020-05-22 |
modified | 2020-05-18 |
plugin id | 136687 |
published | 2020-05-18 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/136687 |
title | FreeBSD : salt -- multiple vulnerabilities in salt-master process (6bf55af9-973b-11ea-9f2c-38d547003487) |
code |

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2020 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(136687);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"FreeBSD : salt -- multiple vulnerabilities in salt-master process (6bf55af9-973b-11ea-9f2c-38d547003487)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"F-Secure reports :

CVE-2020-11651 - Authentication bypass vulnerabilities

The ClearFuncs class processes unauthenticated requests and
unintentionally exposes the _send_pub() method, which can be used to
queue messages directly on the master publish server. Such messages
can be used to trigger minions to run arbitrary commands as root.

The ClearFuncs class also exposes the method _prep_auth_info(), which
returns the 'root key' used to authenticate commands from the local
root user on the master server. This 'root key' can then be used to
remotely call administrative commands on the master server. This
unintentional exposure provides a remote un-authenticated attacker
with root-equivalent access to the salt master.

CVE-2020-11652 - Directory traversal vulnerabilities

The wheel module contains commands used to read and write files under
specific directory paths. The inputs to these functions are
concatenated with the target directory and the resulting path is not
canonicalized, leading to an escape of the intended path restriction.

The get_token() method of the salt.tokens.localfs class (which is
exposed to unauthenticated requests by the ClearFuncs class) fails to
sanitize the token input parameter which is then used as a filename,
allowing insertion of '..' path elements and thus reading of files
outside of the intended directory. The only restriction is that the
file has to be deserializable by salt.payload.Serial.loads()."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://labs.f-secure.com/advisories/saltstack-authorization-bypass"
  );
  # https://blog.f-secure.com/new-vulnerabilities-make-exposed-salt-hosts-easy-targets/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f051ee1b"
  );
  # https://www.tenable.com/blog/cve-2020-11651-cve-2020-11652-critical-salt-framework-vulnerabilities-exploited-in-the-wild
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?4975c617"
  );
  # https://vuxml.freebsd.org/freebsd/6bf55af9-973b-11ea-9f2c-38d547003487.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d05a29b3"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py27-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py32-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py33-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py34-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py35-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py36-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py37-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py38-salt");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/18");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"py27-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py27-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py32-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py32-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py33-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py33-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py34-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py34-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py35-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py35-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py36-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py36-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py37-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py37-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py38-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py38-salt>=3000<3000.2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2020-564.NASL |
description | This update for salt fixes the following issues : - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595) This update was imported from the SUSE:SLE-15-SP1:Update update project. |
last seen | 2020-05-15 |
modified | 2020-05-04 |
plugin id | 136306 |
published | 2020-05-04 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/136306 |
title | openSUSE Security Update : salt (openSUSE-2020-564) |
code |

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2020-564.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(136306);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"openSUSE Security Update : salt (openSUSE-2020-564)");
  script_summary(english:"Check for the openSUSE-2020-564 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for salt fixes the following issues :

  - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)

This update was imported from the SUSE:SLE-15-SP1:Update update
project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1170595"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected salt packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python2-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-bash-completion");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-cloud");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-fish-completion");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-master");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-minion");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-proxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-ssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-syndic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-zsh-completion");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/04");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE15.1", reference:"python2-salt-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"python3-salt-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-api-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-bash-completion-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-cloud-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-fish-completion-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-master-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-minion-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-proxy-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-ssh-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-standalone-formulas-configuration-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-syndic-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-zsh-completion-2019.2.0-lp151.5.15.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python2-salt / python3-salt / salt / salt-api / etc");
}
NASL family | Misc. |
NASL id | SALTSTACK_3000_2_MULTIPLE_VULNERABILITIES.NASL |
description | According to its self-reported version number, the instance of SaltStack hosted on the remote server is prior to 2019.2.4, or 3000.x prior to 3000.2. It is, therefore, affected by multiple vulnerabilities: - An authentication bypass vulnerability exists in the ClearFuncs class due to improper validation of method calls. An unauthenticated, remote attacker can exploit this by accessing exposed methods to trigger minions to run arbitrary commands as root, or to retrieve the root key used to authenticate commands from the local root user on the master server. (CVE-2020-11651) - A directory traversal vulnerability exists in the ClearFuncs class due to improper path sanitization. An authenticated, remote attacker can exploit this by accessing the exposed get_token() method, which allows the insertion of double periods in the filename parameter to read files outside of the intended directory. The only restriction is that the file has to be deserializable by salt.payload.Serial.loads(). (CVE-2020-11652) |
last seen | 2020-05-15 |
modified | 2020-05-07 |
plugin id | 136402 |
published | 2020-05-07 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/136402 |
title | SaltStack < 2019.2.4 / 3000.x < 3000.2 Multiple Vulnerabilities |
code |

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(136402);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"EDB-ID", value:"48421");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"SaltStack < 2019.2.4 / 3000.x < 3000.2 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The version of SaltStack running on the remote server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the instance of SaltStack hosted on the remote server is prior to
2019.2.4, 3000.x prior to 3000.2. It is, therefore, affected by multiple vulnerabilities:

  - An authentication bypass vulnerabilities exists in the ClearFuncs class due to improper validation of
    method calls. An unauthenticated, remote attacker can exploit this by accessing exposed methods to
    trigger minions to run arbitrary commands as root, or to retrieve the root key to authenticate commands
    from the local root user on the master server. (CVE-2020-11651)

  - A directory traversal vulnerabilities exists in the ClearFuncs class due to improper path sanitization.
    An authenticated, remote attacker can exploit this by accessing the exposed get_token() method which
    allows the insertion of double periods in the filename parameter to read files outside of the intended
    directory. The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().
    (CVE-2020-11652)");
  # https://labs.f-secure.com/advisories/saltstack-authorization-bypass
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4df67f57");
  script_set_attribute(attribute:"solution", value:
"Upgrade to SaltStack version 2019.2.4, 3000.2 or later.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:saltstack:salt");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("saltstack_salt_linux_installed.nbin");
  script_require_keys("installed_sw/SaltStack Salt Master");

  exit(0);
}

include('vcf.inc');

app_info = vcf::get_app_info(app:'SaltStack Salt Master');

# Anything older than the 2019.2 line gets the combined fixed-version display;
# the two later constraints cover the 2019.2.x and 3000.x branches separately.
constraints = [
  { 'fixed_version' : '2019.2.0', 'fixed_display' : '2019.2.4, 3000.2 or later.' },
  { 'min_version' : '2019.2.0', 'fixed_version' : '2019.2.4' },
  { 'min_version' : '3000.0', 'fixed_version' : '3000.2' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DLA-2223.NASL |
description | Several vulnerabilities were discovered in package salt, a configuration management and infrastructure automation software. CVE-2020-11651 The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. CVE-2020-11652 The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. For Debian 8 |
last seen | 2020-06-06 |
modified | 2020-06-01 |
plugin id | 136979 |
published | 2020-06-01 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/136979 |
title | Debian DLA-2223-1 : salt security update |

NASL family | PhotonOS Local Security Checks |
NASL id | PHOTONOS_PHSA-2020-1_0-0294_SALT3.NASL |
description | An update of the salt3 package has been released. |
last seen | 2020-05-21 |
modified | 2020-05-18 |
plugin id | 136695 |
published | 2020-05-18 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/136695 |
title | Photon OS 1.0: Salt3 PHSA-2020-1.0-0294 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/157560/saltstack30001-exec.txt |
id | PACKETSTORM:157560 |
last seen | 2020-05-06 |
published | 2020-05-05 |
reporter | Jasper Lievisse Adriaanse |
source | https://packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html |
title | Saltstack 3000.1 Remote Code Execution |

data source | https://packetstormsecurity.com/files/download/157678/saltstack_salt_unauth_rce.rb.txt |
id | PACKETSTORM:157678 |
last seen | 2020-05-17 |
published | 2020-05-12 |
reporter | wvu |
source | https://packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html |
title | SaltStack Salt Master/Minion Unauthenticated Remote Code Execution |
The Hacker News
id | THN:8E401822CBD35E8E7CCE9E5DD922A70E |
last seen | 2020-06-10 |
modified | 2020-06-10 |
published | 2020-05-01 |
reporter | The Hacker News |
source | https://thehackernews.com/2020/05/saltstack-rce-vulnerability.html |
title | Critical SaltStack RCE Bug (CVSS Score 10) Affects Thousands of Data Centers |

id | THN:00FCCD16591B1900512E0B089F2A6BC8 |
last seen | 2020-05-06 |
modified | 2020-05-06 |
published | 2020-05-04 |
reporter | The Hacker News |
source | https://thehackernews.com/2020/05/saltstack-rce-exploit.html |
title | Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability |
References
- https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
- https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html
- http://packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html
- https://www.debian.org/security/2020/dsa-4676
- http://www.vmware.com/security/advisories/VMSA-2020-0009.html
- http://packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG
- https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00070.html
- https://usn.ubuntu.com/4459-1/