Vulnerabilities > CVE-2020-11651

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11652
• https://labs.f-secure.com/advisories/saltstack-authorization-bypass
• https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/
• https://www.vmware.com/security/advisories/VMSA-2020-0009.html
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG
• https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11652
• https://labs.f-secure.com/advisories/saltstack-authorization-bypass
• https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/
• https://www.vmware.com/security/advisories/VMSA-2020-0009.html
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG
• https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py

#
# (C) Tenable Network Security, Inc.
#


# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory PHSA-2020-3.0-0091. The text
# itself is copyright (C) VMware, Inc.


include('compat.inc');

if (description)
{
  script_id(136699);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"Photon OS 3.0: Salt3 PHSA-2020-3.0-0091");

  script_set_attribute(attribute:"synopsis", value:
"The remote PhotonOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"An update of the salt3 package has been released.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-3.0-91.md");
  script_set_attribute(attribute:"solution", value:
"Update the affected Linux packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:salt3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:3.0");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"PhotonOS Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/PhotonOS/release");
if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
if (release !~ "^VMware Photon (?:Linux|OS) 3\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 3.0");

if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);

flag = 0;

if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-api-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-cloud-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-master-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-minion-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-proxy-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-spm-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-ssh-2019.2.4-1.ph3")) flag++;
if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-syndic-2019.2.4-1.ph3")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "salt3");
}

#
# (C) Tenable Network Security, Inc.
#


# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory PHSA-2020-1.0-0294. The text
# itself is copyright (C) VMware, Inc.


include('compat.inc');

if (description)
{
  script_id(136694);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"Photon OS 1.0: Salt PHSA-2020-1.0-0294");

  script_set_attribute(attribute:"synopsis", value:
"The remote PhotonOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"An update of the salt package has been released.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-1.0-294.md");
  script_set_attribute(attribute:"solution", value:
"Update the affected Linux packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:salt");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"PhotonOS Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/PhotonOS/release");
if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");

if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);

flag = 0;

if (rpm_check(release:"PhotonOS-1.0", reference:"salt-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-api-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-cloud-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-master-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-minion-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-proxy-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-spm-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-ssh-2019.2.4-1.ph1")) flag++;
if (rpm_check(release:"PhotonOS-1.0", reference:"salt-syndic-2019.2.4-1.ph1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "salt");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-4676. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(136372);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");

  script_cve_id("CVE-2019-17361", "CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"DSA", value:"4676");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"Debian DSA-4676-1 : salt - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several vulnerabilities were discovered in salt, a powerful remote
execution manager, which could result in retrieve of user tokens from
the salt master, execution of arbitrary commands on salt minions,
arbitrary directory access to authenticated users or arbitrary code
execution on salt-api hosts."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949222"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959684"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/source-package/salt"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/stretch/salt"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/buster/salt"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2020/dsa-4676"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the salt packages.

For the oldstable distribution (stretch), these problems have been
fixed in version 2016.11.2+ds-1+deb9u3.

For the stable distribution (buster), these problems have been fixed
in version 2018.3.4+dfsg1-6+deb10u1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:salt");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"10.0", prefix:"salt-api", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-cloud", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-common", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-doc", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-master", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-minion", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-proxy", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-ssh", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"salt-syndic", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
if (deb_check(release:"9.0", prefix:"salt-api", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-cloud", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-common", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-doc", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-master", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-minion", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-proxy", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-ssh", reference:"2016.11.2+ds-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"salt-syndic", reference:"2016.11.2+ds-1+deb9u3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2020:1151-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(136170);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"SUSE SLES15 Security Update : salt (SUSE-SU-2020:1151-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for salt fixes the following issues :

Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1170595"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2020-11651/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2020-11652/"
  );
  # https://www.suse.com/support/update/announcement/2020/suse-su-20201151-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?6df3c979"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"To install this SUSE Security Update use the SUSE recommended
installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server for SAP 15 :

zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1151=1

SUSE Linux Enterprise Server 15-LTSS :

zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1151=1

SUSE Linux Enterprise High Performance Computing 15-LTSS :

zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1

SUSE Linux Enterprise High Performance Computing 15-ESPOS :

zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python2-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python3-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-cloud");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-master");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-minion");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-proxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-ssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-syndic");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES15", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
if (cpu >!< "s390x") audit(AUDIT_ARCH_NOT, "s390x", cpu);


sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP0", os_ver + " SP" + sp);


flag = 0;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"python2-salt-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"python3-salt-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-api-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-cloud-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-doc-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-master-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-minion-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-proxy-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-ssh-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-standalone-formulas-configuration-2019.2.0-5.67.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-syndic-2019.2.0-5.67.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "salt");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2020:1150-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(136169);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1150-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for salt fixes the following issues :

Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1170595"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2020-11651/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2020-11652/"
  );
  # https://www.suse.com/support/update/announcement/2020/suse-su-20201150-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?85e05fec"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"To install this SUSE Security Update use the SUSE recommended
installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Module for Server Applications 15-SP1:zypper in
-t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1150=1

SUSE Linux Enterprise Module for Python2 15-SP1:zypper in -t patch
SUSE-SLE-Module-Python2-15-SP1-2020-1150=1

SUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch
SUSE-SLE-Module-Basesystem-15-SP1-2020-1150=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python2-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python3-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-cloud");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-master");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-minion");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-proxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-ssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-syndic");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP1", os_ver + " SP" + sp);
if (os_ver == "SLED15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP1", os_ver + " SP" + sp);


flag = 0;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-api-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-cloud-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-master-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-proxy-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-ssh-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-standalone-formulas-configuration-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-syndic-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"python2-salt-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"python3-salt-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-doc-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"salt-minion-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"python2-salt-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"python3-salt-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"salt-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"salt-doc-2019.2.0-6.27.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"salt-minion-2019.2.0-6.27.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "salt");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2020 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(136687);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"FreeBSD : salt -- multiple vulnerabilities in salt-master process (6bf55af9-973b-11ea-9f2c-38d547003487)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"F-Secure reports : CVE-2020-11651 - Authentication bypass
vulnerabilities The ClearFuncs class processes unauthenticated
requests and unintentionally exposes the _send_pub() method, which can
be used to queue messages directly on the master publish server. Such
messages can be used to trigger minions to run arbitrary commands as
root.

The ClearFuncs class also exposes the method _prep_auth_info(), which
returns the 'root key' used to authenticate commands from the local
root user on the master server. This 'root key' can then be used to
remotely call administrative commands on the master server. This
unintentional exposure provides a remote un-authenticated attacker
with root-equivalent access to the salt master.

CVE-2020-11652 - Directory traversal vulnerabilities The wheel module
contains commands used to read and write files under specific
directory paths. The inputs to these functions are concatenated with
the target directory and the resulting path is not canonicalized,
leading to an escape of the intended path restriction.

The get_token() method of the salt.tokens.localfs class (which is
exposed to unauthenticated requests by the ClearFuncs class) fails to
sanitize the token input parameter which is then used as a filename,
allowing insertion of '..' path elements and thus reading of files
outside of the intended directory. The only restriction is that the
file has to be deserializable by salt.payload.Serial.loads()."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://labs.f-secure.com/advisories/saltstack-authorization-bypass"
  );
  # https://blog.f-secure.com/new-vulnerabilities-make-exposed-salt-hosts-easy-targets/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f051ee1b"
  );
  # https://www.tenable.com/blog/cve-2020-11651-cve-2020-11652-critical-salt-framework-vulnerabilities-exploited-in-the-wild
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?4975c617"
  );
  # https://vuxml.freebsd.org/freebsd/6bf55af9-973b-11ea-9f2c-38d547003487.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d05a29b3"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py27-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py32-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py33-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py34-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py35-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py36-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py37-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py38-salt");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/18");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"py27-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py27-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py32-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py32-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py33-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py33-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py34-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py34-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py35-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py35-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py36-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py36-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py37-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py37-salt>=3000<3000.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py38-salt<2019.2.4")) flag++;
if (pkg_test(save_report:TRUE, pkg:"py38-salt>=3000<3000.2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2020-564.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(136306);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"openSUSE Security Update : salt (openSUSE-2020-564)");
  script_summary(english:"Check for the openSUSE-2020-564 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for salt fixes the following issues :

  - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)

This update was imported from the SUSE:SLE-15-SP1:Update update
project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1170595"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected salt packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python2-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-bash-completion");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-cloud");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-fish-completion");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-master");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-minion");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-proxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-ssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-syndic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-zsh-completion");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/04");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE15.1", reference:"python2-salt-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"python3-salt-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-api-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-bash-completion-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-cloud-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-fish-completion-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-master-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-minion-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-proxy-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-ssh-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-standalone-formulas-configuration-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-syndic-2019.2.0-lp151.5.15.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"salt-zsh-completion-2019.2.0-lp151.5.15.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python2-salt / python3-salt / salt / salt-api / etc");
}

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(136402);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");

  script_cve_id("CVE-2020-11651", "CVE-2020-11652");
  script_xref(name:"EDB-ID", value:"48421");
  script_xref(name:"IAVA", value:"2020-A-0195");

  script_name(english:"SaltStack < 2019.2.4 / 3000.x < 3000.2 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The version of SaltStack running on the remote server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the instance of SaltStack hosted on the remote server is prior to
2019.2.4, 3000.x prior to 3000.2. It is, therefore, affected by multiple vulnerabilities:

  - An authentication bypass vulnerabilities exists in the ClearFuncs class due to improper validation of
    method calls. An unauthenticated, remote attacker can exploit this by accessing exposed methods to trigger
    minions to run arbitrary commands as root, or to retrieve the root key to authenticate commands from the
    local root user on the master server. (CVE-2020-11651)

  - A directory traversal vulnerabilities exists in the ClearFuncs class due to improper path sanitization. An
    authenticated, remote attacker can exploit this by accessing the exposed get_token() method which allows
    the insertion of double periods in the filename parameter to read files outside of the intended directory.
    The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().
    (CVE-2020-11652)");
  # https://labs.f-secure.com/advisories/saltstack-authorization-bypass
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4df67f57");
  script_set_attribute(attribute:"solution", value:
"Upgrade to SaltStack version 2019.2.4, 3000.2 or later.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:saltstack:salt");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("saltstack_salt_linux_installed.nbin");
  script_require_keys("installed_sw/SaltStack Salt Master");

  exit(0);
}

include('vcf.inc');

app_info = vcf::get_app_info(app:'SaltStack Salt Master');

constraints = [
  { 'fixed_version' : '2019.2.0', 'fixed_display' : '2019.2.4, 3000.2 or later.' },
  { 'min_version' : '2019.2.0', 'fixed_version' : '2019.2.4' },
  { 'min_version' : '3000.0', 'fixed_version' : '3000.2' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);