Vulnerabilities > CVE-2020-11652 - Path Traversal vulnerability in multiple products

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
low complexity
saltstack
opensuse
debian
canonical
blackberry
vmware
CWE-22
nessus
exploit available
metasploit

Summary

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

Vulnerable Configurations

Part Description Count
Application
Saltstack
176
Application
Blackberry
12
Application
Vmware
2
OS
Opensuse
1
OS
Debian
3
OS
Canonical
2

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and 'dir', or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Exploit-Db

idEDB-ID:48421
last seen2020-05-05
modified2020-05-05
published2020-05-05
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/48421
titleSaltstack 3000.1 - Remote Code Execution

Metasploit

Nessus

  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-3_0-0091_SALT3.NASL
    descriptionAn update of the salt3 package has been released.
    last seen2020-05-21
    modified2020-05-18
    plugin id136699
    published2020-05-18
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136699
    titlePhoton OS 3.0: Salt3 PHSA-2020-3.0-0091
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2020-3.0-0091. The text
    # itself is copyright (C) VMware, Inc.
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(136699);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18");
    
      script_cve_id("CVE-2020-11651", "CVE-2020-11652");
      script_xref(name:"IAVA", value:"2020-A-0195");
    
      script_name(english:"Photon OS 3.0: Salt3 PHSA-2020-3.0-0091");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the salt3 package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-3.0-91.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:salt3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:3.0");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 3\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 3.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-2019.2.4-1.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-api-2019.2.4-1.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-cloud-2019.2.4-1.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-master-2019.2.4-1.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-minion-2019.2.4-1.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-proxy-2019.2.4-1.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-spm-2019.2.4-1.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-ssh-2019.2.4-1.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", reference:"salt3-syndic-2019.2.4-1.ph3")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "salt3");
    }
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-1_0-0294_SALT.NASL
    descriptionAn update of the salt package has been released.
    last seen2020-05-21
    modified2020-05-18
    plugin id136694
    published2020-05-18
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136694
    titlePhoton OS 1.0: Salt PHSA-2020-1.0-0294
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2020-1.0-0294. The text
    # itself is copyright (C) VMware, Inc.
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(136694);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18");
    
      script_cve_id("CVE-2020-11651", "CVE-2020-11652");
      script_xref(name:"IAVA", value:"2020-A-0195");
    
      script_name(english:"Photon OS 1.0: Salt PHSA-2020-1.0-0294");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the salt package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-1.0-294.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:salt");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-1.0", reference:"salt-2019.2.4-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"salt-api-2019.2.4-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"salt-cloud-2019.2.4-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"salt-master-2019.2.4-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"salt-minion-2019.2.4-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"salt-proxy-2019.2.4-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"salt-spm-2019.2.4-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"salt-ssh-2019.2.4-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"salt-syndic-2019.2.4-1.ph1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "salt");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4676.NASL
    descriptionSeveral vulnerabilities were discovered in salt, a powerful remote execution manager, which could result in retrieve of user tokens from the salt master, execution of arbitrary commands on salt minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-api hosts.
    last seen2020-06-02
    modified2020-05-07
    plugin id136372
    published2020-05-07
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136372
    titleDebian DSA-4676-1 : salt - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4676. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136372);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");
    
      script_cve_id("CVE-2019-17361", "CVE-2020-11651", "CVE-2020-11652");
      script_xref(name:"DSA", value:"4676");
      script_xref(name:"IAVA", value:"2020-A-0195");
    
      script_name(english:"Debian DSA-4676-1 : salt - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Several vulnerabilities were discovered in salt, a powerful remote
    execution manager, which could result in retrieve of user tokens from
    the salt master, execution of arbitrary commands on salt minions,
    arbitrary directory access to authenticated users or arbitrary code
    execution on salt-api hosts."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949222"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959684"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/salt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/salt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/buster/salt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2020/dsa-4676"
      );
      script_set_attribute(
        attribute:"solution",
        value:
    "Upgrade the salt packages.
    
    For the oldstable distribution (stretch), these problems have been
    fixed in version 2016.11.2+ds-1+deb9u3.
    
    For the stable distribution (buster), these problems have been fixed
    in version 2018.3.4+dfsg1-6+deb10u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:salt");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"10.0", prefix:"salt-api", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"salt-cloud", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"salt-common", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"salt-doc", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"salt-master", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"salt-minion", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"salt-proxy", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"salt-ssh", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"salt-syndic", reference:"2018.3.4+dfsg1-6+deb10u1")) flag++;
    if (deb_check(release:"9.0", prefix:"salt-api", reference:"2016.11.2+ds-1+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"salt-cloud", reference:"2016.11.2+ds-1+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"salt-common", reference:"2016.11.2+ds-1+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"salt-doc", reference:"2016.11.2+ds-1+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"salt-master", reference:"2016.11.2+ds-1+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"salt-minion", reference:"2016.11.2+ds-1+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"salt-proxy", reference:"2016.11.2+ds-1+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"salt-ssh", reference:"2016.11.2+ds-1+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"salt-syndic", reference:"2016.11.2+ds-1+deb9u3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-1151-1.NASL
    descriptionThis update for salt fixes the following issues : Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-15
    modified2020-04-30
    plugin id136170
    published2020-04-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136170
    titleSUSE SLES15 Security Update : salt (SUSE-SU-2020:1151-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2020:1151-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136170);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");
    
      script_cve_id("CVE-2020-11651", "CVE-2020-11652");
      script_xref(name:"IAVA", value:"2020-A-0195");
    
      script_name(english:"SUSE SLES15 Security Update : salt (SUSE-SU-2020:1151-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for salt fixes the following issues :
    
    Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1170595"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2020-11651/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2020-11652/"
      );
      # https://www.suse.com/support/update/announcement/2020/suse-su-20201151-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6df3c979"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server for SAP 15 :
    
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1151=1
    
    SUSE Linux Enterprise Server 15-LTSS :
    
    zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1151=1
    
    SUSE Linux Enterprise High Performance Computing 15-LTSS :
    
    zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1
    
    SUSE Linux Enterprise High Performance Computing 15-ESPOS :
    
    zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python2-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python3-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-cloud");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-master");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-minion");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-proxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-ssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-syndic");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES15", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "s390x") audit(AUDIT_ARCH_NOT, "s390x", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP0", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"python2-salt-2019.2.0-5.67.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"python3-salt-2019.2.0-5.67.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-2019.2.0-5.67.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-api-2019.2.0-5.67.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-cloud-2019.2.0-5.67.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-doc-2019.2.0-5.67.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-master-2019.2.0-5.67.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-minion-2019.2.0-5.67.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-proxy-2019.2.0-5.67.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-ssh-2019.2.0-5.67.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-standalone-formulas-configuration-2019.2.0-5.67.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"salt-syndic-2019.2.0-5.67.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "salt");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-1150-1.NASL
    descriptionThis update for salt fixes the following issues : Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-15
    modified2020-04-30
    plugin id136169
    published2020-04-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136169
    titleSUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1150-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2020:1150-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136169);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");
    
      script_cve_id("CVE-2020-11651", "CVE-2020-11652");
      script_xref(name:"IAVA", value:"2020-A-0195");
    
      script_name(english:"SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1150-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for salt fixes the following issues :
    
    Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1170595"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2020-11651/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2020-11652/"
      );
      # https://www.suse.com/support/update/announcement/2020/suse-su-20201150-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?85e05fec"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Module for Server Applications 15-SP1:zypper in
    -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1150=1
    
    SUSE Linux Enterprise Module for Python2 15-SP1:zypper in -t patch
    SUSE-SLE-Module-Python2-15-SP1-2020-1150=1
    
    SUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch
    SUSE-SLE-Module-Basesystem-15-SP1-2020-1150=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python2-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python3-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-cloud");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-master");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-minion");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-proxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-ssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:salt-syndic");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP1", os_ver + " SP" + sp);
    if (os_ver == "SLED15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP1", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES15", sp:"1", reference:"salt-api-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"salt-cloud-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"salt-master-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"salt-proxy-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"salt-ssh-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"salt-standalone-formulas-configuration-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"salt-syndic-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"python2-salt-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"python3-salt-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"salt-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"salt-doc-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"salt-minion-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"python2-salt-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"python3-salt-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"salt-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"salt-doc-2019.2.0-6.27.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"salt-minion-2019.2.0-6.27.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "salt");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_6BF55AF9973B11EA9F2C38D547003487.NASL
    descriptionF-Secure reports : CVE-2020-11651 - Authentication bypass vulnerabilities The ClearFuncs class processes unauthenticated requests and unintentionally exposes the _send_pub() method, which can be used to queue messages directly on the master publish server. Such messages can be used to trigger minions to run arbitrary commands as root. The ClearFuncs class also exposes the method _prep_auth_info(), which returns the
    last seen2020-05-22
    modified2020-05-18
    plugin id136687
    published2020-05-18
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136687
    titleFreeBSD : salt -- multiple vulnerabilities in salt-master process (6bf55af9-973b-11ea-9f2c-38d547003487)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2020 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136687);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18");
    
      script_cve_id("CVE-2020-11651", "CVE-2020-11652");
      script_xref(name:"IAVA", value:"2020-A-0195");
    
      script_name(english:"FreeBSD : salt -- multiple vulnerabilities in salt-master process (6bf55af9-973b-11ea-9f2c-38d547003487)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "F-Secure reports : CVE-2020-11651 - Authentication bypass
    vulnerabilities The ClearFuncs class processes unauthenticated
    requests and unintentionally exposes the _send_pub() method, which can
    be used to queue messages directly on the master publish server. Such
    messages can be used to trigger minions to run arbitrary commands as
    root.
    
    The ClearFuncs class also exposes the method _prep_auth_info(), which
    returns the 'root key' used to authenticate commands from the local
    root user on the master server. This 'root key' can then be used to
    remotely call administrative commands on the master server. This
    unintentional exposure provides a remote un-authenticated attacker
    with root-equivalent access to the salt master.
    
    CVE-2020-11652 - Directory traversal vulnerabilities The wheel module
    contains commands used to read and write files under specific
    directory paths. The inputs to these functions are concatenated with
    the target directory and the resulting path is not canonicalized,
    leading to an escape of the intended path restriction.
    
    The get_token() method of the salt.tokens.localfs class (which is
    exposed to unauthenticated requests by the ClearFuncs class) fails to
    sanitize the token input parameter which is then used as a filename,
    allowing insertion of '..' path elements and thus reading of files
    outside of the intended directory. The only restriction is that the
    file has to be deserializable by salt.payload.Serial.loads()."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://labs.f-secure.com/advisories/saltstack-authorization-bypass"
      );
      # https://blog.f-secure.com/new-vulnerabilities-make-exposed-salt-hosts-easy-targets/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f051ee1b"
      );
      # https://www.tenable.com/blog/cve-2020-11651-cve-2020-11652-critical-salt-framework-vulnerabilities-exploited-in-the-wild
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4975c617"
      );
      # https://vuxml.freebsd.org/freebsd/6bf55af9-973b-11ea-9f2c-38d547003487.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d05a29b3"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py27-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py32-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py33-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py34-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py35-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py36-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py37-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py38-salt");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/18");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"py27-salt<2019.2.4")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py27-salt>=3000<3000.2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py32-salt<2019.2.4")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py32-salt>=3000<3000.2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py33-salt<2019.2.4")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py33-salt>=3000<3000.2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py34-salt<2019.2.4")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py34-salt>=3000<3000.2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py35-salt<2019.2.4")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py35-salt>=3000<3000.2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py36-salt<2019.2.4")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py36-salt>=3000<3000.2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py37-salt<2019.2.4")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py37-salt>=3000<3000.2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py38-salt<2019.2.4")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"py38-salt>=3000<3000.2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-564.NASL
    descriptionThis update for salt fixes the following issues : - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595) This update was imported from the SUSE:SLE-15-SP1:Update update project.
    last seen2020-05-15
    modified2020-05-04
    plugin id136306
    published2020-05-04
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136306
    titleopenSUSE Security Update : salt (openSUSE-2020-564)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2020-564.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136306);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");
    
      script_cve_id("CVE-2020-11651", "CVE-2020-11652");
      script_xref(name:"IAVA", value:"2020-A-0195");
    
      script_name(english:"openSUSE Security Update : salt (openSUSE-2020-564)");
      script_summary(english:"Check for the openSUSE-2020-564 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for salt fixes the following issues :
    
      - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)
    
    This update was imported from the SUSE:SLE-15-SP1:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1170595"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected salt packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python2-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-bash-completion");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-cloud");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-fish-completion");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-master");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-minion");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-proxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-ssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-syndic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:salt-zsh-completion");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.1", reference:"python2-salt-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"python3-salt-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"salt-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"salt-api-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"salt-bash-completion-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"salt-cloud-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"salt-fish-completion-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"salt-master-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"salt-minion-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"salt-proxy-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"salt-ssh-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"salt-standalone-formulas-configuration-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"salt-syndic-2019.2.0-lp151.5.15.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"salt-zsh-completion-2019.2.0-lp151.5.15.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python2-salt / python3-salt / salt / salt-api / etc");
    }
    
  • NASL familyMisc.
    NASL idSALTSTACK_3000_2_MULTIPLE_VULNERABILITIES.NASL
    descriptionAccording to its self-reported version number, the instance of SaltStack hosted on the remote server is prior to 2019.2.4, 3000.x prior to 3000.2. It is, therefore, affected by multiple vulnerabilities: - An authentication bypass vulnerabilities exists in the ClearFuncs class due to improper validation of method calls. An unauthenticated, remote attacker can exploit this by accessing exposed methods to trigger minions to run arbitrary commands as root, or to retrieve the root key to authenticate commands from the local root user on the master server. (CVE-2020-11651) - A directory traversal vulnerabilities exists in the ClearFuncs class due to improper path sanitization. An authenticated, remote attacker can exploit this by accessing the exposed get_token() method which allows the insertion of double periods in the filename parameter to read files outside of the intended directory. The only restriction is that the file has to be deserializable by salt.payload.Serial.loads(). (CVE-2020-11652)
    last seen2020-05-15
    modified2020-05-07
    plugin id136402
    published2020-05-07
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136402
    titleSaltStack < 2019.2.4 / 3000.x < 3000.2 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(136402);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13");
    
      script_cve_id("CVE-2020-11651", "CVE-2020-11652");
      script_xref(name:"EDB-ID", value:"48421");
      script_xref(name:"IAVA", value:"2020-A-0195");
    
      script_name(english:"SaltStack < 2019.2.4 / 3000.x < 3000.2 Multiple Vulnerabilities");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of SaltStack running on the remote server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the instance of SaltStack hosted on the remote server is prior to
    2019.2.4, 3000.x prior to 3000.2. It is, therefore, affected by multiple vulnerabilities:
    
      - An authentication bypass vulnerabilities exists in the ClearFuncs class due to improper validation of
        method calls. An unauthenticated, remote attacker can exploit this by accessing exposed methods to trigger
        minions to run arbitrary commands as root, or to retrieve the root key to authenticate commands from the
        local root user on the master server. (CVE-2020-11651)
    
      - A directory traversal vulnerabilities exists in the ClearFuncs class due to improper path sanitization. An
        authenticated, remote attacker can exploit this by accessing the exposed get_token() method which allows
        the insertion of double periods in the filename parameter to read files outside of the intended directory.
        The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().
        (CVE-2020-11652)");
      # https://labs.f-secure.com/advisories/saltstack-authorization-bypass
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4df67f57");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to SaltStack version 2019.2.4, 3000.2 or later.");
      script_set_attribute(attribute:"agent", value:"unix");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11651");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SaltStack Salt Master/Minion Unauthenticated RCE');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/07");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:saltstack:salt");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("saltstack_salt_linux_installed.nbin");
      script_require_keys("installed_sw/SaltStack Salt Master");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    app_info = vcf::get_app_info(app:'SaltStack Salt Master');
    
    constraints = [
      { 'fixed_version' : '2019.2.0', 'fixed_display' : '2019.2.4, 3000.2 or later.' },
      { 'min_version' : '2019.2.0', 'fixed_version' : '2019.2.4' },
      { 'min_version' : '3000.0', 'fixed_version' : '3000.2' }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-2223.NASL
    descriptionSeveral vulnerabilities were discovered in package salt, a configuration management and infrastructure automation software. CVE-2020-11651 The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. CVE-2020-11652 The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. For Debian 8
    last seen2020-06-06
    modified2020-06-01
    plugin id136979
    published2020-06-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136979
    titleDebian DLA-2223-1 : salt security update
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-1_0-0294_SALT3.NASL
    descriptionAn update of the salt3 package has been released.
    last seen2020-05-21
    modified2020-05-18
    plugin id136695
    published2020-05-18
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136695
    titlePhoton OS 1.0: Salt3 PHSA-2020-1.0-0294

Packetstorm

The Hacker News

References