Original Release Date: 5/8/2020
Two critical vulnerabilities, identified as CVE-2020-11651 and CVE-2020-11652, have been discovered in SaltStack and were quickly exploited, affecting millions of users. SaltStack is widely used by organizations to automate IT tasks – such as vulnerability identification and remediation – and to secure infrastructure from a single command and control layer. The vulnerabilities, first discovered by F-Secure, allow threat actors to bypass authentication and run arbitrary commands as root, resulting in full remote command execution on both the master and its connected minions. F-Secure publicly disclosed the vulnerabilities on April 30, 2020 without providing proof-of-concept code, warning that an exploit could easily be developed within a 24-hour period; exploitation began merely 48 hours after publication. F-Secure identified that “over 6,000 instances of this service are exposed to the public internet.”
The NJCCIC urges SaltStack users who have not configured their servers to receive updates automatically to immediately apply the patches found in the 3000.2 release for versions 3000 to 3000.2, and for previous versions up to and including 2019.2.4. Additionally, we recommend that users ensure proper network security controls are in place and, at a minimum, restrict access to the default Salt master ports (4505 and 4506). Further details can be found in the Hacker News article.
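As an added illustration of the two mitigations above (this is example code, not part of the NJCCIC advisory or the Salt project), the following Python script checks a Salt master's reported version against the fixed releases 2019.2.4 and 3000.2 and flags the default master ports 4505/4506 when they are bound to all interfaces in `ss -ltn` output. The `ss` output below is constructed sample data.

```python
import re
from typing import List, Tuple

# First releases carrying the CVE-2020-11651/CVE-2020-11652 fix in each branch
FIXED_DATE_BRANCH = (2019, 2, 4)   # fix for the date-versioned 2019.2 line
FIXED_3000_BRANCH = (3000, 2)      # fix for the 3000 line

SALT_MASTER_PORTS = {4505, 4506}   # publisher and request-server ports
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}   # "listen on every interface"

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2019.2.3', '3000' or '3000.1' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Salt version: {text!r}")
    return tuple(int(p) for p in parts)

def needs_patch(text: str) -> bool:
    """True when the reported release predates the fix for its branch."""
    v = parse_version(text)
    if v[0] >= 3001:                   # later major releases already include the fix
        return False
    if v[0] == 3000:
        return v < FIXED_3000_BRANCH   # 3000 and 3000.1 are vulnerable
    return v < FIXED_DATE_BRANCH       # 2019.2.3 and older need updating

# Matches the State / Recv-Q / Send-Q / Local Address:Port columns of `ss -ltn`
_LISTEN_RE = re.compile(r"^\s*LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")

def exposed_master_ports(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) pairs where a Salt master port listens on all interfaces."""
    hits = []
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group("addr"), int(m.group("port"))
        if port in SALT_MASTER_PORTS and addr in WILDCARD_ADDRS:
            hits.append((addr, port))
    return hits

# Constructed sample `ss -ltn` output for a master listening on every interface
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       1000    0.0.0.0:4505         0.0.0.0:*
LISTEN  0       1000    0.0.0.0:4506         0.0.0.0:*
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

if __name__ == "__main__":
    for v in ("2019.2.3", "2019.2.4", "3000", "3000.1", "3000.2"):
        print(v, "needs patch" if needs_patch(v) else "patched")
    print("exposed master ports:", exposed_master_ports(SAMPLE_SS_OUTPUT))
```

A port bound to a specific non-loopback address can still be reachable from the internet, so treat this as a first check and confirm with the host and perimeter firewall rules that only minion source addresses may reach 4505 and 4506.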