On April 30th, F-Secure researchers released an advisory on two vulnerabilities (CVE-2020-11651 and CVE-2020-11652), which allowed attackers to gain full remote command execution as root on all SaltStack endpoints. SaltStack is a popular open-source Python based framework that allows for easy task automation, data collection, configuration, and updates through the use of a master server which can create tasks and minion servers that execute the tasks. The vulnerabilities described allow attackers who connect to the port that the minion servers use to request data, and then bypass all authentication and authorization controls, essentially giving them full control over the “master” server.
Shortly after the vulnerabilities were announced, reports began arriving of high-profile companies receiving attacks leveraging this vulnerability. Companies reporting attacks included the blogging platform Ghost, and LineageOS Project, which maintains a popular community of Android firmware. Both Ghost and LineageOS reportedly had to take down servers because cryptomining malware installed by attackers used all available CPU resources. Additionally, DigiCert reported that a certificate transparency log server (used by certificate authorities to publicly announce the certificates they issue) was affected, giving actors access to the keys used to sign Signed Certificate Timestamps (SCTs). With this power, the attackers deployed cryptomining malware to DigiCert’s servers and didn’t use the keys for much else.
Analyst Notes
The vulnerability advisory was released one day after SaltStack released version 3000.2 and 2019.2.4 for their framework, which patches the vulnerabilities found by F-Secure. Binary Defense recommends patching SaltStack frameworks immediately as this bug is critical. Even though F-Secure did not release a proof of concept of the code, exploits were occurring mere days later. SaltStack should not be accessible via the Internet, but a scan by F-Secure revealed that over 6,000 Salt Master servers were exposed and vulnerable. Servers should be continuously monitored to detect any unusual behavior that may indicate an attacker has gained control of the server. Endpoint Detection and Response (EDR) tools give security analysts early warning of attacks and the ability to quickly respond to threats.
https://www.csoonline.com/article/3541721/cloud-servers-hacked-via-critical-saltstack-vulnerabilities.html
