Skip to content

Instantly share code, notes, and snippets.

@SwitHak
Last active February 4, 2021 10:57
Show Gist options
  • Save SwitHak/8e7fa45b5656c691ddf13c8c47e8fda6 to your computer and use it in GitHub Desktop.
Save SwitHak/8e7fa45b5656c691ddf13c8c47e8fda6 to your computer and use it in GitHub Desktop.
BlueTeam CheatSheet * CVE-2020-11651 * SaltStack | Last updated: 2020-06-03 0938 UTC

CVE-2020-11651 AKA SaltStack RCE

  • Currently no cool name, what are you doing @GossiTheDog ? ;)

General

  • A critical vulnerability have been discovered by FSECURE Labs team in the SaltStack product.
  • The vulnerability is a Remote Code Execution with the higher CVSS number possible 10/10 and the CVE number is CVE-2020-11651.
  • there's also another vulnerability referenced under the CVE-2020-11652, discovered in the same time also per FSECURE.
  • The vulnerability is actively exploited (Some says since Saturday morning 2020-05-02) and several exploits are in the wild.
  • We currently knows at least 5 victims, even big names are concerned.
  • This is not a drill or something you can patch later, act now.
  • Note: due to a typofail, there's a problem with the new release, we recommend to modifiy the typo fail in the code when updated:
    • Part of the fix for CVE-2020-11651 added better validation of the methods allowed to be called by remote clients.
    • Both AESFuncs and ClearFuncs now have an explicit list of methods that can be called.
    • The name of one of these whitlisted methods on AESFuncs had a typo.
    • The _minion_runner method should be minion_runner (without the underscore prefix).
    • This typo breaks the publish module’s runner method.
    • Calling runners will not work, and you will receive and empty reply from the salt master.
    • This will be addressed in the Sodium release of Salt set for mid-June 2020.

Affected products and versions:

  • SaltStack Salt
    • All before 2019.2.4
    • All before 3000.2

Patches

  • Patches available !
  • Even for the unsupported versions (Nice move SaltStack) Request them here

VMware

VMware vRealize Operations

Exploit status

  • RCE available publicly
  • Actively exploited, several victims
  • Used to mining crypto currencies, implant backdoors and RAT AFAIK

Vulnerability details

Authentication bypass vulnerabilities (CVE-2020-11651)

  • The ClearFuncs class processes unauthenticated requests and unintentionally exposes the _send_pub() method, which can be used to queue messages directly on the master publish server.
  • Such messages can be used to trigger minions to run arbitrary commands as root.
  • The ClearFuncs class also exposes the method _prep_auth_info(), which returns the "root key" used to authenticate commands from the local root user on the master server.
  • This "root key" can then be used to remotely call administrative commands on the master server.
  • This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master.

Directory traversal vulnerabilities (CVE-2020-11652)

  • The wheel module contains commands used to read and write files under specific directory paths.
  • The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction.
  • The get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing insertion of ".." path elements and thus reading of files outside of the intended directory.
  • The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().

More

Detection

FSECURE

  • Exploitation of the authentication vulnerabilities will result in the ASCII strings "_prep_auth_info" or "_send_pub" appearing in data sent to the request server port (default 4506). These strings should not appear in normal, benign, traffic.
  • Published messages to minions are called "jobs" and will be saved on the master (default path /var/cache/salt/master/jobs/).
  • These saved jobs can be audited for malicious content or job ids ("jids") that look out of the ordinary. Lack of suspicious jobs should not be interpreted as absence of exploitation however.

SNORT

  • 2030071 - ET EXPLOIT Possible Saltstack Authentication Bypass CVE-2020-11651 M1 (exploit.rules)
  • 2030072 - ET EXPLOIT Possible SaltStack Authentication Bypass CVE-2020-11651 M2 (exploit.rules)

Script from rossengeorgiev

Mitigation

  • You can add some IPTABLES restrictions, if you know your minions IPs, on the Saltstack server interfaces listening (default ports: 4505 & 4506)

Post-compromise

  • An interesting tool is published by Daniel Wozniak to regenerates your compromised keys
  • BEWARE: Read carefully the code, some minions will be unable to reconnect if they're not connected during the process.

Sources:

FSECURE (Primary Source)

SaltStack

OpenSUSE

OpenBSD

DEBIAN

Huawei Cloud

OpenMediaVault (OMV)

Tencent

Cisco

NVD

Errors, typos, something to say ?

  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment