Critical Saltstack CVEs Allow For Infrastructure Takeover
This week Saltstack announced two critical vulnerabilities, CVE-2020-11651 and CVE-2020-11652. The first is an authentication bypass: the master's request server exposes methods that an unauthenticated client can call to retrieve the master's root key, and with that key run arbitrary commands as root on the master and on every minion it manages. The second is a directory traversal in the master that lets a client read and write files outside the intended directories, and the first bug supplies the credentials it needs. Together they let an attacker effectively take over anything Salt is managing: cloud infrastructure, servers, databases, and in some cases even user endpoints like laptops. The fixed releases are 2019.2.4 and 3000.2; older release lines are unsupported and should be treated as vulnerable.
While it’s not uncommon for critical vulnerabilities to drop a few times throughout the year, this one is particularly concerning because it’s not just about taking control of one machine. A Salt master is trusted by every minion it manages, so an attacker who owns it could potentially own an organization’s entire infrastructure, and controls like multifactor authentication, strong passwords, TLS, or semi-annual vulnerability scans do nothing to stop that.
Earlier this week the Censys team started scanning the Internet for Salt servers and discovered 5,122 exposed and likely vulnerable Salt masters connected to the Internet. This is notable because a Salt master should never be directly reachable from the Internet: the master listens on TCP 4505 (publisher) and 4506 (request server), and both should be restricted to the minions that need them, which is also the vendor’s own recommended practice. So it’s probably worth double-checking your firewall rules for all Internet-exposed services, even if it is “Read-Only Friday”. Olle Segerdahl, the F-Secure engineer credited with finding and disclosing this vulnerability, is quoted as saying, “Patch by Friday or compromised by Monday”. If you’d like access to our data for research purposes, reach out here with a short description of your project.
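To turn the two checks above into something you can run, here is an added example (not Censys code, and not part of the SaltStack advisory) that decides whether a `salt --version` string carries the fix, using the fixed releases named in the advisory (2019.2.4 and 3000.2), and that probes a host for the master’s two ports from the outside. The port numbers are the standard master defaults; the version strings in the comments are constructed samples of `salt --version` output.

```python
import re
import socket

# Releases that carry the fix for CVE-2020-11651 / CVE-2020-11652 per the
# SaltStack advisory: 2019.2.4 on the 2019.2 line and 3000.2 on the 3000 line.
# Older lines (2018.3, 2017.7, ...) received no official fix.
FIXED_2019_2 = (2019, 2, 4)
FIXED_3000 = (3000, 2)

# Default TCP ports a Salt master listens on: 4505 (publisher), 4506 (request
# server). Neither should be reachable from the Internet.
MASTER_PORTS = (4505, 4506)


def parse_salt_version(text):
    """Extract the numeric version from `salt --version` output.

    Accepts constructed samples such as 'salt 3000.2',
    'salt 2019.2.3 (Fluorine)' or 'salt 3001'. Returns a tuple of ints,
    or None when no version is present.
    """
    m = re.search(r"\b(\d{4}(?:\.\d+)*)\b", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version_text):
    """True only when the version is at or past a release that contains the fix."""
    v = parse_salt_version(version_text)
    if v is None:
        return False  # unparseable: do not assume safety
    major = v[0]
    if major >= 3001:
        return True  # every release line after 3000 was cut with the fix
    if major == 3000:
        # A bare '3000' parses as (3000,), which sorts below (3000, 2).
        return v >= FIXED_3000
    if v[:2] == (2019, 2):
        return v >= FIXED_2019_2
    return False  # 2018.3 and earlier: unsupported, treat as vulnerable


def reachable_master_ports(host, timeout=3.0):
    """Return the subset of MASTER_PORTS that accept a TCP connection on host.

    Run this from outside your network; any port it returns is exposed.
    """
    open_ports = []
    for port in MASTER_PORTS:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass  # refused, filtered or timed out: not reachable from here
    return open_ports


if __name__ == "__main__":
    import subprocess
    import sys

    # Local patch state of this host's salt install, if any.
    try:
        out = subprocess.run(["salt", "--version"], capture_output=True,
                             text=True).stdout
        verdict = "patched" if is_patched(out) else "VULNERABLE, patch now"
        print(out.strip(), "->", verdict)
    except FileNotFoundError:
        print("salt is not installed on this host")

    # Optional: external exposure check of a master given on the command line.
    if len(sys.argv) > 1:
        host = sys.argv[1]
        print(f"{host}: reachable master ports {reachable_master_ports(host)}")
```

Run the script on the master itself for the version verdict, and from a host outside your perimeter with the master’s public address as the argument for the exposure check; an empty list is the only acceptable answer for the second.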
While you’re here and about to break your “Read-Only Friday” rules anyway, this is a good time to address some other software that probably needs updating. Below is a shortlist of common server software versions that we frequently see in the wild and that will cause you a bad time if left unpatched.
- Apache (Current Version: 2.4.43)
- Apache 2.2 servers (end of life since 2015) – just swap your own IP address or CIDR into the search
- Critical Vulnerability in older Apache 2.4 versions
- PHP (Current Version: 8.0)
- Any version below 7.2 is out of support and should be updated.
- Currently, we see approximately 1,153,000 instances of out-of-date PHP
- Nginx (Current Version: 1.17.0)
- Only two branches receive updates, the stable and mainline releases. So, unless you’re running 1.16 or 1.17, you’ve got a little work to do.
- See all 10.8 Million servers that need patching! Are you one of them?
- The Operating System (with a restart)
- It’s worth checking that your operating systems, on servers and endpoints alike, are up to date.
- If security patches aren’t already applied automatically, now is a good time to set that up. If it makes you feel better, have it kick off during the week, so you don’t break “Read-Only Friday” every week.
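The list above is easy to apply to your own hosts by reading the `Server` and `X-Powered-By` headers they send. The following is an added example, not Censys code or a Censys query, that flags the conditions the list names: Apache 2.2 (end of life), Apache 2.4 older than the 2.4.43 current release given above, PHP below 7.2, and nginx outside the 1.16/1.17 maintained branches. The thresholds are the post’s numbers as of writing and are kept in one place so they can be moved; the header block it parses is a constructed sample, not a real scan result.

```python
import re

# Thresholds as stated in this post (spring 2020). Update as releases move.
APACHE_CURRENT = (2, 4, 43)
PHP_MINIMUM = (7, 2)
NGINX_MAINTAINED = {(1, 16), (1, 17)}

# One header per line, as in a raw HTTP response; we only care about two names.
HEADER_RE = re.compile(r"^(Server|X-Powered-By):\s*(.+)$", re.I | re.M)
# Product tokens of the form Apache/2.4.29, nginx/1.14.2, PHP/7.1.33.
PRODUCT_RE = re.compile(r"\b(Apache|nginx|PHP)/(\d+(?:\.\d+)*)", re.I)


def _ver(s):
    """'2.4.29' -> (2, 4, 29), so tuples compare numerically, not lexically."""
    return tuple(int(p) for p in s.split("."))


def check_headers(raw_headers):
    """Return (product, version, reason) findings for a block of response headers.

    Caveat: distributions backport security fixes without bumping the
    advertised version (Ubuntu's Apache 2.4.29 is one well-known case), and
    the header can be rewritten or removed. Treat a finding as a triage
    signal to confirm on the host, not as proof of a vulnerability.
    """
    findings = []
    for _name, value in HEADER_RE.findall(raw_headers):
        for product, ver in PRODUCT_RE.findall(value):
            product = product.lower()
            v = _ver(ver)
            if product == "apache":
                if v[:2] == (2, 2):
                    findings.append((product, ver,
                                     "2.2 is end of life (2015); migrate to 2.4"))
                elif v[:2] == (2, 4) and v < APACHE_CURRENT:
                    findings.append((product, ver,
                                     "behind current 2.4.x; review known CVEs"))
            elif product == "php":
                if v[:2] < PHP_MINIMUM:
                    findings.append((product, ver,
                                     "below 7.2; no longer receives security fixes"))
            elif product == "nginx":
                if v[:2] not in NGINX_MAINTAINED:
                    findings.append((product, ver,
                                     "not a maintained branch; move to 1.16/1.17"))
    return findings


# Constructed sample of a response header block, not a captured one.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.6.40
Content-Type: text/html
"""

if __name__ == "__main__":
    for product, ver, reason in check_headers(SAMPLE_HEADERS):
        print(f"{product} {ver}: {reason}")
```

Feed it the header block from `curl -sI https://host` (or from your scanner’s stored responses) and act on the findings after confirming the installed package version on the host, since the advertised version alone cannot tell a backported fix from a missing one.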
Server maintenance is never fun, and unfortunately even the tools that are supposed to make our job easier need maintenance from time to time. If you are running a Saltstack master, update it as soon as possible and restrict its exposure to the Internet. While you’re at it, do some spring cleaning and make sure the controls you think you have in place are actually effective and working correctly.
We plan to publish follow-ups to track whether the total number of exposed Salt masters goes down, to understand whether security events like this lead to an improvement in overall security hygiene.