Cloud servers hacked via critical SaltStack vulnerabilities

by ethhack

Attackers are exploiting two critical vulnerabilities disclosed late last week in the popular SaltStack infrastructure automation software to take control of servers. Several organizations and open-source projects already had their servers hacked and had to shut down services over the weekend.

The attacks began a couple of days after the vulnerabilities were publicly disclosed, even though no proof-of-concept exploit was available. This highlights that IT operations teams have very little time to react when flaws become known and should increasingly rely on automated patching.

The Salt vulnerabilities

On April 30, researchers from security firm F-Secure published an advisory about two vulnerabilities — CVE-2020-11651 and CVE-2020-11652 — found in Salt, a popular open-source Python-based framework that’s used to automate tasks, data collection, configuration and updates for servers in private data centers or in the cloud. The Salt architecture involves the use of a master server where administrators can define tasks and clients called “minions” that execute them.

“The vulnerabilities described in this advisory allow an attacker who can connect to the ‘request server’ port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root,” the F-Secure researchers said. “The impact is full remote command execution as root on both the master and all minions that connect to it.”

F-Secure published its advisory one day after SaltStack, the company that maintains Salt, released versions 3000.2 and 2019.2.4 of the framework to address the issues. Even though they decided to withhold the proof-of-concept exploit code to buy users more time, the F-Secure researchers warned at the time that “any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours.” The company also warned that, based on internet scans, over 6,000 Salt master servers were exposed directly to the internet and could be targeted.
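For teams triaging their own fleet against the fixed releases named above, the following added example (not code from SaltStack or F-Secure) flags Salt masters that report a version older than 2019.2.4 or 3000.2. The host names and inventory are constructed, and it assumes that anything older than those two releases is unpatched, which ignores fixes back-ported by a distribution.

```python
import re

# Fixed releases named in the article. Assumption: every older version is
# unpatched (distribution back-ports are not recognised by this check).
FIXED_LEGACY = (2019, 2, 4)  # date-based branch, e.g. 2019.2.x
FIXED_3000 = (3000, 2)       # 3000.x branch


def parse_version(text):
    """Return the leading dotted-numeric part of a version as a tuple of ints.

    Suffixes such as "-1" or "+ds-1" (package revisions) are ignored.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised Salt version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(text):
    """True if the version is at or above the fixed release of its branch."""
    version = parse_version(text)
    fixed = FIXED_3000 if version[0] >= 3000 else FIXED_LEGACY
    # Tuple comparison treats "3000" as (3000,), which sorts below (3000, 2).
    return version >= fixed


def triage(inventory):
    """Return sorted host names to upgrade; unparseable versions fail closed."""
    flagged = []
    for host, version in inventory.items():
        try:
            if not is_patched(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return sorted(flagged)


# Constructed inventory: hypothetical host names mapped to reported versions.
SAMPLE_INVENTORY = {
    "salt-master-a": "3000.1",
    "salt-master-b": "3000.2",
    "salt-master-c": "2019.2.3",
    "salt-master-d": "2019.2.4-1",
    "salt-master-e": "2018.3.5",
    "salt-master-f": "unknown",
}

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: upgrade required ({SAMPLE_INVENTORY[name]})")
```
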

Salt exploit reports start coming in

Over the weekend, security experts reported on Twitter that they were seeing exploitation attempts for the Salt vulnerabilities. Confirmation of successful compromises then started coming in from different organizations.

Copyright © 2020 IDG Communications, Inc.
