Last week the official SaltStack community website published an advisory about vulnerabilities affecting Salt Master versions 2019.2.3 and 3000.1 and earlier.
For more information, refer to: https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/
As listed in the Common Vulnerabilities and Exposures (CVE) database, two CVEs have been released:
CVE-2020-11651:
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
For more information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651
CVE-2020-11652:
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.
For more information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11652
Affected products and their advisories:
VMware vRealize Operations Manager (vROps)
The Application Remote Collector (ARC) introduced with vRealize Operations Manager 7.5 uses Salt, which is affected by CVE-2020-11651 and CVE-2020-11652. VMware has evaluated CVE-2020-11651 (Authentication Bypass) to be in the Critical severity range with a maximum CVSSv3 base score of 10.0 and CVE-2020-11652 (Directory Traversal) to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
As per the article https://kb.vmware.com/s/article/79031, there is no fix yet, but VMware has shared a workaround as a temporary fix:
To implement the workaround for CVE-2020-11651 and CVE-2020-11652 on Application Remote Collector – 7.5, 8.0, 8.0.1, or 8.1, perform the following steps.
1. Log into the Application Remote Collector as root via SSH, or via the console by pressing ALT+F1 to log in.
2. Run the following command to back up the current iptables rules:
   iptables-save > /ucp/iptables.out
3. Run the following commands to add iptables rules that block the Salt Docker ports:
   iptables -I DOCKER 1 -p tcp --dport 4505 -j DROP
   iptables -I DOCKER 1 -p tcp --dport 4506 -j DROP
4. Repeat steps 1-3 on all Application Remote Collectors.
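As an added example (not code from SaltStack, VMware or the advisories above), the following Python helpers turn the two checks a defender needs into code: whether a Salt version string falls inside the affected ranges quoted in the CVE entries, and whether an `iptables-save` dump from an Application Remote Collector already contains the DOCKER-chain DROP rules for ports 4505 and 4506 from the workaround. The sample dump is constructed.

```python
"""Defender-side checks for CVE-2020-11651 / CVE-2020-11652 (added example, not
code from SaltStack or VMware): does a Salt version fall in the affected range,
and does an iptables-save dump contain the ARC workaround's DOCKER DROP rules?"""
import re

FIXED_2019 = (2019, 2, 4)   # CVE text: "before 2019.2.4" is affected
FIXED_3000 = (3000, 2)      # CVE text: "3000 before 3000.2" is affected
SALT_PORTS = (4505, 4506)   # ZeroMQ publish / request ports closed by the workaround


def parse_salt_version(text):
    """Turn '3000.1' or a 'salt 2019.2.3' version line into a tuple of ints."""
    token = text.strip().split()[-1]          # tolerate 'salt 3000.1' style output
    if not re.fullmatch(r"\d+(?:\.\d+)*", token):
        raise ValueError("unrecognised Salt version: %r" % text)
    return tuple(int(part) for part in token.split("."))


def salt_version_is_vulnerable(text):
    """True if the version is inside the ranges given in the CVE entries."""
    version = parse_salt_version(text)
    if version[0] >= 3000:                    # 3000.x and later use the new scheme
        return version < FIXED_3000
    return version < FIXED_2019               # 2019.2.x and older date-based releases

# iptables-save writes '-p tcp --dport N' back out as '-p tcp -m tcp --dport N'
DOCKER_DROP = re.compile(r"^-A DOCKER\b.*-p tcp\b.*--dport (\d+)\b.*-j DROP\s*$")


def missing_workaround_ports(iptables_save_output):
    """Return the Salt ports that still lack a DROP rule in the filter DOCKER chain."""
    blocked, in_filter = set(), False
    for line in iptables_save_output.splitlines():
        if line.startswith("*"):              # table header such as '*filter'
            in_filter = line.strip() == "*filter"
            continue
        hit = DOCKER_DROP.match(line) if in_filter else None
        if hit:
            blocked.add(int(hit.group(1)))
    return [port for port in SALT_PORTS if port not in blocked]

# Constructed sample dump: only port 4505 has been blocked so far.
SAMPLE_DUMP = """*filter
:INPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A DOCKER -p tcp -m tcp --dport 4505 -j DROP
-A DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 4506 -j ACCEPT
COMMIT
"""
```

Feed `missing_workaround_ports()` the real output of `iptables-save` from each collector after step 3; an empty list means both rules are in place.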
For more information and updates on a permanent fix, refer to VMSA-2020-0009: https://www.vmware.com/security/advisories/VMSA-2020-0009.html
Debian
Debian is tracking this bug with the links below:
Bug 949222: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949222
Bug 959684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959684
openSUSE Security Announcement:
An update that fixes two vulnerabilities is now available.
This update for salt fixes the following issues:
- Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
For more information, please refer to: https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html