Critical Vulnerability in Salt Affecting VMware vRealize Operations Manager (VMSA-2020-0009)

Critical Vulnerability in Salt Affecting VMware vRealize Operations Manager: CVE-2020-11651, CVE-2020-11652, VMSA-2020-0009

Last week the official Salt community website announced vulnerabilities affecting Salt Master versions 2019.2.3 and 3000.1 and earlier.

For more information, refer to: https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/

Two CVEs have been published in the Common Vulnerabilities and Exposures (CVE) list:

CVE-2020-11651:

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

For more information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651

CVE-2020-11652:

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

For more information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11652

Affected products and their articles:

VMware vRealize Operations Manager (vROps)

The Application Remote Collector (ARC) introduced with vRealize Operations Manager 7.5 utilizes Salt which is affected by CVE-2020-11651 and CVE-2020-11652. VMware has evaluated CVE-2020-11651 (Authentication Bypass) to be in the Critical severity range with a maximum CVSSv3 base score of 10.0 and CVE-2020-11652 (Directory Traversal) to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

As per the article https://kb.vmware.com/s/article/79031, there is no fix yet, but VMware has shared a workaround as a temporary fix:

To implement the workaround for CVE-2020-11651 and CVE-2020-11652 on Application Remote Collector – 7.5, 8.0, 8.0.1, or 8.1, perform the following steps.

  1. Log in to the Application Remote Collector as root via SSH or the console (press ALT+F1 in the console to log in).
  2. Run the following command to back up the current iptables rules:

     iptables-save > /ucp/iptables.out

  3. Run the following commands to add the iptables rules that block the Salt Docker ports:

     iptables -I DOCKER 1 -p tcp --dport 4505 -j DROP
     iptables -I DOCKER 1 -p tcp --dport 4506 -j DROP

  4. Repeat steps 1-3 on all Application Remote Collectors.
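One way to confirm the workaround took effect on a collector, as an added example that is not part of the VMware KB article or the original post: the function reads `iptables-save` output and passes only if an unqualified DROP for tcp/4505 and tcp/4506 is the first rule for that port in the filter table's DOCKER chain. The function names, the sample rulesets and the 172.17.0.2 container address are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the VMSA-2020-0009 iptables workaround from iptables-save output.
# Exit status 0 only if both Salt ports are dropped before any other rule for them.
salt_ports_blocked() {
    awk '
    /^\*/ { table = substr($0, 2) }          # "*nat", "*filter": track the current table
    table == "filter" && $1 == "-A" && $2 == "DOCKER" {
        port = ""; target = ""; proto = ""; narrowed = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") port = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i ~ /^(-s|-d|-i|-o|!)$/) narrowed = 1   # rule covers only some traffic
        }
        # Only the first rule seen for each port counts: iptables stops at the first match.
        if (proto == "tcp" && (port == "4505" || port == "4506") && !(port in first))
            first[port] = (target == "DROP" && !narrowed) ? "DROP" : "other"
    }
    END {
        n = split("4505 4506", want, " ")
        for (k = 1; k <= n; k++) {
            ok = (first[want[k]] == "DROP")
            printf "tcp/%s %s\n", want[k], ok ? "blocked" : "NOT blocked"
            if (!ok) bad = 1
        }
        exit bad + 0
    }
    '
}

# Constructed iptables-save output; "patched" adds the two rules from step 3.
sample_rules() {
    echo '*nat'
    echo '-A DOCKER ! -i docker0 -p tcp -m tcp --dport 4505 -j DNAT --to-destination 172.17.0.2:4505'
    echo 'COMMIT'
    echo '*filter'
    if [ "$1" = patched ]; then
        echo '-A DOCKER -p tcp -m tcp --dport 4506 -j DROP'
        echo '-A DOCKER -p tcp -m tcp --dport 4505 -j DROP'
    fi
    echo '-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4505 -j ACCEPT'
    echo '-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4506 -j ACCEPT'
    echo 'COMMIT'
}

for state in unpatched patched; do
    echo "== $state (constructed sample) =="
    sample_rules "$state" | salt_ports_blocked || echo "workaround missing"
done
```

On a collector, run `iptables-save | salt_ports_blocked` as root to check the live ruleset.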

For more information and updates on the permanent fix, refer to VMSA-2020-0009: https://www.vmware.com/security/advisories/VMSA-2020-0009.html

 

Debian

Debian is tracking this bug at the links below:

Bug 949222 : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949222

Bug 959684 : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959684

 

OpenSUSE Security Announcement:

An update that fixes two vulnerabilities is now available.

This update for salt fixes the following issues:

– Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)

This update was imported from the SUSE:SLE-15-SP1:Update update project.

 

Patch Instructions:

  • To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or “zypper patch”.
  • Alternatively you can run the command listed for your product:
    - openSUSE Leap 15.1:

For more information, please refer to: https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html

Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.
