SaltStack Vulnerabilities Continue to Wreak Havoc on Enterprises Like Cisco

June 1, 2020

SaltStack, the open-source software for event-driven IT and security automation, has been in news for quite some time due to the critical vulnerabilities. Very recently, hackers had targeted the US-based networking giant Cisco.

Cisco attacked

Hackers targeted the Cisco infrastructure by leveraging the known critical vulnerabilities in SaltStack, which were then immediately patched by them.

  • In May 2020, hackers leveraged an already known authentication bypass vulnerability (CVE-2020-11651) and the directory traversal (CVE-2020-11652) in SaltStack servers to gain access to Cisco’s six backend servers.
  • On the same day, Cisco disclosed that some of its Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) backend servers (version 1.2 and 1.3) were vulnerable to these Salt vulnerabilities.
  • The Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), which can be deployed as a standalone server or cluster configurations, are impacted due to implementation of vulnerable SaltStack versions.

Brief history of SaltStack vulnerabilities

Hackers have been actively using the same SaltStack vulnerabilities to target several other organizations as well.

  • The vulnerabilities, that resides in Salt's default communication channel ZeroMQ, were first identified and communicated to the SaltStack security team by F-Secure Labs in March.
  • The initial research suggested that there were around 6000 vulnerable Salt servers actively being used over the internet.
  • SaltStack had quickly released the patch for the vulnerabilities and urged its users to update the Salt Master to release 2019.2.4 or the release 3000.2.
  • But apparently hackers were even more active than the security teams in several organizations, as hackers quickly started leveraging the vulnerabilities to target unpatched servers. So far, DigiCert, LineageOS, Vates (Xen Orchestra creators), Algolia, and the Ghost blogging platform have been targeted by the SaltStack vulnerabilities.

Additional facts

There are a large number of organizations, including several renowned multi-national companies, that are known to be using the SaltStack software, and that may be facing the same threat.

  • The official announcement by Salt says that “Salt Master is exposed to the open internet.” This means all the cloud-based implementations may also be under the risk of a breach. It is worthwhile to note that Salt Cloud supports 25 public and private cloud systems including AWS, Azure, VMware, IBM Cloud, and OpenStack.
  • The Salt management software is said to be implemented by several enterprises, including IBM, Lego, Dish, eBay, LinkedIn, Finserv, Ericsson, and more. Usage reports also suggest that 67% of SaltStack customers are in the US while 6% are in the United Kingdom.

Stay safe

Users can patch their SaltStack implementation by updating the Salt Master to the released patches: 2019.2.4 release or the 3000.2 release.

Read the original article and additional information at Cyware Social