Hackers hit remotely rootable SaltStack systems

SaltStack digital infrastructure automation systems are presently under attack with two critical vulnerabilties that allow remote code execution with the root superuser privileges being exploited.

The flaws were found by Finnish security vendor F-Secure early last month, and affect the SaltStack Salt master which sends updates to Salt minions that control servers, often large amounts of them.

Remote attackers can exploit the CVE-2020-11651 flaw to get un-authenticated access to Salt masters with root-equivalent privileges, F-Secure said.

A directory traversal vulnerability (CVE-2020-11652) allows attackers to escape path restrictions and to read files outside the intended directory.

F-Secure said that the vulnerabilities that are rated as the highest 10.0 severity, and added that they are reliable and simple to exploit.

You are a SaltStack user and since few hours all your minions' CPU are stuck at 100 % ? You see processes like /var/tmp/salt-store and /tmp/salt-minions running ?
Your Salt Master has been hacked and used for sending rogue command to your minions. Upgrade your Salt version ASAP.

— Jonathan (@TehHarry) May 3, 2020

The Salt Open Core Team of developers have confirmed the vulnerability in Salt master version 3000.1 and earlier, and released the patched versions 3000.2 and 2019.2.4.

Although SaltStack warns users not to expose the Salt master to the internet, F-Secure researcher Olle Segerdahl found 6000 vulnerable systems openly accessible, which he said are very popular in clouds like Amazon Web Services and Google Compute Platform. 

Segerdahl warned customers last Friday to patch the Salt vulnerabilities or face being exploited.

Over the weekend, several organisations such as the LineageOS Android distribution, the Ghost blogging platform, and the DigiCert private key infrastructure management company were compromised using the Salt vulnerabilties.

Although the remote root access could be used to exfiltrate data such as digital keys stored by DigiCert and deploying ransomware, they appear to have so far only installed crypto currency mining software.

In the case of Ghost, the crypto miner overloaded the organisation's servers causing an outage.