salt@3001 vulnerabilities

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Improper Certificate Validation via the VirtKey process when on-demand pillar data is requested and unvalidated input is used to construct paths to the pki directory. An attacker can overwrite file contents and potentially auto-accept Minion authentication keys by placing a crafted authorization file at a specific location.

Note:

This is only exploitable if the default configuration is used, which enables this functionality.

Upgrade salt to version 3006.12, 3007.4 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Directory Traversal via the minion file cache creation process. An attacker can write or overwrite files outside of the intended cache directory by supplying crafted input that exploits path traversal.

Upgrade salt to version 3006.12, 3007.4 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the _minion_event method. An attacker can inject unauthorized events onto the master's event bus by sending crafted requests from an authorized minion.

Upgrade salt to version 3006.12, 3007.4 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Improper Certificate Validation due to improper authentication in the salt.auth.pki module. An attacker can gain unauthorized access by providing only a public certificate in the password field, which is accepted without requiring the corresponding private key.

A fix was pushed into the master branch but not yet published.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via the pub_ret method due to unsanitized input in the jid parameter used to construct file paths. An attacker can cause the worker process to become unresponsive or crash by supplying a crafted value that targets a special file, such as a pipe node in the proc file system, resulting in a denial of service.

Upgrade salt to version 3006.12, 3007.4 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Replay Attack via the request server process when a TLS encrypted transport is not used. An attacker can replay previously captured requests by intercepting and resending them over an unencrypted channel.

Upgrade salt to version 3006.12, 3007.4 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Improper Certificate Validation due to the skipping of minion token validation in multiple methods. An attacker can impersonate another minion by sending crafted requests to the master.

Upgrade salt to version 3006.12, 3007.4 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Arbitrary Command Injection via the on demand pillar process when a specially crafted git URL is provided. An attacker can execute arbitrary commands on the master with the same privileges as the master process by exploiting access to a minion key.

Upgrade salt to version 3006.12, 3007.4 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Directory Traversal via the recv_file function. An attacker can write arbitrary files to the master cache directory by sending crafted requests.

Upgrade salt to version 3006.12, 3007.4 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Directory Traversal via the serve_file method, due to insufficient checks in the salt/fileserver/roots.py file.

Upgrade salt to version 3005.5 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Directory Traversal when establishing the syndic cache directory on the master.

Upgrade salt to version 3005.5 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Improper Access Control. The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. If an attacker has access to the target VM and knows the path to the pre-flight script before it runs they can ensure Salt-SSH runs their script with the privileges of the user running Salt-SSH.

Upgrade salt to version 3005.4, 3006.4 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Information Exposure and other possible impacts, due to a hash collision when using Git Providers reading from different environments. If Git Providers read from the wrong environment because they get the same cache directory base name, they could get bad data or unintended data. This could also lead to wrongful executions, data corruption or a crash.

Upgrade salt to version 3005.2, 3006.2 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the error message decoding mechanism in minion return. If the request server receives a number of requests equal to the number of worker threads, the master will become unresponsive to return requests until it is restarted.

Upgrade salt to version 3005.2, 3006.2 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Buffer Overflow via the status function.

There is no fixed version for salt.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Denial of Service (DoS) in junos ifconfig output parsing.

Upgrade salt to version 3004.1 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Access Restriction Bypass where a previously authorized user whose account is locked can still run Salt commands. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.

Workaround: If the user can not upgrade to the fixed version, it is possible to:

1. remove locked accounts rather than rely on Salt’s PAM eauth functionality.

2. change to a different eauth module.

Upgrade salt to version 3002.9, 3003.5, 3004.2 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Improper Access Control which allows users specified in the publisher_acl to publish authorized commands to any configured minion. Note: This requires a syndic master combined with publisher_acl configured on the Master-of-Masters.

Upgrade salt to version 3002.8, 3003.4, 3004.1 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Denial of Service (DoS). A MiTM attacker to force a minion process to stop by impersonating a master.

Upgrade salt to version 3002.8, 3003.4, 3004.1 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Access Restriction Bypass which can allow attackers to substitute arbitrary pillar data, because Salt Masters do not sign pillar data with the minion’s public key.

Upgrade salt to version 3002.8, 3003.4, 3004.1 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Authentication Bypass which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be re-played. A sufficient craft attacker could gain root access to minion under certain scenarios.

Upgrade salt to version 3002.8, 3003.4, 3004.1 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Privilege Escalation. A user who has control of the source and source_hash URLs, can gain full file system access as root on a salt minion.

Upgrade salt to version 3001.8, 3002.7, 3003.3 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Privilege Escalation. The salt minion installer will accept and use a minion config file at C:\salt\conf if that file is in place before the installer is run. This allows for a malicious actor to subvert the proper behavior of the given minion software.

The malicious actor must have access to a Windows system, permission to create directories and files on the root of the system drive, and create a malicious minion config at C:\salt\conf.

Upgrade salt to version 3001.8, 3002.7, 3003.3 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Command Injection via the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).

Upgrade salt to version 3003rc1 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Command Injection. The Salt-API’s SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.

Upgrade salt to version 3002.5, 3001.6, 3000.8 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Improper Authorization. The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

Upgrade salt to version 3002.5, 3001.6, 3000.8 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Directory Traversal. The salt.wheel.pillar_roots.write method is vulnerable to directory traversal. Unauthorized access to wheel_async through salt-api can execute arbitrarily code/command.

Upgrade salt to version 3002.5, 3001.6, 3000.8 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Server-side Template Injection (SSTI). The jinja renderer does not protect against server-side template injection attacks. This could be abused via the SaltAPI fix directory traversal in wheel.pillar_roots.write.

Upgrade salt to version 3002.5, 3001.6, 3000.8 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Command Injection. A command injection in salt.utils.thin.gen_thin() exists

Upgrade salt to version 3002.5, 3001.6, 3000.8 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Sensitive Data Exposure webutils write passwords in cleartext to /var/log/salt/minion.

Upgrade salt to version 3002.5, 3001.6, 3000.8 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). The SaltStack Code base not validating SSL/TLS certificate of the server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack

Upgrade salt to version 3002.5, 3001.6, 3000.8 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Sensitive Data Exposure eauth tokens can be used once after expiration.

Upgrade salt to version 3002.5, 3001.6, 3000.8 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Local Privilege Escalation. A privilege escalation is possible on a SaltStack minion when an unprivileged user is able to create files in any non-blacklisted directory via a command injection in a process name.

Upgrade salt to version 3002.5, 3001.6, 3000.8 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Improper Certificate Validation. Several places where Salt was not verifying the SSL cert by default. This has now been remediated.

Upgrade salt to version 3002.5, 3001.6, 3000.8 or higher.

salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

Upgrade salt to version 3000.4, 3001.2 or higher.