Security Vulnerability: Several CVEs in SALT
This document (000019887) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
Situation
SaltStack announced a Security Release fixing several critical issues.
The issues range from privilege escalation, missing SSL/TLS certificate validation and directory traversal to possible command injection.
Resolution
Cause
List of CVEs:
- CVE-2020-28243 A privilege escalation is possible on a SaltStack minion when an unprivileged user is able to create files in any non-blacklisted directory, via a command injection in a process's name. Simply ending a file name with "(deleted)" and keeping a file handle open to it is enough to trigger the exploit whenever a restart check is triggered from a SaltStack master.
- CVE-2020-28972 In SaltStack Salt v2015.8.0 through v3002.2, authentication to vCenter, vSphere, and ESXi servers does not always validate the SSL/TLS certificate.
- CVE-2021-3148 An issue was discovered in SaltStack Salt v2016.3.0 through v3002.2. Sending crafted web requests to the Salt API, when using the SSH client, can result in command injection.
- CVE-2021-25281 The Salt-API does not honor eAuth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
- CVE-2021-25282 The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
- CVE-2021-25283 The Jinja renderer does not protect against server-side template injection attacks.
- CVE-2021-3144 eauth tokens can be used once after expiration.
- CVE-2021-25284 salt.modules.cmdmod can log credentials at the "error" log level.
- CVE-2021-3197 The Salt-API's SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
- CVE-2020-35662 In SaltStack Salt v2015.8.0 through v3002.2, when authenticating to services using certain modules (asam runner, qingcloud, splunk returner, panos proxy, cimc proxy, zenoss module, esxi module, vsphere module, glassfish module, bigip module, and keystone module), the SSL certificate is not always validated.
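
For the directory traversal class named in CVE-2021-25282, the following added example (not Salt's or SUSE's code) shows a containment check that a file-writing helper can apply before touching disk. The function names, the `pillar` directory and the sample paths are hypothetical and constructed for illustration.

```python
import os
import tempfile

def resolve_under_root(root, relpath):
    """Return the absolute target for relpath, or raise ValueError if it
    would land outside root. Hypothetical helper, not Salt's API."""
    if os.path.isabs(relpath):
        raise ValueError("absolute path rejected: %r" % relpath)
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks that already exist,
    # so a link inside root that points elsewhere is caught as well.
    target = os.path.realpath(os.path.join(root_real, relpath))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError("path escapes root: %r" % relpath)
    if target == root_real:
        raise ValueError("path names the root itself: %r" % relpath)
    return target

def write_under_root(root, relpath, data):
    """Write data below root only; create parent directories as needed."""
    target = resolve_under_root(root, relpath)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w") as fh:
        fh.write(data)
    return target

def demo():
    """Run constructed sample paths against a temporary root."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "pillar")
        os.mkdir(root)
        os.symlink(base, os.path.join(root, "link"))  # symlink leaving root
        for rel in ("web/init.sls", "../outside.sls", "a/../../outside.sls",
                    "/tmp/outside.sls", "link/outside.sls"):
            try:
                write_under_root(root, rel, "key: value\n")
                results[rel] = "written"
            except ValueError:
                results[rel] = "rejected"
        results["escaped"] = os.path.exists(os.path.join(base, "outside.sls"))
    return results

if __name__ == "__main__":
    for path, outcome in demo().items():
        print(path, "->", outcome)
```

The check and the write are separate steps, so it only holds when untrusted users cannot create symlinks below the root between the two.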
Status
Additional Information
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000019887
- Creation Date: 25-Feb-2021
- Modified Date: 26-Feb-2021
- SUSE Linux Enterprise Server
- SUSE Manager for Retail
- SUSE Manager Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com