Two high-severity CVEs in the SaltStack platform were published last week by researchers at F-Secure. These vulnerabilities can enable remote code execution (RCE), which lets attackers remotely execute commands on the Salt leader node. This results in a full compromise of the host and can expose sensitive information within the cloud environment. To address this, Aqua CSPM has been updated with new plugins that check AWS, Azure, and GCP environments for these new vulnerabilities.
You can now find the details in the National Vulnerability Database. Both vulnerabilities are rated as high severity.
Salt has since published updates that patch these vulnerabilities. However, over the last few days, there has been a steady increase in the number of companies reporting unpatched, compromised SaltStack instances.
While we recommend that the updates be installed immediately, cloud admins should also take this opportunity to ensure their Salt environments are not exposed publicly, which is a key enabling component of this attack vector. Automatically scanning the configuration of these specific services across clouds is exactly what Aqua CSPM is about.
We released three new plugins for Aqua CSPM to help address these issues, which are being enabled immediately for our customers. These plugins detect the exposure of ports 4505 and 4506 to the public internet (0.0.0.0/0) via instance security group rules. These nodes should have their security groups updated to only allow traffic from known IP addresses belonging to the Salt minions and required administrative endpoints.
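To illustrate the check those plugins perform, here is an added example (not CloudSploit's or Aqua's own plugin code) that walks AWS-style security group ingress rules and flags any rule admitting 0.0.0.0/0 or ::/0 traffic on port 4505 or 4506, covering port ranges and all-traffic (-1) rules as well as exact matches; the security groups are a constructed sample.

```javascript
// Added example: flag security group ingress rules that expose the Salt
// publisher (4505) and request (4506) ports to the public internet.
const SALT_PORTS = [4505, 4506];
const WORLD_CIDRS = ['0.0.0.0/0', '::/0'];

// True if an AWS-style ingress rule admits TCP traffic on `port`.
// IpProtocol '-1' means all protocols and ports; FromPort/ToPort is a range.
function ruleCoversPort(rule, port) {
  if (rule.IpProtocol === '-1') return true;
  if (rule.IpProtocol !== 'tcp') return false;
  return rule.FromPort <= port && port <= rule.ToPort;
}

// CIDRs on a rule that are open to the whole internet (IPv4 or IPv6).
function worldOpenCidrs(rule) {
  const v4 = (rule.IpRanges || []).map(r => r.CidrIp);
  const v6 = (rule.Ipv6Ranges || []).map(r => r.CidrIpv6);
  return v4.concat(v6).filter(c => WORLD_CIDRS.includes(c));
}

// Evaluate a list of security groups; each finding names the group,
// the exposed Salt port and the offending CIDR.
function findExposedSaltPorts(groups) {
  const findings = [];
  for (const sg of groups) {
    for (const rule of sg.IpPermissions || []) {
      const open = worldOpenCidrs(rule);
      if (open.length === 0) continue;
      for (const port of SALT_PORTS) {
        if (!ruleCoversPort(rule, port)) continue;
        for (const cidr of open) findings.push({ groupId: sg.GroupId, port, cidr });
      }
    }
  }
  return findings;
}

// Constructed sample input mimicking the EC2 DescribeSecurityGroups shape.
const SAMPLE_GROUPS = [
  { GroupId: 'sg-salt-master', IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 4505, ToPort: 4506, IpRanges: [{ CidrIp: '0.0.0.0/0' }] },
    { IpProtocol: 'tcp', FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: '10.0.0.0/8' }] } ] },
  { GroupId: 'sg-minions', IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 4505, ToPort: 4506, IpRanges: [{ CidrIp: '10.0.0.0/8' }] } ] },
  { GroupId: 'sg-wide-open', IpPermissions: [
    { IpProtocol: '-1', Ipv6Ranges: [{ CidrIpv6: '::/0' }] } ] },
];

console.log(findExposedSaltPorts(SAMPLE_GROUPS)); // 4 findings: two groups, both ports
```

Only the groups that admit world traffic on the Salt ports are reported; the minion-only group restricted to 10.0.0.0/8 passes, which is the state the post recommends.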
One Aqua CSPM customer has already used this capability to scan their environment and found no fewer than 20 exposed instances. These plugins are also available via CloudSploit, our open source CSPM auditing tool.
The importance of detecting cloud-based risks and remediating them quickly was already apparent, but this latest issue is a solid reminder. Securing your public cloud IaaS and detecting configuration issues across any cloud is more important than ever. Just as important is giving users detailed, actionable direction so they can quickly fix and re-evaluate issues as they come up – something the extensible, plugin-based architecture of Aqua CSPM serves well across multiple cloud services.
Aqua Security enables enterprises to secure their container-based and cloud-native applications from development to production, accelerating container adoption and bridging the gap between DevOps and IT security.
Aqua’s Container Security Platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks, providing transparent, automated security while helping to enforce policy and simplify regulatory compliance.