Aqua Blog

Mitigating High Severity CVEs Affecting SaltStack on Public Clouds

Two high-severity CVEs in the SaltStack platform were published last week by researchers at F-Secure. These vulnerabilities can enable remote code execution (RCE), which lets attackers remotely execute commands on the Salt leader node. This results in a full compromise of the host and can expose sensitive information within the cloud environment. To address this, Aqua CSPM has been updated with new plugins that check AWS, Azure, and GCP environments for these new vulnerabilities.

You can now find the details in the National Vulnerability Database. Both vulnerabilities are rated as high severity.

  • CVE-2020-11651 …the salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
  • CVE-2020-11652 …the salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

Salt has since published updates that patch these vulnerabilities. However, over the last few days, there has been a steady increase in the number of companies reporting unpatched, compromised SaltStack instances.

Preventing Exploits of These CVEs

While we recommend that the updates be installed immediately, cloud admins should also take this opportunity to ensure their Salt environments are not exposed publicly, which is a key enabling component of this attack vector. Automatically scanning the configuration of these specific services across clouds is exactly what Aqua CSPM is about.

Mitigation with Aqua CSPM

We released three new plugins for Aqua CSPM to help address these issues, which are being enabled immediately for our customers. These plugins detect the exposure of ports 4505 and 4506 to the public internet (0.0.0.0/0) via instance security group rules. These nodes should have their security groups updated to only allow traffic from known IP addresses belonging to the Salt minions and required administrative endpoints.

  1. AWS EC2 Open Salt
  2. Azure Network Security Groups Open Salt
  3. Google VPC Network Open Salt
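The check these plugins perform is essentially a rule evaluation over each security group: does any ingress rule whose source is the whole internet (0.0.0.0/0 or ::/0) cover TCP 4505 (the salt-master publisher port) or 4506 (the request server port)? The following is an added example in the spirit of the AWS EC2 plugin, written for this post and not CloudSploit's own plugin code; it takes security groups in the shape of the EC2 DescribeSecurityGroups response, and the sample groups are constructed, not real data.

```javascript
// Added example (not CloudSploit's plugin): flag AWS security groups that
// expose the Salt master ports 4505/4506 to the whole internet.
const SALT_PORTS = [4505, 4506];
const WORLD_CIDRS = new Set(['0.0.0.0/0', '::/0']);

// Does this ingress rule cover the given TCP port?
// IpProtocol "-1" means "all traffic" and EC2 then omits the port range.
function ruleCoversPort(perm, port) {
  if (perm.IpProtocol === '-1') return true;
  if (perm.IpProtocol !== 'tcp') return false;
  const from = perm.FromPort ?? 0;
  const to = perm.ToPort ?? 65535;
  return from <= port && port <= to;
}

// Sources on this rule that are world-open (IPv4 and IPv6 ranges).
function worldOpenSources(perm) {
  const v4 = (perm.IpRanges || []).map((r) => r.CidrIp);
  const v6 = (perm.Ipv6Ranges || []).map((r) => r.CidrIpv6);
  return v4.concat(v6).filter((cidr) => WORLD_CIDRS.has(cidr));
}

// Evaluate one security group; FAIL if any Salt port is reachable from anywhere.
function checkSaltExposure(group) {
  const findings = [];
  for (const perm of group.IpPermissions || []) {
    const sources = worldOpenSources(perm);
    if (sources.length === 0) continue;
    for (const port of SALT_PORTS) {
      if (ruleCoversPort(perm, port)) {
        findings.push({ groupId: group.GroupId, port, protocol: perm.IpProtocol, sources });
      }
    }
  }
  return { groupId: group.GroupId, status: findings.length ? 'FAIL' : 'PASS', findings };
}

function auditAll(groups) { return groups.map(checkSaltExposure); }

// Constructed sample groups: one open, one restricted to a minion subnet,
// one "all traffic" rule open to IPv6 everywhere.
const SAMPLE_GROUPS = [
  { GroupId: 'sg-open', IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 4505, ToPort: 4506, IpRanges: [{ CidrIp: '0.0.0.0/0' }], Ipv6Ranges: [] }] },
  { GroupId: 'sg-restricted', IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 4505, ToPort: 4506, IpRanges: [{ CidrIp: '10.0.0.0/16' }], Ipv6Ranges: [] }] },
  { GroupId: 'sg-all-traffic', IpPermissions: [
    { IpProtocol: '-1', IpRanges: [], Ipv6Ranges: [{ CidrIpv6: '::/0' }] }] },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditAll(SAMPLE_GROUPS), null, 2));
}
```

A group that passes here still needs its allowed CIDRs reviewed against the actual minion and admin addresses; the check only proves the ports are not open to everyone.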

One Aqua CSPM customer has already used this capability to scan their environment and found no fewer than 20 exposed instances. These plugins are also available via CloudSploit, our open source CSPM auditing tool.

The importance of detecting cloud-based risks and remediating them quickly is already well understood, but this latest issue is a solid reminder of it. Securing your public cloud IaaS and detecting configuration issues across any cloud is more important than ever. Just as important is giving users detailed, actionable direction so they can fix and re-evaluate issues quickly as they come up, which is exactly what the extensible, plugin-based architecture of Aqua CSPM is designed for across multiple cloud services.

Matt Fuller
Matthew Fuller is an accomplished founder and entrepreneur in the cloud security space. Before founding CloudSploit, he managed teams of infrastructure engineers in cloud development. That is when he recognized the difficulty of developing truly secure workloads in complex cloud environments, which led him to develop a cloud configuration monitoring service, CloudSploit. As part of Aqua Security, Matthew now oversees Aqua's expansion to SaaS-based cloud security monitoring. Residing in New York City, Matt enjoys interacting with the ever-growing security and startup scene and connecting with like-minded entrepreneurs.