Two high-severity CVEs in the SaltStack platform were published last week by researchers at F-Secure. These vulnerabilities can enable remote code execution (RCE), which lets attackers remotely execute commands on the Salt leader node. This results in a full compromise of the host and can expose sensitive information within the cloud environment. To address this, Aqua CSPM has been updated with new plugins that check AWS, Azure, and GCP environments for these new vulnerabilities.
You can now find the details in the National Vulnerability Database. Both vulnerabilities are rated as high severity.
Salt has since published updates that patch these vulnerabilities. However, over the last few days, there has been a steady increase in the number of companies reporting unpatched, compromised SaltStack instances.
While we recommend that the updates be installed immediately, cloud admins should also take this opportunity to ensure their Salt environments are not exposed publicly, which is a key enabling component of this attack vector. Automatically scanning the configuration of these specific services across clouds is exactly what Aqua CSPM is about.
We released three new plugins for Aqua CSPM to help address these issues, which are being enabled immediately for our customers. These plugins detect the exposure of ports 4505 and 4506 to the public internet (0.0.0.0/0) via instance security group rules. These nodes should have their security groups updated to only allow traffic from known IP addresses belonging to the Salt minions and required administrative endpoints.
One Aqua CSPM customer has already used this capability to scan their environment and found no fewer than 20 exposed instances. These plugins are also available via CloudSploit, our open source CSPM auditing tool.
Although the importance of detecting cloud-based risks and quickly remediating them has become very apparent, this latest issue still serves as a solid reminder. Ensuring the security of your public cloud IaaS and detecting configuration issues across any cloud is more important than ever. But adding to that is the significance of getting detailed, actionable direction and enabling users to quickly fix and re-evaluate issues as they come up – something that is served well by the extensible, plugin-based architecture of Aqua CSPM, across multiple cloud services.
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads, wherever they are deployed.
Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.