Dangerous vulnerabilities in the SaltStack configuration management system

The new releases of the SaltStack centralized configuration management system, 3002.5, 3001.6 and 3000.8, resolve a vulnerability (CVE-2020-28243) that could allow an unprivileged local user to elevate their privileges on the host. The problem is caused by a bug in the salt-minion handler that accepts commands from the central server. The vulnerability was discovered in November, but has only been fixed now.

When the "restartcheck" operation is performed, arbitrary commands can be injected by manipulating a process name. In particular, the check for whether a package is present was carried out by launching the package manager with an argument derived from the process name. The package manager is launched by calling popen in shell mode, but without escaping special characters. By changing the process name to include characters such as ";" and "|", a local user can get arbitrary code executed.
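The two shapes of the pattern described above, as an added illustration that is not Salt's own code: the vulnerable form interpolates the process name into a shell string, the hardened form validates it against a package-name grammar and passes it as a single argv element. The dpkg-query command line, the Debian package-name regex and the sample process names are assumptions.

```python
"""Illustration of the bug class behind CVE-2020-28243 (not SaltStack's code)."""
import re
from typing import List, Optional, Tuple

# Constructed sample process names, as they might be read from /proc/<pid>/comm.
# The last one carries the ";" metacharacter the article mentions; the payload
# here is a harmless marker, not a real command anyone would run.
SAMPLE_PROCESS_NAMES = ["nginx", "postgres", "sshd; echo injected"]

# Assumed allowlist: Debian policy package-name grammar (lowercase letters,
# digits, "+", "-", ".", at least two characters, alphanumeric first character).
PKG_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")

# Characters a POSIX shell treats specially; used only to flag names that would
# have been parsed as more than one command under the vulnerable pattern.
SHELL_META_RE = re.compile(r"[;|&$`<>()\\\s'\"]")


def vulnerable_query_command(proc_name: str) -> str:
    """Vulnerable pattern: the name is concatenated into one string that a shell
    will parse later (popen with shell=True), so ";" or "|" inside proc_name
    terminates the package-manager command and starts a second one."""
    return "dpkg-query -S " + proc_name


def hardened_query_argv(proc_name: str) -> Optional[List[str]]:
    """Hardened pattern: reject anything outside the package-name grammar and
    hand the survivor to the package manager as a single argv element, to be
    executed with shell=False so no shell ever parses it."""
    if not PKG_NAME_RE.fullmatch(proc_name):
        return None
    return ["dpkg-query", "-S", proc_name]


def audit(process_names: List[str]) -> Tuple[List[str], List[List[str]]]:
    """Defender's view of a batch of process names: which ones the vulnerable
    pattern would have turned into extra shell commands, and which argv lists
    the hardened pattern is willing to emit."""
    injected = [n for n in process_names if SHELL_META_RE.search(n)]
    argvs = [a for a in (hardened_query_argv(n) for n in process_names) if a]
    return injected, argvs


if __name__ == "__main__":
    bad, good = audit(SAMPLE_PROCESS_NAMES)
    print("names the shell would have split into extra commands:", bad)
    print("argv lists the hardened check allows:", good)
```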

In addition to the noted problem, 9 more vulnerabilities have been fixed in SaltStack 3002.5:

  • CVE-2021-25281 - Due to the lack of proper authorization checks, a remote attacker can run any wheel module on the controlling master server by calling SaltAPI and compromise the entire infrastructure.
  • CVE-2021-3197 - An issue in the minion SSH module that allows arbitrary shell commands to be executed via argument injection through the "ProxyCommand" setting or by passing ssh_options via the API.
  • CVE-2021-25282 - Unauthorized access to wheel_async allows a SaltAPI call to overwrite a file outside the base directory and execute arbitrary code on the system.
  • CVE-2021-25283 - Escaping the base directory in SaltAPI's wheel.pillar_roots.write handler allows an arbitrary template to be added to the jinja renderer.
  • CVE-2021-25284 - Passwords set via webutils ended up in plain text in /var/log/salt/minion.
  • CVE-2021-3148 - Command injection possible via the SaltAPI salt.utils.thin.gen_thin() call.
  • CVE-2020-35662 - Missing SSL certificate validation in the default configuration.
  • CVE-2021-3144 - Ability to use eauth tokens after they have expired.
  • CVE-2020-28972 - The server's SSL/TLS certificate was not checked in the code, which allowed MITM attacks.

Source: opennet.ru