[Pkg-salt-team] Bug#959684: salt: CVE-2020-11651 and CVE-2020-11652
Guilhem Moulin
guilhem at debian.org
Mon May 4 00:34:33 BST 2020
Source: salt
Version: 2018.3.4+dfsg1-6
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2018.3.4+dfsg1-6
Control: found -1 2016.11.2+ds-1+deb9u2
Control: found -1 2014.1.13+ds-3
Control: notfound -1 3000.2+dfsg1-1
Dear Maintainer,
These CVEs were assigned last Wednesday but I'm filing this as it seems
they're not tracked in the BTS yet.
CVE-2020-11651
--------------
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000
before 3000.2. The salt-master process ClearFuncs class does not
properly validate method calls. This allows a remote user to access
some methods without authentication. These methods can be used to
retrieve user tokens from the salt master and/or _run arbitrary
commands on salt minions_. [emphasis mine]
CVE-2020-11652
--------------
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000
before 3000.2. The salt-master process ClearFuncs class allows access
to some methods that improperly sanitize paths. These methods allow
arbitrary directory access to authenticated users.
As seen for instance at https://github.com/saltstack/salt/issues/57057
the vulnerabilities are being exploited in wild already; compromised
salt masters do allow attackers to run arbitrary commands on the minions
as root.
See also https://labs.f-secure.com/advisories/saltstack-authorization-bypass .
Cheers,
--
Guilhem.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-salt-team/attachments/20200504/35af8522/attachment.sig>
More information about the pkg-salt-team
mailing list