The Salt Project has patched a privilege escalation bug impacting SaltStack Salt minions that could be used during a wider exploit chain.
The vulnerability, CVE-2020-28243, is described as a privilege escalation bug impacting SaltStack Salt minions allowing “an unprivileged user to create files in any non-blacklisted directory via a command injection in a process name.”
The bug has been given a severity rating of 7.0 and impacts Salt versions before 3002.5.
SaltStack’s Salt is an open-source project and software designed for automation and infrastructure management.
In November, Immersive Labs’ security researcher Matthew Rollings performed a scan on the tool using Bandit, a Python application security scanner and came across the bug as a result.
Salt includes a master system and minions, of which the latter facilitates commands sent to the master, and both often run as root. Rollings discovered a command injection vulnerability in minions when the master system summons a process called restart check.
Exploits can be triggered if attackers use crafted process names, permitting local users to escalate their privileges on root — as long as they can create files on a minion in a non-forbidden directory.
With further investigation, the researcher noted it might also be possible to perform container escapes, including completing the exploit “within a container to gain command execution as root on the host machine.”
Also, Rollings said the vulnerability “may be performed by an attacker without local shell access, [and] under certain circumstances, remote users can influence process names.” However, this form of attack is considered “unlikely” and could be difficult to trigger.
The Salt Project resolved the vulnerability in a February security release. The group also patched other high-impact bugs, including CVE-2021-3197, a shell injection flaw in Salt-API’s SSH client; CVE-2021-25281, an eAuth security issue that could allow remote attackers to run any wheel modules on the master, and CVE-2021-25283, a failure to protect against server-side template injection attacks.
