The Salt Project has patched a privilege escalation bug impacting SaltStack Salt minions that could be used during a wider exploit chain. 

The vulnerability, CVE-2020-28243, is described as a privilege escalation bug impacting SaltStack Salt minions allowing “an unprivileged user to create files in any non-blacklisted directory via a command injection in a process name.” 

The bug has been given a severity rating of 7.0 and impacts Salt versions before 3002.5.

SaltStack’s Salt is an open-source project and software designed for automation and infrastructure management. 

In November, Immersive Labs’ security researcher Matthew Rollings scanned the tool with Bandit, a Python application security scanner, and came across the bug as a result.

Salt includes a master system and minions, of which the latter facilitate commands sent to the master, and both often run as root. Rollings discovered a command injection vulnerability in minions that is triggered when the master system summons a process called restart check.

Exploits can be triggered if attackers use crafted process names, permitting local users to escalate their privileges to root, as long as they can create files on a minion in a non-forbidden directory.
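The injection class described above, shown as an added example (illustrative Python, not Salt's code): a process name concatenated into a shell string is parsed by the shell, while an argument list keeps it as a single argument. The function names, the `printf` stand-in command and the sample process name are assumptions constructed for illustration.

```python
import re
import shlex
import subprocess

# Constructed sample: a process name carrying a shell metacharacter and a harmless echo.
CRAFTED_NAME = "worker; echo INJECTED"

# Characters that change meaning when a string is handed to /bin/sh.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n]")


def _run(cmd, shell):
    out = subprocess.run(cmd, shell=shell, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def lookup_unsafe(proc_name):
    """Vulnerable pattern: untrusted name concatenated into a shell string.
    Bandit reports subprocess calls made with shell=True."""
    return _run("printf 'owner-of:%s\\n' " + proc_name, shell=True)


def lookup_argv(proc_name):
    """Hardened: argument list and no shell, so the name stays one argument."""
    return _run(["printf", "owner-of:%s\n", proc_name], shell=False)


def lookup_quoted(proc_name):
    """Fallback when a shell cannot be avoided: quote the untrusted value."""
    return _run("printf 'owner-of:%s\\n' " + shlex.quote(proc_name), shell=True)


def flag_names(names):
    """Detection aid: return process names containing shell metacharacters."""
    return [n for n in names if SHELL_META.search(n)]


if __name__ == "__main__":
    print(lookup_unsafe(CRAFTED_NAME))   # the shell runs the second command
    print(lookup_argv(CRAFTED_NAME))     # one literal line
    print(lookup_quoted(CRAFTED_NAME))   # one literal line
    print(flag_names(["sshd", "salt-minion", CRAFTED_NAME]))
```
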

With further investigation, the researcher noted it might also be possible to perform container escapes, including completing the exploit “within a container to gain command execution as root on the host machine.”

Also, Rollings said the vulnerability “may be performed by an attacker without local shell access, [and] under certain circumstances, remote users can influence process names.” However, this form of attack is considered “unlikely” and could be difficult to trigger. 

The Salt Project resolved the vulnerability in a February security release. The group also patched other high-impact bugs, including CVE-2021-3197, a shell injection flaw in Salt-API’s SSH client; CVE-2021-25281, an eAuth security issue that could allow remote attackers to run any wheel modules on the master; and CVE-2021-25283, a failure to protect against server-side template injection attacks.

Priyanshu Vijayvargiya

Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
