A Minion Privilege Escalation Exploit was Fixed in SaltStack Project
The bug in question allowed the attackers to perform a series of privilege escalation attacks.
Salt is one of the largest open source communities in the world, focused on automation and infrastructure management.
A vulnerability tracked as CVE-2020-28243 was identified as a privilege escalation bug impacting SaltStack Salt minions. It allowed an unprivileged user able to create files in any non-blacklisted directory to escalate privileges via a command injection in a process name.
‘An issue was discovered in SaltStack Salt versions before 3002.5. The minion’s restartcheck is vulnerable to command injection via a crafted process name. This allows a local privilege escalation by any user able to create a file on the minion in a non-blacklisted directory.’
The bug is rated 7.0 in severity and can impact all Salt versions before 3002.5.
On its website, Saltproject released a statement regarding this CVE, announcing a security update that addresses 10 vulnerabilities with severity ratings from Medium to High, and stating that the fix for this specific vulnerability is to remove shell usage in the restartcheck module.
Salt is made up of a master system and minions, which together facilitate the commands sent to the master; both often run as root.
How was the bug found?
Last year, in November, Immersive Labs’ security researcher Matthew Rollings ran a scan on Saltproject using Bandit, a Python application security scanner, and came across the bug as a result.
Through this check he discovered a command injection vulnerability in minions that occurs when the master system calls a process called restartcheck. Exploits can be triggered if attackers use crafted process names, permitting local users to escalate their privileges to root.
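The difference between the vulnerable pattern and the stated fix (removing shell usage) can be shown with a short added example. This is not Salt's restartcheck code: the lookup tool, the function names and the crafted name are all constructed for illustration, and the injected command is a harmless marker.

```python
import shlex
import subprocess
import sys

# Hypothetical stand-in for an external lookup tool: it only reports the
# arguments it received, so we can see how the name was parsed.
TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Constructed input: a process name containing a shell metacharacter followed
# by a harmless marker command.
CRAFTED_NAME = "/tmp/demo;echo INJECTED"


def query_with_shell(name):
    """Unsafe pattern: the name is concatenated into a string parsed by a shell."""
    cmd = " ".join(shlex.quote(part) for part in TOOL) + " " + name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def query_without_shell(name):
    """Hardened pattern: argv list and no shell, so the name is one literal argument."""
    return subprocess.run(TOOL + [name], capture_output=True, text=True).stdout


def injected(output):
    """True if the marker ran as a separate command instead of staying data."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for label, func in (("shell=True", query_with_shell),
                        ("argv list ", query_without_shell)):
        out = func(CRAFTED_NAME)
        print(f"{label}: injected={injected(out)} output={out!r}")
```

With the shell, the text after the semicolon is run as a second command with the caller's privileges; with the argument list, the whole name reaches the tool as a single string.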
With further investigation, the researcher noted it may also be possible to perform container escapes, including performing the exploit “within a container to gain command execution as root on the host machine.”
Matthew Rollings also stated that the vulnerability
“may be performed by an attacker without local shell access, and under certain circumstances, remote users can influence process names. However, this form of attack is considered “unlikely” and could be difficult to trigger.”