SaltStack Issues Second Fix for a Privilege Escalation Bug
The second flaw was not as severe as the original CVE, but still could have caused a low-impact denial-of-service.
On February 4th, the Salt Project patched a privilege escalation bug impacting SaltStack Salt minions that could have been used as part of a wider exploit chain. That first attempt to patch the issue was only partially successful, so a second fix, addressing the remaining command injection problem, has since been issued.
The CVE-2020-28243 vulnerability is described as a privilege escalation bug impacting SaltStack Salt minions. The flaw “allows for a local privilege escalation by any user able to create a file on the minion in a non-blacklisted directory.” The bug was given a severity score of 7.0 and affects Salt versions before 3002.5.
The vulnerability was first discovered by Immersive Labs’ cybersecurity analyst Matthew Rollings in November 2020.
The minion’s restartcheck was vulnerable to command injection via a crafted process name when the process had open file descriptors whose filename ends in “ (deleted)”. (Note that the leading space is part of that suffix and is required for the injection to function.) This allowed any local user to escalate their privileges to root, provided they were able to create files on the minion in a directory that was not explicitly forbidden.
The initial fix did prevent command injection, but did not go far enough and still allowed argument injection, Rollings says. Although not as severe as the original issue, failing to patch this problem could have led to denial-of-service and software crashes. To prevent command injection, the first fix issued by the Salt Project added shlex, a Python library for shell-style quoting and tokenizing, which in Rollings’ opinion was a mistake, as it does not provide any additional protection.
Once the error was noticed and reported, SaltStack privately shared its second attempt with the researcher prior to publication.
SaltStack’s updated fix for CVE-2020-28243
The final solution SaltStack implemented avoids the need to use shlex to escape a command string: it builds an array of arguments that is passed directly to popen. This ensures that the package name can only ever be a single argument, since spaces and quotes inside it no longer have to be escaped by hand.
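The contrast the final fix relies on, as an added example written for this page rather than SaltStack’s own restartcheck code: the same crafted process name is spliced into a shell-style string (where a shell would split it into several words, or choke on an unbalanced quote) and then passed as one element of an argument list, which a child process receives unchanged. `pkg-owner-lookup` is a hypothetical stand-in for the package query the minion runs, and the two sample names are constructed.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample names in the shape the article describes: a process name
# carrying the " (deleted)" suffix (leading space included) plus trailing text
# a local user might append. "echo injected" is harmless and is never run here.
CRAFTED_NAME = "python3 (deleted); echo injected"
QUOTED_NAME = "svc 'x (deleted)"

# Hypothetical stand-in for the package query the minion runs; the article
# does not name the exact command.
QUERY_TOOL = "pkg-owner-lookup"


def build_as_shell_string(name: str) -> str:
    """The risky pattern: the name is spliced into a string meant for a shell.
    Returned for inspection only; it is never executed in this example."""
    return f"{QUERY_TOOL} --owner-of {name}"


def build_as_argv(name: str) -> list:
    """The pattern the article credits the final fix with: an argument list
    handed to popen without a shell, so the name is exactly one argv element."""
    return [QUERY_TOOL, "--owner-of", name]


def arguments_a_shell_would_see(cmd: str) -> list:
    """Split the string into words the way a POSIX shell would; an unbalanced
    quote makes shlex raise, which is reported here as an empty list."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return []


def argv_received_by_child(name: str) -> list:
    """Launch a Python child (instead of the real tool, so this runs anywhere)
    with the name as one list element and return the argv it actually got."""
    child = "import json, sys; print(json.dumps(sys.argv[1:]))"
    proc = subprocess.run([sys.executable, "-c", child, name],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def name_stays_one_argument(name: str) -> bool:
    """True when the list-based call delivers the name unchanged as a single
    argument, whatever spaces or quotes it contains."""
    return argv_received_by_child(name) == [name]


if __name__ == "__main__":
    for name in (CRAFTED_NAME, QUOTED_NAME):
        print("shell string splits into:", arguments_a_shell_would_see(build_as_shell_string(name)))
        print("argv list delivers:", argv_received_by_child(name))
```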