Passing total control of your data center to hackers through CVE-2020-11651, CVE-2020-11652

Olle Segerdahl, a database security audit specialist at F-Secure, has revealed two vulnerabilities in Salt, open source software that some organizations use to maintain data centers and cloud environments.

The expert and his team discovered these security flaws during a routine analysis at the end of March. The vulnerabilities, tracked as CVE-2020-11651 and CVE-2020-11652, can be exploited by threat actors to bypass the authentication controls used by Salt (whose architecture consists of a “master server” and “minion servers”). By exploiting these flaws, malicious hackers can execute remote code with root privileges on the master server and thereby compromise the active minion servers connected to it.

In a potential attack scenario, a hacker could use the master server to gain great processing power and conduct a cryptocurrency mining campaign, although this is just one of many possibilities. According to database security audit experts, hackers could also install backdoors to access the compromised network and steal sensitive data, as well as deploy ransomware or even threaten the victim with disclosing sensitive information.

The vulnerabilities received a score of 10/10 on the Common Vulnerability Scoring System (CVSS) scale, so they are considered critical. It should be remembered that a score of 10 on this scale is reserved for the highest-priority vulnerabilities according to the National Vulnerability Database (NVD).

A relevant finding related to these flaws is the 6000 Salt master servers recently discovered exposed on the Internet. “I expected this figure to be much lower; when these failures are disclosed to the public, hackers begin to exploit exposed hosts, as they are more vulnerable,” says the database security audit expert.

The vulnerabilities affect Salt version 3000.1 and earlier, i.e. virtually all versions of this software in use prior to the SaltStack upgrade. Although hackers would, in theory, have greater difficulty reaching hosts that are not exposed on the Internet, those hosts could still be exploited if attackers gain access to the corporate network by other means.

As a security measure, Segerdahl recommends that administrators enable automatic SaltStack upgrades, which will deploy upcoming security patches immediately. The International Institute of Cyber Security (IICS) also recommends restricting access to Salt’s master ports, or at least blocking access to exposed hosts from the open Internet.
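As an added audit example (not from the article or from the SaltStack project), the script below checks both recommendations from a defender's side: it flags a Salt version at or below 3000.1 and reports any master port bound to all interfaces, parsing constructed `ss -lnt` output so it runs offline. TCP 4505 and 4506 are Salt's default master ports; the live check assumes `salt-master --version` and `ss` are available on the host.

```python
"""Audit helper for the Salt master advisories discussed above (added example)."""
import re
import subprocess

SALT_MASTER_PORTS = {4505, 4506}   # Salt defaults: publisher (4505), request server (4506)
LAST_VULNERABLE = (3000, 1)        # article: "Salt version 3000.1 and earlier"


def parse_version(text):
    """Extract a numeric version tuple from strings like 'salt 3000.1' or '2019.2.3'."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version_text):
    """True when the reported version is 3000.1 or earlier (numeric tuple comparison)."""
    return parse_version(version_text) <= LAST_VULNERABLE


def exposed_master_ports(ss_output):
    """Return Salt master ports listening on a wildcard address (0.0.0.0, [::], *).

    ss_output is the text of `ss -lnt`; the fourth column is Local Address:Port.
    """
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # skips the header and non-listening rows
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in SALT_MASTER_PORTS and addr in ("0.0.0.0", "[::]", "*"):
            exposed.add(int(port))
    return sorted(exposed)


def audit_live_host():
    """Run both checks against the local machine (needs salt-master and ss on PATH)."""
    ver = subprocess.run(["salt-master", "--version"], capture_output=True, text=True).stdout
    sockets = subprocess.run(["ss", "-lnt"], capture_output=True, text=True).stdout
    return is_affected(ver), exposed_master_ports(sockets)


# Constructed sample `ss -lnt` output: 4505 is wildcard-bound, 4506 is limited to a LAN address.
SAMPLE_SS = """State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:4505        0.0.0.0:*
LISTEN  0       128     10.0.0.5:4506       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
"""

if __name__ == "__main__":
    print("affected:", is_affected("salt-master 3000.1"), "exposed:", exposed_master_ports(SAMPLE_SS))
```

A master showing `affected: True` with any port in the exposed list matches exactly the situation the article warns about; the fix is the upgrade, with a firewall rule limiting 4505/4506 to the minion network as the interim measure.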