[SB 20.16] critical flaw in SaltStack may lead to RCE and Infrastructure-compromise (CVE-2020-11651 )

On 2020-04-30 F-Secure published an Advisory with some critical Bugs in Saltstack, leading to a complete compromise of the Salt-Master and possibly Minions.

SwitHak released an more detailed CheatSheet on that issue, highlighting all essential information.

saltsstack swithak

While releasing this a day before holidays in europe, various ORGs got compromised within 1 day or 2:

DigiCert: CT2 Log Compromised via Salt Vulnerability
Ghost: Hackers breach Ghost blogging platform to mine cryptocurrency
Hackers breach LineageOS servers via unpatched vulnerability
Cisco

POCs exists:

salt-cve-check.py
Initial PoC of CVE-2020-11651 and CVE-2020-11652

PostMortem - Analysis

Algolia: Salt Incident: May 3rd 2020 Retrospective and Update
saltexploit.com

Saltstack-Release-Notes (Link)

saltsstack release notes {% .img-responsive %}

Updates:

2020-05-05 - new sources and detailed information
2020-05-06 - PostMortem
2020-05-28 - more fallout

Fragen? Kontakt: info@zero.bs

Filed: Mon 04 May 2020 | Security Bulletin | Tags: sb saltstack rce exploit

[SB 20.16] critical flaw in SaltStack may lead to RCE and Infrastructure-compromise (CVE-2020-11651 )

POCs exists:

PostMortem - Analysis

Updates:

Main-Links

Blog

OSS & Projects