
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN242
_____________________________________________________________________

DATE                : 04/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Salt versions prior to 2019.2.4,
                     3000.2.

=====================================================================
https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
_____________________________________________________________________


Salt 2019.2.4 Release Notes

Version 2019.2.4 is a CVE-fix release for 2019.2.0.


Security Fix

CVE-2020-11651

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000
before 3000.2. The salt-master process ClearFuncs class does not
properly validate method calls. This allows a remote user to access some
methods without authentication. These methods can be used to retrieve
user tokens from the salt master and/or run arbitrary commands on salt
minions.

CVE-2020-11652

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000
before 3000.2. The salt-master process ClearFuncs class allows access to
some methods that improperly sanitize paths. These methods allow
arbitrary directory access to authenticated users.


Known Issue

Part of the fix for CVE-2020-11651 added better validation of the
methods allowed to be called by remote clients. Both AESFuncs and
ClearFuncs now have an explicit list of methods that can be called. The
name of one of these whitelisted methods on AESFuncs had a typo. The
_minion_runner method should be minion_runner (without the underscore
prefix). This typo breaks the publish module’s runner method. Calling
runners, for example:

salt minion publish.runner manage.down

will not work, and you will receive an empty reply from the salt
master.

This will be addressed in the Sodium release of Salt set for mid-June
2020.
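
As an added illustration (not code from Salt or from this advisory), the
following simplified Python model shows the explicit allow-list check
described above and how a misspelled entry turns a legitimate call into an
empty reply. The class Funcs, its methods other than minion_runner, and the
helper check_allowlist are hypothetical names.

```python
# Simplified model of allow-list dispatch. Hypothetical names, not Salt source code.

class Funcs:
    """Stand-in for a class whose methods are called on behalf of remote clients."""

    def ping(self, load):
        return "pong"

    def minion_runner(self, load):
        return "runner:" + load.get("fun", "")

    def _internal_helper(self, load):
        # Must never be reachable from a network request.
        return "internal"


def dispatch_unvalidated(target, load):
    """Pattern before the fix: any attribute named in the request is called."""
    return getattr(target, load["cmd"])(load)


def dispatch_allowlisted(target, allowed, load):
    """Pattern after the fix: only names on the explicit list can be called."""
    cmd = load.get("cmd")
    if cmd not in allowed:
        return ""  # modelled as the empty reply the release note mentions
    return getattr(target, cmd)(load)


def check_allowlist(cls, allowed):
    """Return allow-list entries that do not name a callable on cls."""
    return sorted(n for n in allowed if not callable(getattr(cls, n, None)))


if __name__ == "__main__":
    typo = ("ping", "_minion_runner")   # constructed list with the misspelled entry
    req = {"cmd": "minion_runner", "fun": "manage.down"}  # constructed request
    print(repr(dispatch_allowlisted(Funcs(), typo, req)))
    print(check_allowlist(Funcs, typo))
```

Running check_allowlist as a unit test at release time catches an entry
that names no method before it ships.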


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================






