
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN132
_____________________________________________________________________

DATE                : 04/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Salt versions prior to 3002.5,
                     3001.6, 3000.8.

=====================================================================
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
_____________________________________________________________________


Active SaltStack CVE Release 2021-FEB-25

The Salt Project has released a security update to address 10
vulnerabilities with severity rating Medium to High. We strongly
recommend prioritizing this update.

This is a security release. In the recent past, we have gone above and
beyond our lifecycle policy in good faith to fix critical issues in
versions no longer supported. Going forward, this will be the exception
and not standard practice. We will follow our stated lifecycle policy
found on the Salt Project Lifecycle Support page.

The following CVEs were fixed as part of this release:

CVE Details

NOTE: The CVSS ratings listed below use Access Complexity “High” where
the issue cannot be exploited in a default configuration. The ratings
were computed with the CVSS Calculator.


CVE-2021-3197

    Impact: Affects the SaltAPI when the SSH module is installed and
    running on the minion. This module is not running by default.
    Description: The Salt-API’s SSH client is vulnerable to a shell
    injection by including ProxyCommand in an argument, or via
    ssh_options provided in an API request.
    Solution: Filter out ProxyCommand from arguments passed via the CLI
    or netapi
    How to Mitigate: Update to the latest Salt release, package or patch
    file
    Attribution: Reported by Daniel Jensen @dozernz
    Severity Rating: 7.0 High
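The mitigation the entry describes is a filter that refuses ProxyCommand in any ssh option or CLI argument. The function below is an added illustration of such a filter, not Salt's own code; it assumes ssh_options arrive as a list of strings, and it covers the spellings ssh(1) accepts (keyword=value, keyword value, and the -o prefix in both joined and separate-token form).

```python
import re

# ssh(1) accepts the keyword as "ProxyCommand=cmd", "ProxyCommand cmd",
# "-oProxyCommand=cmd", or "-o" followed by a separate "ProxyCommand=cmd"
# token. OpenSSH keywords are case-insensitive, so the match is too.
_PROXY_RE = re.compile(r"^(-o)?\s*proxycommand\s*(=|\s|$)", re.IGNORECASE)


def is_proxy_command(token):
    """True if a single option string or CLI token sets ProxyCommand."""
    return bool(_PROXY_RE.match(token.strip()))


def filter_ssh_options(options):
    """Split a list of ssh option strings / CLI tokens into (kept, dropped).

    Any ProxyCommand directive is dropped, including the "-o" token that
    introduces one. Illustrative helper only; the list form mirrors how
    ssh_options arrive in an API request.
    """
    kept, dropped = [], []
    i = 0
    while i < len(options):
        tok = options[i]
        if tok == "-o" and i + 1 < len(options) and is_proxy_command(options[i + 1]):
            dropped.extend(options[i:i + 2])   # drop "-o" and its argument together
            i += 2
            continue
        (dropped if is_proxy_command(tok) else kept).append(tok)
        i += 1
    return kept, dropped


if __name__ == "__main__":
    # Constructed request: one legitimate option, two ProxyCommand spellings.
    sample = ["-o", "StrictHostKeyChecking=no",
              "-o", "ProxyCommand=nc %h %p",
              "-oproxycommand=nc %h %p",
              "Port=2222"]
    print(filter_ssh_options(sample))
```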

CVE-2021-25281

    Impact: The SaltAPI does not honor eauth credentials for the
    wheel_async client. Thus, an attacker can remotely run any wheel
    modules on the master.
    Description: The Salt-API does not have eAuth credentials for the
    wheel_async client
    Solution: Honor (enforce) eauth credentials for wheel_async calls
    How to Mitigate: Update to the latest Salt release, package or patch
    file
    Attribution: 1mperio@Tencent Yunding Security Lab and
    Daniel Jensen @dozernz
    Severity Rating: 8.1 High

CVE-2021-25282

    Impact: Unauthorized access to wheel_async through salt-api can
    execute arbitrary code/commands.
    Description: The salt.wheel.pillar_roots.write method is vulnerable
    to directory traversal.
    Solution: Fix directory traversal in wheel.pillar_roots.write
    How to Mitigate: Update to the latest Salt release, packages or
    patch file
    Attribution: 1mperio@Tencent Yunding Security Lab and
    Daniel Jensen @dozernz
    Severity Rating: 5.1 Medium

CVE-2021-25283

    Impact: Via the SaltAPI fix directory traversal in
    wheel.pillar_roots.write
    Description: The jinja renderer does not protect against server-side
    template injection attacks.
    Solution: We enabled the jinja renderer safe mode as a default in
    Salt
    How to Mitigate: Update to the latest Salt release, package or patch
    file
    Attribution: 1mperio@Tencent Yunding Security Lab
    Severity Rating: 8.1 High

CVE-2021-25284

    Impact: Run a highstate against a machine which doesn’t already have
    the htpasswd file created; errors are reported but the state is
    applied correctly. This issue is not present in a default
    configuration of Salt.
    Description: webutils writes passwords in cleartext to
    /var/log/salt/minion
    Solution: Previously, cmdmod might log passwords to info and error
    levels; now, cmdmod will only log the command name, not the full
    command
    How to Mitigate: Update to the latest Salt release, package or patch
    file
    Attribution: Reported by Carlos https://github.com/nzlosh
    Severity Rating: 4.1 Medium

CVE-2021-3148

    Impact: Via the SaltAPI a command is constructed from formatted
    string and can be truncated if there are single quotes in
    extra_mods, since json.dumps() escapes double quotes while leaving
    the single quotes untouched.
    Description: command injection in salt.utils.thin.gen_thin()
    Solution: Remove shell usage in thin utils
    How to Mitigate: Update to the latest version of Salt via packages
    or patch files
    Attribution: Reported by Ruikai Lui lrk700@gmail.com
    Severity Rating: 6.8 Medium

CVE-2020-35662

    Impact: SSL cert not verified by default
    Description: Several places where Salt was not verifying the SSL
    cert by default
    Solution: Now, SSL cert is verified by default
    How to Mitigate: Update the minion to the latest release, package or
    patch file
    Severity Rating: 7.4 High

CVE-2021-3144

    Impact: eauth tokens can be used once after expiration
    Description: Token can be used once after expiration
    Solution: Method returns empty dictionary if token is expired
    How to Mitigate: Update to the latest Salt release, package or patch
    file
    Attribution: Reported by Ken Crowell https://github.com/oeuftete
    Severity Rating: 7.4 High

CVE-2020-28972

    Impact: Code base not validating SSL/TLS certificate of the server,
    which might allow attackers to obtain sensitive information via a
    man-in-the-middle attack
    Description: Missing validation on SSL cert
    Solution: Default VMware modules to verify SSL by default
    How to Mitigate: Update to the latest Salt release, package or patch
    file
    Attribution: Reported by Long Nguyen Van ngvlongit1@gmail.com
    Severity Rating: 7.4 High

CVE-2020-28243

    Impact: A privilege escalation is possible on a SaltStack minion
    when an unprivileged user is able to create files in any
    non-blacklisted directory via a command injection in a process name.
    Description: Local Privilege Escalation in the Minion
    Solution: Remove shell usage in the restartcheck module
    How to Mitigate: Update the minion to the latest release, package or
    patch file
    Attribution: Reported by Matthew Rollings
    matthew.rollings@immersivelabs.com
    Severity Rating: 7.0 High
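Two entries above (CVE-2021-3148 in gen_thin and CVE-2020-28243 in restartcheck) share one root cause and one fix: data was interpolated into a command string that a shell re-parsed, and the remedy was to remove the shell. The added example below, which is not Salt's code, shows why json.dumps() does not help when its output lands inside single quotes, and what the shell-free form looks like. The program name gen_thin and the single-quoted format string are constructed stand-ins; shlex.split() is used to model the shell's tokenising without executing anything.

```python
import json
import shlex


def argv_via_shell_string(extra_mods):
    """Pattern the advisory describes: a json.dumps() payload interpolated
    into a single-quoted shell command. json.dumps() escapes double quotes
    but leaves single quotes alone, so a single quote in the data closes
    the shell quoting early. shlex.split() models how /bin/sh tokenises
    the string; nothing is executed."""
    payload = json.dumps({"extra_mods": extra_mods})
    command = "gen_thin '%s'" % payload   # constructed stand-in for the formatted string
    return shlex.split(command)


def argv_without_shell(extra_mods):
    """Hardened form: build the argument vector directly, as one would pass
    to subprocess.run(argv) with shell=False. No shell ever re-parses it,
    so quotes in the data are just bytes in one argument."""
    payload = json.dumps({"extra_mods": extra_mods})
    return ["gen_thin", payload]


def payload_intact(argv):
    """True when argv carries exactly one JSON argument that decodes back;
    False means the argument boundary was broken by the shell."""
    if len(argv) != 2:
        return False
    try:
        json.loads(argv[1])
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Second value is a constructed input that contains single quotes.
    for mods in ["foo", "x' 'y"]:
        print(repr(mods),
              "shell:", payload_intact(argv_via_shell_string(mods)),
              "argv:", payload_intact(argv_without_shell(mods)))
```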


Packages and Patches

Packages

Updated packages can be found at https://repo.saltproject.io for these
supported versions of Salt. These versions have been updated for this
CVE release:

    3002.5
    3001.6
    3000.8

Important: During testing for this CVE release a regression was found.
We communicated this, which delayed the release. Please note the
version numbers will not match a conventional order.


Patches

Security patch files can be found here:
https://gitlab.com/saltstack/open/salt-patches. Please note that the
readme.md links to each patch file per version. Due to the regression
found, there is more than one file per version to apply.

Patches are available for the following versions:

    3002.2
    3001.4
    3000.6
    2019.2.8
    2019.2.5
    2018.3.5
    2017.7.8
    2016.11.10
    2016.11.6
    2016.11.5
    2016.11.3
    2016.3.8
    2016.3.6
    2016.3.4
    2015.8.13
    2015.8.10

NOTE: If you are running an older version of Salt not listed on either
of these sites, please update to a different version before applying an
available patch.


Additional Resources

    KB article: Upgrading Your Salt Infrastructure
    Salt Docs: Best Way to Restart a Salt Minion Daemon with Salt After
    Upgrade



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


