
SaltStack Salt API Unauthenticated Remote Command Execution


Sven Security Bot

Apr 1, 2021, 10:33:07 AM
This Metasploit module leverages authentication bypass and directory traversal
vulnerabilities in SaltStack Salt's REST API to execute commands remotely on the master
as the root user. Every 60 seconds, the salt-master service performs a maintenance process
check that reloads and executes all the grains on the master, including custom grain
modules in the Extension Module directory. So, this module simply creates a Python script
at this location and waits for it to be executed. The time interval is set to 60 seconds
by default but can be changed in the master configuration file with the loop_interval
option. Note that, if an administrator executes commands locally on the master, the
maintenance process check will also be performed. It has been fixed in the following
installation packages: 3002.5, 3001.6 and 3000.8. Also, a patch is available for the
following versions: 3002.2, 3001.4, 3000.6, 2019.2.8, 2019.2.5, 2018.3.5, 2017.7.8,
2016.11.10, 2016.11.6, 2016.11.5, 2016.11.3, 2016.3.8, 2016.3.6, 2016.3.4, 2015.8.13 and
2015.8.10. This module has been tested successfully against versions 3001.4, 3002 and
3002.2 on Ubuntu 18.04.



https://packetstormsecurity.com/files/162058/saltstack_salt_wheel_async_rce.rb.txt


--

Sven - Security Vulnerability E-Notifier
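
A defender-side check for the behaviour described in the post, as an added example that is not part of the original post or the Metasploit module: it hashes every file in the master's Extension Module grains directory and reports files that are missing from, or differ from, an approved baseline. The directory path, the baseline format and the function name `audit_grains_dir` are assumptions made for this example.

```python
import hashlib
import tempfile
import time
from pathlib import Path

# Assumption: default extension module location on a Salt master; use the
# extension_modules value from your master configuration if it differs.
DEFAULT_GRAINS_DIR = "/var/cache/salt/master/extmods/grains"


def audit_grains_dir(grains_dir, baseline, now=None, recent_seconds=3600):
    """Compare every regular file under grains_dir with an approved baseline.

    baseline maps a relative file name to the SHA-256 of its approved content.
    Returns one finding per file that is unknown or whose content changed.
    """
    root = Path(grains_dir)
    now = time.time() if now is None else now
    findings = []
    if not root.is_dir():
        return findings
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if baseline.get(rel) == digest:
            continue  # approved file, unchanged
        findings.append({
            "file": rel,
            "reason": "changed" if rel in baseline else "unknown",
            "sha256": digest,
            # Recent writes matter because grains are reloaded every loop_interval.
            "recent": now - path.stat().st_mtime <= recent_seconds,
        })
    return findings


if __name__ == "__main__":
    # Constructed demo data in a temporary directory, not a real master.
    with tempfile.TemporaryDirectory() as tmp:
        approved = Path(tmp, "site_grains.py")
        approved.write_text("def site():\n    return {'site': 'lab'}\n")
        baseline = {"site_grains.py": hashlib.sha256(approved.read_bytes()).hexdigest()}
        Path(tmp, "unexpected.py").write_text("# file nobody approved\n")
        for finding in audit_grains_dir(tmp, baseline):
            print(finding)
```

On a real master, generate the baseline from the grain modules you deploy; compiled cache files in the directory are reported as unknown unless they are part of that baseline.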