Security Vulnerability: Several CVEs in SALT

This document (000019887) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
 

Situation

SaltStack announced a Security Release fixing several critical issues

The issues rank from privilege escalation, missing SSL/TLS certificate validation, directory traversal over to possible command injection.

Resolution

SUSE has released fixes and updates for all the supported products.

Cause

List of CVEs:

CVE-2020-28243  A privilege escalation is possible on a SaltStack minion when an unprivileged user is able to create files in any non-blacklisted directory via a command injection in a processes' name. Simply ending a file with "(deleted)" and keeping a file handler open to it is enough to trigger the exploit whenever a restart check is triggered from a SaltStack master.

  • CVE-2020-28972 In SaltStack Salt v2015.8.0 through v3002.2, authentication to vCenter, vSphere, and ESXi servers does not always validate the SSL/TLS certificate.
  • CVE-2021-3148 An issue was discovered in SaltStack Salt v2016.3.0 through v3002.2. Sending crafted web requests to the Salt API, when using the SSH client, can result in command injection. 
  • CVE-2021-25281 The Salt-API does not honor eAuth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
  • CVE-2021-25282 The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
  • CVE-2021-25283 The jinja render does not protect against server-side template injection attacks.
  • CVE-2021-3144 Token can be used once after expiration eauth tokens can be used once after expiration.
  • CVE-2021-25284 Salt.modules.cmdmod can log credential to the “error” log level
  • CVE-2021-3197 The Salt-API's SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
  • CVE-2020-35662 In SaltStack Salt v2015.8.0 through v3002.2, when authenticating to services using certain modules (asam runner, qingcloud, splunk returner, panos proxy, cimc proxy, zenoss module, esxi module, vsphere module, glassfish module, bigip module, and keystone module), the SSL certificate is not always validated.
 

 

Status

Security Alert

Additional Information

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000019887
  • Creation Date: 26-Feb-2021
  • Modified Date:26-Feb-2021
    • SUSE Linux Enterprise Server
    • SUSE Manager for Retail
    • SUSE Manager Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center