Attacker Value

Very High

CVE-2020-25592 — SaltStack Authentication Bypass and Salt SSH Command Execution

Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2020-25592 — SaltStack Authentication Bypass and Salt SSH Command Execution

Disclosure Date: November 06, 2020 •

CVE-2020-25592 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by gwillcox-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

exploit/linux/http/saltstack_salt_api_cmd_exec

Description

In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.

Add Assessment

wvu-r7 (437)

November 10, 2020 11:51pm UTC (3 years ago)

Ratings

Attacker Value

Very High

Exploitability

Very High

Common in enterprise Easy to weaponize Gives privileged access Unauthenticated

Technical Analysis

Please see the Rapid7 analysis.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

debian,
saltstack

Products

debian linux 10.0,
debian linux 9.0,
salt,
salt 3001

Metasploit Modules

exploit/linux/http/saltstack_salt_api_cmd_exec (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/saltstack_salt_api_cmd_exec.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: June 14, 2022 9:35pm UTC (1 year ago)

References

Rapid7

November 10, 2020 1:33am UTC (3 years ago)• Last updated November 11, 2020 5:00pm UTC (3 years ago)

Technical Analysis

Description

On Tuesday, November 3, VMware’s SaltStack released details on three new CVEs. The two more severe vulnerabilities, CVE-2020-16846 and CVE-2020-25592, affect SaltStack’s Salt API and are the focus of this analysis. CVE-2020-16846 allows an unauthenticated attacker with network access to use shell injections to run code on the Salt-API using the SSH client. CVE-2020-25592 allows an attacker to bypass authentication and make calls to Salt SSH by supplying any value for “eauth” or “token”. A successful attack using the two vulnerabilities can result in unauthenticated remote root access on a target system.

Note: This analysis is the same as the analysis posted to CVE-2020-16846.

Affected products

A patch is available for the following affected Salt versions:

3002
3001.1, 3001.2
3000.3, 3000.4
2019.2.5, 2019.2.6
2018.3.5
2017.7.4, 2017.7.8
2016.11.3, 2016.11.6, 2016.11.10
2016.3.4, 2016.3.6, 2016.3.8
2015.8.10, 2015.8.13

Rapid7 analysis

None of the CVEs have a severity rating associated with them, but it hardly matters much what the eventual severity ratings turn out to be. Pre-authenticated remote root is the gold-medal standard for attackers, and it took Rapid7 researchers a mere 15 minutes and a single HTTP request to get there. CVE-2020-11651, another Salt vulnerability from April 2020, was exploited quickly by threat actors. We expect CVEs 2020-16846 and 2020-25592 to follow that same path.

Guidance

SaltStack customers should patch as quickly as possible, prioritizing these vulnerabilities above other tasks—if at all possible, please don’t wait for your typical patch cycle to apply SaltStack security updates. There are no known mitigations or workarounds as of November 9, 2020.

Very High