SaltStack has publicly disclosed three vulnerabilities that had been affecting Salt instances for some time. Two of them are rated High or Critical.
One is a shell injection flaw (CVE-2020-16846) that allows an unauthenticated actor to achieve Remote Code Execution (RCE) on unpatched Salt instances.
The other two are an authentication bypass flaw (CVE-2020-25592) and a permissions issue affecting SSH key files (CVE-2020-17490).
Shortly after disclosure, reports emerged on Twitter, with some users highlighting the “pretty severe” nature of the vulnerabilities.
While SaltStack gave a heads-up on October 30th, the timing of the full disclosure is interesting in that it coincided with U.S. Election Day, when much distraction is expected, making it an ideal time to deliver unsavory news.
As I first reported on BleepingComputer, the fix for the shell injection vulnerability CVE-2020-16846 appears to have existed in Salt’s public GitHub repository since at least August 18th, 2020.
Moreover, some of the Zero-Day Initiative (ZDI) bugs referenced in the fixes carry original vulnerability report dates going back to June 2020.
The reason for the gaps between these events isn’t entirely clear.
Original vulnerability reports for some of the CVEs were filed in June via the Zero-Day Initiative (and carry ZDI identifiers).
Publicly visible fixes were committed to Salt’s GitHub repository starting in August, but full disclosure and the release of patched versions only took place on November 3rd, 2020.
Users should follow the official SaltStack advisory, released November 3rd, for upgrade advice and patches.
Patches for older versions have also been provided via GitLab.