News

SaltStack discloses critical bugs on Election Day

SaltStack has publicly disclosed 3 vulnerabilities that had been impacting Salt instances for some time. Two of these have been rated as High or Critical.

One of the vulnerabilities is a Shell Injection flaw (CVE-2020-16846) which allows an unauthenticated actor to conduct Remote Code Execution (RCE) attacks on the unpatched Salt instances.

The other two vulnerabilities are an authentication bypass flaw (CVE-2020-25592), and a permissions issue impacting the SSH key files (CVE-2020-17490).

Shortly after disclosure, reports emerged on Twitter, with some users highlighting the “pretty severe” nature of vulnerabilities.

Reports emerged on Twitter with some users calling the vulns. “pretty severe!”

While a heads up was given by SaltStack folks on October 30th, the timing of full disclosure is interesting in how it coincides with the U.S. Election Day, when much distraction is expected, making it an ideal time to deliver unsavory news.

As I had first reported on BleepingComputer, the fix for the shell injection vulnerability CVE-2020-16846 appears to have existed in Salt’s public GitHub repository, since at least August 18th, 2020.

Moreover, some of the Zero-Day Initiative (ZDI) bugs mentioned in the fixes show dates of original vulnerability reports dating back to June, 2020.

The reason behind gaps between different events isn’t entirely clear.

Original vulnerability reports for some CVEs were filed in June via Zero-Day Initiative (and have ZDI identifiers).

GitHub fixes (publicly visible) were made to Salt starting August, but full disclosure and release of patched versions only took place on November 3rd, 2020.

Users should follow the official SaltStack advisory, released November 3rd, for upgrade advice and patches.

Patches for older versions have also been provided via GitLab.


Background photo licensed under CC BY-NC.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

10 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

11 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

11 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

11 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.