These Two Critical SaltStack Flaws Are Affecting Thousands Of Data Centers


'Salt' is an approach to infrastructure management, built on a dynamic communication bus.

Designed to allow users to issue commands to multiple machines directly, the Python-based automation and remote execution engine can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and more.

Salt is the product, and SaltStack is the company.

And it has now been hit by flaws that affect thousands of data centers around the world.

As discovered by researchers from F-Secure, SaltStack has two severe security flaws that could allow hackers to execute arbitrary code on remote servers deployed in data centers and cloud environments.

The researchers discovered the flaws after digging into SaltStack's open-sourced Salt configuration framework.

In one of its advisory pages, the F-Secure cybersecurity firm said that:

"The vulnerabilities, allocated CVE ids CVE-2020-11651 CVE-2020-11652, are of two different classes. One being authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other being directory traversal where untrusted input (i.e. parameters in network requests) was not sanitized correctly allowing unconstrained access to the entire filesystem of the master server."

The vulnerabilities allow attackers who can connect to the "request server" port to bypass all authentication and authorization controls, publish arbitrary control messages, and read and write files anywhere on the "master" server filesystem.

This allows the attackers to steal the secret key used to authenticate to the master as root.


Salt is built as a utility to monitor and update the state of its users' servers.

By employing a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a "master" node, Salt can deploy changes to a target group of minions (e.g., servers) en masse.

The communication between a master and minion occurs over the ZeroMQ message bus.

ZeroMQ is a high-performance asynchronous messaging library, aimed at use in distributed or concurrent applications. It provides a message queue that can run without a dedicated message broker.

The master exposes two ZeroMQ channels: a "request server", to which minions report their execution results, and a "publish server", on which the master publishes messages that its minions connect to and subscribe to.

According to F-Secure researchers, the two flaws reside within this tool's ZeroMQ protocol.

"The vulnerabilities described in this advisory allow an attacker who can connect to the 'request server' port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server filesystem and steal the secret key used to authenticate to the master as root," the researchers said.

"The impact is full remote command execution as root on both the master and all minions that connect to it."

In other words, an attacker can exploit the flaws to call administrative commands on the master server as well as queue messages directly on the master's publish server, thereby making the Salt minions run malicious commands.


The vulnerabilities were identified by F-Secure researchers in March 2020 and disclosed a day after SaltStack released a patch (version 3000.2) to address the issues.

The F-Secure researchers warned that the flaws could be exploited in the wild.

They said that initial scans revealed more than 6,000 vulnerable Salt instances exposed to the public internet.

"Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks," the researchers said.

"We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," F-Secure researchers warned.

And that warning came too late, as some had not updated.

Days after the cybersecurity researchers sounded the alarm over the two critical vulnerabilities, a hacking campaign had already begun exploiting the flaws to compromise the servers of LineageOS, Ghost, and DigiCert.

With F-Secure's alert revealing thousands of vulnerable Salt servers around the world that can be exploited via the two vulnerabilities if left unpatched, companies are advised to update their Salt software packages to the latest version to resolve the flaws.

SaltStack also urges users to follow the best practices to secure the Salt environment.
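As an added example (not code from the article, F-Secure or SaltStack), the two defensive steps recommended above, checking a master against the patched release 3000.2 and restricting the default ports 4505 and 4506 to known minions, as a POSIX shell script; the `salt_master` nftables table name and the minion addresses in the usage comment are assumptions.

```shell
# Added example, not from the article or SaltStack: check the installed
# salt-master version against the patched release named in the article and
# emit an nftables fragment that limits ports 4505/4506 to known minions.

PATCHED_VERSION="3000.2"   # per the article; older release lines carry their own fixes

# Return 0 if dotted version $1 is greater than or equal to $2, else 1.
# Only numeric dotted versions such as "3000.2" or "2019.2.3" are handled.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"            # leading component
        [ "$a" = "$ah" ] && a="" || a="${a#*.}" # strip it from the remainder
        [ "$b" = "$bh" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"            # missing component counts as 0
        [ "$ah" -gt "$bh" ] && return 0
        [ "$ah" -lt "$bh" ] && return 1
    done
    return 0
}

# Given the output of `salt-master --version` (e.g. "salt-master 3000.1"),
# return 0 when the installed version is at or above PATCHED_VERSION.
master_is_patched() {
    installed="${1##* }"                        # last whitespace-separated field
    version_ge "$installed" "$PATCHED_VERSION"
}

# Print an nftables ruleset that accepts the Salt ports only from the minion
# addresses given as arguments and drops every other source. Load it with
# `salt_nft_rules 10.0.0.11 10.0.0.12 | nft -f -` (constructed addresses).
salt_nft_rules() {
    minions=$(printf '%s, ' "$@"); minions="${minions%, }"
    cat <<EOF
table inet salt_master {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { 4505, 4506 } ip saddr { $minions } accept
        tcp dport { 4505, 4506 } drop
    }
}
EOF
}

# Stand-alone use: report whether the local salt-master (if any) is patched.
if command -v salt-master >/dev/null 2>&1; then
    if master_is_patched "$(salt-master --version)"; then
        echo "salt-master is at or above $PATCHED_VERSION"
    else
        echo "salt-master is older than $PATCHED_VERSION: update it" >&2
    fi
fi
```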

Published: 06/05/2020