CVE-2016-9639
Published 2017-02-07
Priority: P344 · critical · CVSS 3.0: 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 2.58% (83.3th percentile)
Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| saltstack | salt | <= 2015.8.10 | — |
| saltstack | salt | >= 0 < 2015.8.11 | 2015.8.11 |
CVSS provenance
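| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | | 9.1 | CRITICAL | |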
GHSA
Salt allows deleted minions to read or write to minions with the same id
ghsa·2022-05-17
CVE-2016-9639 [CRITICAL] CWE-284
Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
OSV
Salt allows deleted minions to read or write to minions with the same id
osv·2022-05-17
CVE-2016-9639 [CRITICAL]
Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
OSV
CVE-2016-9639: Salt before 2015
osv·2017-02-07
Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
Red Hat
salt: Vulnerable caching provides access to private pillar data
vendor_redhat·2016-11-25·CVSS 9.1
CVE-2016-9639 [CRITICAL]
Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
Package: salt (Red Hat Ceph Storage 1.3) - Will not fix
Package: salt (Red Hat Ceph Storage 2) - Will not fix
Package: salt (Red Hat Storage Console 2) - Will not fix
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-9639 salt: Vulnerable caching provides access to private pillar data
bugzilla·2016-11-28·CVSS 9.1
CVE-2016-9639 [CRITICAL]
Salt minions (clients) come with a descriptive id and a crypto key
each. Attaching a minion to a master (server) boils down to "accepting
its key" with a command on the master.
Now it can happen that after one minion is fully accepted, a second one
presents itself to the master with the same id but different key. In
that case, Salt will figure out that the key is different and reject the
second minion, assuming it is an impostor.
Due to Salt's caching mechanisms, I found out that under certain
circumstances Salt commands can reach, read data from and write data to,
both minions ("original" and "impostor"). That includes pillar data,
which is supposed to be secret to a certain minion.
References:
http://secl
Bugzilla
CVE-2016-9639 salt: Vulnerable caching provides access to private pillar data [epel-all]
bugzilla·2016-11-28·CVSS 9.1
CVE-2016-9639 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppor
http://www.openwall.com/lists/oss-security/2016/11/25/2
http://www.openwall.com/lists/oss-security/2016/11/25/3
http://www.securityfocus.com/bid/94553
https://docs.saltstack.com/en/2015.8/ref/configuration/master.html#rotate-aes-key
Published 2017-02-07