CVE-2020-25592
Published 2020-11-06
CVE-2020-25592: In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
Priority: P181 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 57.45% (99.0th percentile)
Affected
40 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| saltstack | salt | < 2015.8.10 | 2015.8.10 |
| saltstack | salt | — | — |
| saltstack | salt | >= 0 < 2015.8.10 | 2015.8.10 |
| saltstack | salt | >= 0 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 0 < 2015.8.8+ds-1ubuntu0.1+esm2 | 2015.8.8+ds-1ubuntu0.1+esm2 |
| saltstack | salt | >= 0 < 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 | 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2016.11.0 < 2016.11.3 | 2016.11.3 |
| saltstack | salt | >= 2016.11.0 < 2016.11.3 | 2016.11.3 |
| saltstack | salt | >= 2016.11.0 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.11.4 < 2016.11.6 | 2016.11.6 |
| saltstack | salt | >= 2016.11.4 < 2016.11.6 | 2016.11.6 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.0 < 2016.3.8 | 2016.3.8 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
| saltstack | salt | >= 2016.3.7 < 2016.3.8 | 2016.3.8 |
| saltstack | salt | >= 2016.3.7 < 2016.3.8 | 2016.3.8 |
| saltstack | salt | >= 2017.5.0 < 2017.7.4 | 2017.7.4 |
Detection & IOCs (extracted from sources)
- Detect POST requests to /run with client=ssh and parameters ssh_priv, ssh_user (or tgt in username@localhost format), ssh_port, ssh_remote_port_forwards, or ssh_options containing shell metacharacters, indicating command injection attempts.
- The Metasploit module exploits this vulnerability against Salt versions including 2019.2.3 and 3002 on Ubuntu 20.04.1; prioritize detection on these versions.
- The rest-cherrypy netapi module is NOT enabled by default; the vulnerability is only exploitable if it has been explicitly configured in /etc/salt/master.
- Salt versions through 3002 are affected; patched versions include 3000.3, 3000.4, 3001.1, 3001.2, and 3002 (with the security patch applied).
- Red Hat Ceph Storage 2's salt package will not be fixed as RHSCON-2 has reached End Of Life.
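The request check from the first detection note can be sketched as follows. This is an added example, not code from any of the cited sources: the sample requests are constructed, and the metacharacter set and the assumption that bodies are form-encoded or JSON (one object or a list of objects) are assumptions of this sketch.

```python
import json
import re
from urllib.parse import parse_qs

# Parameters named in the detection note above.
SSH_PARAMS = ("ssh_priv", "ssh_user", "tgt", "ssh_port",
              "ssh_remote_port_forwards", "ssh_options")
# Assumed, conservative set of shell metacharacters.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\]")

def _strings(value):
    """Normalise a scalar or list parameter value to a list of strings."""
    items = value if isinstance(value, list) else [value]
    return [str(i) for i in items]

def parse_body(content_type, body):
    """Return the request parameters as a list of dicts."""
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return []
        items = data if isinstance(data, list) else [data]
        return [d for d in items if isinstance(d, dict)]
    return [parse_qs(body, keep_blank_values=True)]  # values are lists

def inspect_request(method, path, content_type, body):
    """Return sorted names of flagged parameters, [] if nothing matches."""
    if method.upper() != "POST" or path.split("?")[0].rstrip("/") != "/run":
        return []
    hits = set()
    for params in parse_body(content_type, body):
        if "ssh" not in _strings(params.get("client", "")):
            continue
        for name in SSH_PARAMS:
            if any(SHELL_META.search(s) for s in _strings(params.get(name, ""))):
                hits.add(name)
    return sorted(hits)

# Constructed sample requests: (method, path, content type, body).
SAMPLES = [
    ("POST", "/run", "application/json",
     '{"client": "ssh", "tgt": "*", "fun": "test.ping", "ssh_priv": "key;CONSTRUCTED-SAMPLE"}'),
    ("POST", "/run", "application/x-www-form-urlencoded",
     "client=ssh&tgt=root%40localhost&fun=test.ping&ssh_port=22%7CCONSTRUCTED-SAMPLE"),
    ("POST", "/run", "application/json", '[{"client": "local", "tgt": "*", "fun": "test.ping"}]'),
    ("POST", "/run", "application/json", '{"client": "ssh", "tgt": "web1", "ssh_port": 22}'),
]

def scan(samples=SAMPLES):
    return [inspect_request(*s) for s in samples]
```

Because values are decoded before matching, URL-encoded metacharacters in form bodies are caught as well; requests with `client=ssh` and clean parameters are not flagged by this check and need separate review on hosts where no Salt SSH use through the API is expected.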
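CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |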
Ubuntu
Salt vulnerabilities
vendor_ubuntu·2024-08-08·CVSS 9.8
CVE-2020-16846 [CRITICAL] Salt vulnerabilities
Title: Salt vulnerabilities
Summary: Several security issues were fixed in Salt.
It was discovered that Salt incorrectly handled crafted web requests.
A remote attacker could possibly use this issue to run arbitrary
commands. (CVE-2020-16846)
It was discovered that Salt incorrectly created certificates with weak
file permissions. (CVE-2020-17490)
It was discovered that Salt incorrectly handled credential validation.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2020-25592)
It was discovered that Salt incorrectly handled crafted process names.
An attacker could possibly use this issue to run arbitrary commands.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28243)
It was discovered that Salt incorrectly handled validation of SSL/TLS
certificates.
Red Hat
salt: salt-netapi improperly validates eauth credentials and tokens
vendor_redhat·2020-11-03·CVSS 9.8
CVE-2020-25592 [CRITICAL] CWE-287 salt: salt-netapi improperly validates eauth credentials and tokens
salt: salt-netapi improperly validates eauth credentials and tokens
In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
A flaw was found in salt. Invalid eauth credentials and tokens are not handled correctly when calling Salt SSH via the salt-api which could allow an attacker to bypass authentication and gain access to restricted information or to possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: Red Hat Ceph Storage 2 shipped salt for the usage of Red Hat Storage Console 2 (RHSCON-2), which required salt to administrate ceph nodes. RHSCON-2 has reached End Of Life, hence salt is n
OSV
salt vulnerabilities
osv·2024-08-08·CVSS 9.8
CVE-2020-16846 [CRITICAL] salt vulnerabilities
salt vulnerabilities
It was discovered that Salt incorrectly handled crafted web requests.
A remote attacker could possibly use this issue to run arbitrary
commands. (CVE-2020-16846)
It was discovered that Salt incorrectly created certificates with weak
file permissions. (CVE-2020-17490)
It was discovered that Salt incorrectly handled credential validation.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2020-25592)
It was discovered that Salt incorrectly handled crafted process names.
An attacker could possibly use this issue to run arbitrary commands.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28243)
It was discovered that Salt incorrectly handled validation of SSL/TLS
certificates. A remote attacker could possibly use this issue to spoof
a t
OSV
SaltStack Salt Improper Validation of eauth credentials and tokens in salt-netapi
osv·2022-05-24
CVE-2020-25592 [CRITICAL] SaltStack Salt Improper Validation of eauth credentials and tokens in salt-netapi
SaltStack Salt Improper Validation of eauth credentials and tokens in salt-netapi
In SaltStack the salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
GHSA
SaltStack Salt Improper Validation of eauth credentials and tokens in salt-netapi
ghsa·2022-05-24
CVE-2020-25592 [CRITICAL] CWE-20 SaltStack Salt Improper Validation of eauth credentials and tokens in salt-netapi
SaltStack Salt Improper Validation of eauth credentials and tokens in salt-netapi
In SaltStack the salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
OSV
CVE-2020-25592: In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens
osv·2020-11-06
CVE-2020-25592 CVE-2020-25592: In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens
In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
No detection rules found.
Trendmicro
Detailing SaltStack Salt Command Injection Vulnerabilities
blogs_trendmicro·2020-11-24
Detailing SaltStack Salt Command Injection Vulnerabilities
# Detailing SaltStack Salt Command Injection Vulnerabilities
This post details the SaltStack Salt command injection vulnerabilities.
By: Zero Day Initiative
2020/11/24
On November 03, SaltStack released a security patch for Salt to fix three critical vulnerabilities. Two of these fixes were in response to five bugs originally reported through the ZDI program. These bugs can be used to achieve unauthenticated command injection on a system running the affected Salt application. ZDI-CAN-11143 was reported to the ZDI program by an anonymous researcher, while the remaining bugs are variants of ZDI-CAN-11143 discovered by me. In this blog, we will look into the root cause of these bugs.
The Vulnerability
The vulnerabilities affect the rest-cherrypy netapi
Trendmicro
This Week in Security News: US Cyber Command Exposes New Russian Malware and REvil Ransomware Gang 'Acquires' KPOT Malware
blogs_trendmicro·2020-11-06
This Week in Security News: US Cyber Command Exposes New Russian Malware and REvil Ransomware Gang 'Acquires' KPOT Malware
# This Week in Security News: US Cyber Command Exposes New Russian Malware and REvil Ransomware Gang 'Acquires' KPOT Malware
Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days.
By: Jon Clay
2020/11/06
This week, learn about eight new malware samples that were developed and deployed by Russian hackers in recent attacks. Also, read about how the operators of the REvil ransomware strain have "acquired" the source code of the KPOT trojan in an auction held on a hacker forum last month.
Read on:
Beware a New Google Drive Scam Landing in Inboxes
Scammers just found a new phishing lure to play with: Google Drive. A flaw in Drive is being exploited to send out seeming
Tenable
CVE-2020-16846, CVE-2020-25592: Critical Vulnerabilities in Salt Framework Disclosed
blogs_tenable·2020-11-04·CVSS 9.8
[CRITICAL] CVE-2020-16846, CVE-2020-25592: Critical Vulnerabilities in Salt Framework Disclosed
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html
- http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html
- https://docs.saltstack.com/en/latest/topics/releases/index.html
- https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/
- https://security.gentoo.org/glsa/202011-13
- https://www.debian.org/security/2021/dsa-4837
- https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
Published: 2020-11-06