SaltStack vulnerabilities in Cisco Modeling Labs and Virtual Internet Routing Lab



Published: 2020-05-28
Risk Critical
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2020-11651
CVE-2020-11652
CWE-ID CWE-287
CWE-22
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerability #2 is being exploited in the wild.
Vulnerable software
Subscribe 		Cisco Virtual Internet Routing Lab Personal Edition
Server applications / Virtualization software

Cisco Modeling Labs Corporate Edition
Server applications / Virtualization software

Vendor Cisco Systems, Inc

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

Described vulnerabilities are known to be exploited in the wild. According to Cisco, the following virl servers were compromised on May 7:

  • us-1.virl.info
  • us-2.virl.info
  • us-3.virl.info
  • us-4.virl.info
  • vsm-us-1.virl.info
  • vsm-us-2.virl.info

It is recommended to install patches ASAP or re-image deployed virtual machines.

1) Improper Authentication

EUVDB-ID: #VU27494

Risk: Critical

CVSSv3.1:

CVE-ID: CVE-2020-11651

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the salt-master process "ClearFuncs" class does not properly validate method calls. A remote non-authenticated attacker can bypass authentication process and gain access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minion as root.

Note: this vulnerability is being actively exploited in the wild.

Mitigation

Update the affected releases to a patched release.

Vulnerable software versions

Cisco Virtual Internet Routing Lab Personal Edition: 1.2 - 1.6

Cisco Modeling Labs Corporate Edition: 1.2 - 1.6

CPE2.3 External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Path traversal

EUVDB-ID: #VU27495

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-11652

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the salt-master process ClearFuncs class. A remote authenticated attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation

Update the affected releases to a patched release.

Vulnerable software versions

Cisco Virtual Internet Routing Lab Personal Edition: 1.2 - 1.6

Cisco Modeling Labs Corporate Edition: 1.2 - 1.6

CPE2.3 External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###