SB2023110714 - Gentoo update for Salt
Published: November 7, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 vulnerabilities.
1) Security restrictions bypass (CVE-ID: CVE-2020-28243)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation. A remote user can create files in any non-blacklisted directory via a command injection in a process name.
2) Improper Certificate Validation (CVE-ID: CVE-2020-28972)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to absent validation of SSL/TLS certificates. A remote attacker can perform MitM attack.
3) Improper Certificate Validation (CVE-ID: CVE-2020-35662)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to improper TLS certificate validation. A remote attacker can force the application to accept an untrusted certificate and perform MitM attack.
4) Improper Authentication (CVE-ID: CVE-2021-3144)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests for expired eauth tokens. A remote attacker can re-use one more time expired eauth tokens to run command against the salt master or minions.
5) Command Injection (CVE-ID: CVE-2021-3148)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary commands within the application.
The vulnerability exists due to improper input validation, related to handling single and double quotes, within the salt.utils.thin.gen_thin() function in salt/utils/thin.py. A remote user can send a specially crafted HTTP request to the SaltAPI and execute arbitrary commands.
6) OS Command Injection (CVE-ID: CVE-2021-3197)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the salt-api ssh client. A remote attacker can include the ProxyCommand in an argument, or via ssh_options provided in an API request and execute arbitrary commands on the system.
7) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2021-21996)
CWE-ID: -
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the way Salt download URL. A local user with control over the file source URL and its source_hash URL can gain full file system access as root on a salt minion.
8) Improper access control (CVE-ID: CVE-2021-25281)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. The salt-api does not honor eauth credentials for the wheel_async client. A remote attacker can remotely run any wheel modules on the master.
9) Path traversal (CVE-ID: CVE-2021-25282)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Green
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the salt.wheel.pillar_roots.write method. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
10) Code Injection (CVE-ID: CVE-2021-25283)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a user attacker to perform server-side template injection attacks.
The vulnerability exists due to improper input validation. A remote user can send a specially crafted request and execute arbitrary code on the target system via the SaltAPI fix directory traversal in wheel.pillar_roots.write (described in #VU50980).
11) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2021-25284)
CWE-ID: CWE-532 - Information Exposure Through Log Files
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to salt.modules.cmdmod stores sensitive information, such as passwords into the /var/log/salt/minion file. A local user can read the log files and gain access to sensitive data.
12) Command Injection (CVE-ID: CVE-2021-31607)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to command injection in the snapper module. A local user can escalate privileges on a minion.
13) Cryptographic issues (CVE-ID: CVE-2022-22934)
CWE-ID: CWE-310 - Cryptographic Issues
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to manipulate data.
The vulnerability exists due to Salt Masters do not sign pillar data with the minion’s public key. A remote attacker can manipulate arbitrary pillar data.
14) Insufficient verification of data authenticity (CVE-ID: CVE-2022-22935)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper verification of data authenticity. A remote attacker with ability to perform MitM attack can impersonate a master and force a minion process to stop.
15) Authentication Bypass by Capture-replay (CVE-ID: CVE-2022-22936)
CWE-ID: CWE-294 - Authentication Bypass by Capture-replay
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to improper authentication in jobs. A remote attacker can perform a replay attack and force minions to run old jobs.
16) Incorrect permission assignment for critical resource (CVE-ID: CVE-2022-22941)
CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to compromise third-party minions.
The vulnerability exists due to improper permissions checks. A remote user can target any minion connected to the Syndic when configured as a Master-of-Masters, bypass publisher_acl and execute on any configured minion.
17) Improper Authentication (CVE-ID: CVE-2022-22967)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to a missing check for PAM_ACCT_MGM return value. A remote user whose account is locked can continue to run Salt commands.
Remediation
Install update from vendor's website.