Improper input validation in Salt

#VU12736 Improper input validation in Salt

Published: 2018-05-15

Vulnerability identifier: #VU12736

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-14696

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Salt
Web applications / Remote management & hosting panels

Vendor: SaltStack

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to improper input validation. A remote attacker can submit a specially crafted authentication request and cause the service to crash.

Mitigation
Update to versions 2016.3.8, 2016.11.8 or 2017.7.2.

Vulnerable software versions

Salt: 2016.3.0 - 2016.11.7, 2017.7.0 - 2017.7.1

External links
http://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html
http://docs.saltstack.com/en/latest/topics/releases/2016.3.8.html
http://docs.saltstack.com/en/latest/topics/releases/2016.11.8.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Arch Linux update for salt

Multiple vulnerabilities in SaltStack