Hackers exploiting cloud servers using SaltStack Salt vulnerabilities

A few days ago, it was disclosed that two critical vulnerabilities that lied within the SaltStack configuration framework were hacked. It was further identified that Salt master versions 2019.2.3 and 3000.1 and earlier were affected by it. Also, these Slatstack vulnerabilities exposed approximately 6000 Salt masters to the internet. This exploitation was so critical that several organizations and open source projects had to shut down all their services immediately. To get a better picture of what had actually happened, you need to first understand what SaltStack is.

What is SaltStack?

IT companies require configuration and automation of data for about millions of servers. These configuration and automation take a lot of time and the data is more prone to errors if done manually. And this calls for the necessity of a configuration management tool that allows these tasks to be done with faster speed and a higher success rate. SaltStack is one such open-source Python-based framework that is used to automate tasks, data collection, and configuration for cloud servers and servers in other private data centers.

The important part about SlatStack is that it is quite easy to learn and can efficiently manage simple as well as complex data with minimal execution time and at a larger scale.

SaltStack functions with the help of a master which controls one or more minions. The Master issues a series of commands to these Minions and they after executing them, return the resulting data back to the Master and the communication carries on. To encrypt and decrypt messages, the Salt master and the Salt Minions exchange a public key and an AES key and also ensure secure communication between them.

SaltStack Vulnerabilities

On April 30, the researchers at F secure labs publicly disclosed two vulnerabilities. These vulnerabilities lied within SaltStack which were CVE-2020-11651 and CVE-2020-11652. They warned the organizations that were using SaltStack how these vulnerabilities could allow unauthorized users to escape the authentication and authorization controls by connecting to the “request server” port and gain access to the infrastructure of the servers. F secure principal consultant Olle Segerdahi warned Salt users to patch their systems by the 1st of May, or else they would be at great risk to be hacked.

And as predicted, over the weekend security experts reported on twitter that they could see exploitation attempts for the two vulnerabilities. Even large organizations started confirming attacks on their systems and had to eventually shut down their services for a period of time.

Who affected with SlatStack Vulnerabilities?

It was reported that the popular blogging site Ghost. It has Apple, Nasa, DuckDuckGo, and other huge companies as its customers were also targeted on 3rd May. Wherein the attackers were able to gain access to their system and attempted to crypto mine by exploiting the flaws in Salt. But this not only allows the hackers to gain access to the system but also does potential damage to the system. The hack attack affected both Ghost Pro sites and Ghost.org billing, although no credit card information or credentials of the customers were known to be affected.

A similar attack was announced by the vice president of the certificate authority DigiCert later that their Log 2’s key which was used to sign SCT was compromised through the Salt vulnerability. The hackers used these vulnerabilities to attack a salt-master of their system which affected their transparency logs. It is said that the attackers must have wanted to deploy cryptocurrency mining malware on their system and steal sensitive data but they couldn’t succeed.

Open-source Android mobile platform LineageOS also on 2nd May reported the detection of an intrusion in their system through the Salt vulnerabilities to gain access to their infrastructure with cryptocurrency mining software and had to shut down their services immediately. Since the attack was detected on time no harm to the system was identified. 

Conclusion

Although the salt vulnerabilities gave crypto miners an access to the system of thousands of data centers and steal confidential data, no such damage occurred due to early detection. But after this incident, if you are using earlier versions of, it is strongly recommended to upgrade to the latest supported versions of Salt with upgraded CVE and if you are unable to upgrade to newer versions. it is advised to patch your system.