Diagnosing Salt Master RCE Vulnerability With VMware Secure State

Author:
Sufian Dar Senior Staff Engineer
Published: May 11, 2020
2 Min Read

Salt is a popular framework for configuration management and remote orchestration for any infrastructure or application stack. SaltStack, the company that created Salt, identified a critical security vulnerability in Salt last week, that allows full remote code execution as root on servers managed by the framework. The vulnerability is easily exploitable if a Salt Master is exposed to the open internet. This article describes the vulnerability and corresponding CVEs in detail and software patches that the company has released to mitigate the vulnerability.  

According to F-Secure researchers, a preliminary scan revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet, due to its popularity in cloud environments like AWS and GCP. The research report also highlights that in addition to patching Salt deployments, customers should restrict access to Salt master ports 4505 and 4506 (on default configurations), or at least block the hosts off from the open internet. 

For organizations using public cloud providers, investigating public port access of Salt Servers can become a tedious task, especially for larger organizations with cloud resources spread across multiple accounts. To speed up this process, VMware Secure State provides an intelligent security platform with deep insights into an organization’s cloud resources and configuration. 

Once an organization is on-boarded, VMware Secure State kicks off the inventory process that involves discovering cloud resources from customer’s cloud accounts and storing them in the service backend. The inventory process results in generating a interconnected security model of discovered cloud resources. This data layer is foundational to VMware Secure State and can be visualized and queried in the “Explore” tab of the Service.  

The Explore view that visualizes the resource graph can be utilized by customers to quickly answer complex questions such as: Find all EC2 instances that are connected to a security group with open access to Ports 4505 and 4506 (Figure A). The query would look like this:  

code.png

vss-explorer.png

VMware Secure State also exposes public APIs that can be leveraged to query and aggregate resource config data for the customer organization. Using these APIs customers can ask questions to get a breakdown by cloud account of number of security groups with open access to Ports 4505 and 4506. 

code2.png

To talk to a VMware Secure State expert and learn how we can help you detect cloud security vulnerabilities, visit https://go.cloudhealthtech.com/vmware-secure-state 

Image
headshot
Sufian Dar, Senior Staff Engineer

Sufian Dar is a member of the CloudHealth Engineering team and focuses on enabling customers to be successful in the cloud by providing insights into cloud management best practices, building a mature cloud strategy, and ensuring customers are utilizing the CloudPlatform in the best way possible.

We Think You Might Like These: