
CVE-2020-11651 PoC — SaltStack Salt security vulnerability

Source
Associated Vulnerability
Title: SaltStack Salt security vulnerability (CVE-2020-11651)
Description: SaltStack Salt is an open-source infrastructure management tool from SaltStack; it provides configuration management, remote execution and related functionality. Salt releases before 2019.2.4, and 3000.x releases before 3000.2, contain a security vulnerability caused by the ClearFuncs class in the salt-master process failing to properly validate method calls. A remote attacker can exploit it to retrieve user tokens or execute arbitrary commands.
Description
Salt security backports for CVE-2020-11651 & CVE-2020-11652
Readme
Official patches for previous versions can be requested at: https://www.saltstack.com/lp/request-patch-april-2020/

⚠ Patches here are custom, and may differ from official ones ⚠

# Backported security patches for unsupported salt versions

[![Build Status](https://travis-ci.org/rossengeorgiev/salt-security-backports.svg?branch=master)](https://travis-ci.org/rossengeorgiev/salt-security-backports)

Patches in this repo address the following CVEs:

* CVE-2020-11651 & CVE-2020-11652 - https://labs.f-secure.com/advisories/saltstack-authorization-bypass

The patches additionally include the following bugfixes:

* fix typo `_minion_runner` -> `minion_runner`. See: https://docs.saltstack.com/en/latest/topics/releases/3000.2.html#known-issue
* fix typo `_find_file_and_stat` -> `_find_hash_and_stat`. See https://github.com/rossengeorgiev/salt-security-backports/issues/1
* removal of `run_func` from whitelist
* missing `import salt.utils.verify`

The fixes above are included in the latest SaltStack releases, specifically `v2019.2.5` and `v3000.3`.

# Check if your salt-master is vulnerable

The check script needs to be run locally on your salt-master as `root`:

```bash
python salt-cve-check.py
```

Example output for Salt 2017.7.8:

```bash
[+] Salt version: 2017.7.8
[ ] This version of salt is vulnerable! Check results below
[+] Checking salt-master (127.0.0.1:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[+] Checking if vulnerable to CVE-2020-11652 (read_token)... YES
[+] Checking if vulnerable to CVE-2020-11652 (read)... YES
[+] Checking if vulnerable to CVE-2020-11652 (write1)... YES
[+] Checking if vulnerable to CVE-2020-11652 (write2)... YES
```
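The runtime check above is authoritative, but before running it on every master it helps to triage an inventory of reported Salt versions against the affected ranges stated in the advisory description (everything before 2019.2.4, and 3000.x before 3000.2). The following is an added example, not code from the salt-security-backports repository: it parses Salt's two release formats (year-based like `2017.7.8` and the 3000-series like `3000.1`), extracts the number from `salt-master --version` style lines, and returns a verdict per host. The sample output lines are constructed, and the thresholds are an assumption taken from the advisory text on this page.

```python
import re
from typing import Dict, Iterable, Tuple

# Thresholds stated in the advisory text on this page: every release before
# 2019.2.4 is affected, and 3000-series releases before 3000.2 are affected.
# Releases from 2019.2.4 / 3000.2 onwards carry the ClearFuncs fix.
FIXED_LEGACY = (2019, 2, 4)   # first fixed release of the year-based line
FIXED_3000 = (3000, 2)        # first fixed release of the 3000.x line

_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)*)\b")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a Salt release string such as "2017.7.8", "v2019.2.4" or "3000.1"
    into a tuple of ints. A bare "3000" becomes (3000,), which Python orders
    before (3000, 1), matching Salt's own release ordering."""
    text = text.strip()
    if text.startswith("v"):
        text = text[1:]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Salt version string: %r" % text)
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the given release falls inside the ranges named by the advisory.

    Caveat: this is a version-string check only. A distribution package may
    backport the fix without changing the version, and 2019.2.4 / 3000.2 shipped
    with the known issues listed in the README, so the runtime check script
    remains the final word on a given master."""
    v = parse_version(version)
    if v[0] == 3000:
        return v < FIXED_3000
    # Year-based releases (2016.11.x, 2017.7.x, 2018.3.x, 2019.2.x): anything
    # before 2019.2.4 is affected. 3001 and later post-date the fix entirely
    # and compare greater than (2019, 2, 4), so they fall through as not affected.
    return v < FIXED_LEGACY


def version_from_cli_output(line: str) -> str:
    """Extract the release number from `salt-master --version` style output,
    e.g. "salt-master 2017.7.8 (Nitrogen)" -> "2017.7.8"."""
    m = _VERSION_RE.search(line)
    if m is None:
        raise ValueError("no version number in %r" % line)
    return m.group(1)


def triage(lines: Iterable[str]) -> Dict[str, bool]:
    """Map each `--version` output line to an affected / not-affected verdict,
    keyed by the release number found on that line."""
    verdicts = {}
    for line in lines:
        ver = version_from_cli_output(line)
        verdicts[ver] = is_affected(ver)
    return verdicts


if __name__ == "__main__":
    # Constructed sample lines, not captured from real hosts.
    sample = [
        "salt-master 2017.7.8 (Nitrogen)",
        "salt-master 2019.2.4 (Fluorine)",
        "salt-master 3000.1 (Neon)",
        "salt-master 3000.3 (Neon)",
    ]
    for ver, hit in triage(sample).items():
        status = "in affected range: patch, then re-run the check script" if hit else "not in affected range"
        print("%-10s %s" % (ver, status))
```

Feed it the collected `salt-master --version` output from your fleet to decide where to run `salt-cve-check.py` first; a "not in affected range" verdict here does not replace the runtime check.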

# Applying the patches

```bash
# locate the salt package directory (use python3 if necessary)

python -c "import imp; print(imp.find_module('salt')[1])"

# in my case: /usr/lib/python2.7/dist-packages/salt
# apply patches
# (adding -b flag will backup file before modifications at same path with .orig suffix)
# (patch can be reversed running the same command with -R flag)

patch -p2 -d /usr/lib/python2.7/dist-packages/salt < 2017.7.8_CVE-2020-11651.patch
patch -p2 -d /usr/lib/python2.7/dist-packages/salt < 2017.7.8_CVE-2020-11652.patch

# restart salt-master

systemctl restart salt-master
# or
service salt-master restart
```

Rerun the check script:

```bash
user@salt # python salt-cve-check.py
[+] Salt version: 2017.7.8
[ ] This version of salt is vulnerable! Check results below
[+] Checking salt-master (127.0.0.1:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... NO
[+] Checking if vulnerable to CVE-2020-11652 (read_token)... NO
[+] Checking if vulnerable to CVE-2020-11652 (read)... NO
[+] Checking if vulnerable to CVE-2020-11652 (write1)... NO
[+] Checking if vulnerable to CVE-2020-11652 (write2)... NO
```
File Snapshot

```text
/data/pocs/3574c861233576d833bb5da089083d65840a45c2
├── [3.8K] 2016.11.10_CVE-2020-11651.patch
├── [4.9K] 2016.11.10_CVE-2020-11652.patch
├── [3.8K] 2016.11.8_CVE-2020-11651.patch
├── [4.9K] 2016.11.8_CVE-2020-11652.patch
├── [3.8K] 2017.7.8_CVE-2020-11651.patch
├── [4.9K] 2017.7.8_CVE-2020-11652.patch
├── [3.6K] 2018.3.5_CVE-2020-11651.patch
├── [5.1K] 2018.3.5_CVE-2020-11652.patch
├── [1.2K] 2019.2.4_bugfixes.patch
├── [3.5K] 3000.1_CVE-2020-11651.patch
├── [5.5K] 3000.1_CVE-2020-11652.patch
├── [1.2K] 3000.2_bugfixes.patch
├── [ 752] Makefile
├── [2.8K] README.md
├── [5.4K] salt-cve-check.py
└── [ 514] Vagrantfile

0 directories, 16 files
```