Salt is a powerful Python-based automation and remote execution engine that lets users issue commands to many machines at once.
But it has not escaped the inevitable security issues.
The latest are two severe security flaws discovered in the open-source SaltStack Salt configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centres and cloud environments.
F-Secure, the eminent security research firm that found them, said an initial scan revealed more than 6,000 vulnerable Salt instances exposed to the public internet.
Built as a utility to monitor and update the state of servers, Salt employs a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a "master" node that deploys the changes to a target group of "minions" (e.g., servers) en masse.
The communication between a master and minion occurs over the ZeroMQ message bus.
According to F-Secure researchers, both flaws lie in the tool's ZeroMQ protocol handling.
"The vulnerabilities described in this advisory allow an attacker who can connect to the 'request server' port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server filesystem and steal the secret key used to authenticate to the master as root," the researchers said.
"The vulnerabilities, allocated CVE IDs CVE-2020-11651 and CVE-2020-11652, are of two different classes," the cybersecurity firm further said.
"One being authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other being directory traversal where untrusted input (i.e., parameters in network requests) was not sanitized correctly allowing unconstrained access to the entire filesystem of the master server."
Both flaws are susceptible to severe exploitation in the wild, which is why SaltStack is asking its users to follow best practices to secure their Salt environment.
SaltStack has just released a patch (version 3000.2) addressing the issues, which are rated with a CVSS score of 10.
It's highly recommended that Salt users update the software packages to the latest version.
"Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks," the researchers said.
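The network control the researchers recommend, as an added example that is not part of the article or of SaltStack's own tooling: a small POSIX shell script that turns an allowlist of known minion addresses (a constructed file format, one IPv4 address or CIDR per line) into an nftables ruleset admitting only those sources to the master's default ports 4505 and 4506 and dropping everyone else. It only prints the ruleset; loading it with `nft -f` is left to the operator after review.

```shell
#!/bin/sh
# Added example, not code from the article or the SaltStack project.
# Builds an nftables ruleset that admits the Salt master's default ZeroMQ
# ports (4505 publish, 4506 request server) only from known minions and
# drops every other packet aimed at those ports. Nothing is applied here.

SALT_PORTS="4505, 4506"

# Cheap syntactic check for an IPv4 address or CIDR (not a full parser).
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# salt_master_rules <allowlist-file>: one address or CIDR per line, '#'
# comments and blank lines ignored. On any malformed entry it prints nothing
# on stdout and returns 1, so a typo cannot silently widen the allowlist.
salt_master_rules() {
    allow=""
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                          # strip trailing comment
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"
        [ -z "$entry" ] && continue
        if ! valid_cidr "$entry"; then
            printf 'invalid allowlist entry: %s\n' "$entry" >&2
            return 1
        fi
        allow="${allow:+$allow, }$entry"             # comma-separated set body
    done < "$1"
    [ -n "$allow" ] || { printf 'allowlist is empty\n' >&2; return 1; }
    cat <<EOF
table inet salt_master {
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr { $allow } tcp dport { $SALT_PORTS } accept
        tcp dport { $SALT_PORTS } drop
    }
}
EOF
}

# Usage: ./salt_rules.sh minions.txt > salt.nft && nft -f salt.nft
if [ "$#" -eq 1 ]; then
    salt_master_rules "$1"
fi
```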
So, to all the data centres of the world 'worth their salt': it is time to do the needful.
ISOAH treats all your data insecurities with its adaptive anti-hacking audits.