Debian Bug report logs -
#959684
salt: CVE-2020-11651 and CVE-2020-11652
Reported by: Guilhem Moulin <guilhem@debian.org>
Date: Sun, 3 May 2020 23:39:01 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in versions salt/2016.11.2+ds-1+deb9u2, salt/2014.1.13+ds-3, salt/2018.3.4+dfsg1-6
Fixed in version salt/3000.2+dfsg1-1
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>: Bug#959684; Package src:salt. (Sun, 03 May 2020 23:39:03 GMT)
Acknowledgement sent to Guilhem Moulin <guilhem@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Sun, 03 May 2020 23:39:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: salt
Version: 2018.3.4+dfsg1-6
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2018.3.4+dfsg1-6
Control: found -1 2016.11.2+ds-1+deb9u2
Control: found -1 2014.1.13+ds-3
Control: notfound -1 3000.2+dfsg1-1
Dear Maintainer,
These CVEs were assigned last Wednesday but I'm filing this as it seems
they're not tracked in the BTS yet.
CVE-2020-11651
--------------
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000
before 3000.2. The salt-master process ClearFuncs class does not
properly validate method calls. This allows a remote user to access
some methods without authentication. These methods can be used to
retrieve user tokens from the salt master and/or _run arbitrary
commands on salt minions_. [emphasis mine]
CVE-2020-11652
--------------
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000
before 3000.2. The salt-master process ClearFuncs class allows access
to some methods that improperly sanitize paths. These methods allow
arbitrary directory access to authenticated users.
As seen for instance at https://github.com/saltstack/salt/issues/57057
the vulnerabilities are being exploited in the wild already; compromised
salt masters do allow attackers to run arbitrary commands on the minions
as root.
See also https://labs.f-secure.com/advisories/saltstack-authorization-bypass .
Cheers,
--
Guilhem.
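As an added illustration (not part of the bug report, and not Salt's or Debian's own tooling): a small Python triage helper that reduces a Debian package version string to its upstream Salt version and checks it against the affected ranges quoted in the CVE text above ("before 2019.2.4 and 3000 before 3000.2"). The function names and the sample version list are constructed for this example. It compares upstream version numbers only and knows nothing about distribution backports, so a True result means "check the package changelog", not proof of exposure.

```python
import re

# Affected ranges, taken from the CVE text quoted in the bug report:
# "before 2019.2.4 and 3000 before 3000.2".
FIRST_FIXED_CLASSIC = (2019, 2, 4)   # YYYY.M.P release train
FIRST_FIXED_3000 = (3000, 2)         # 3000.x release train

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def upstream_version(debian_version: str) -> str:
    """Reduce a Debian package version to its upstream Salt version.

    Debian versions look like [epoch:]upstream[-revision]; the Debian Salt
    packages also carry a repack suffix ('+dfsg1', '+ds') on the upstream
    part.  The epoch, the revision after the last '-' and everything after
    the first '+' are dropped.
    """
    v = debian_version.split(":", 1)[-1]   # drop an epoch if present
    v = v.rsplit("-", 1)[0]                # drop the Debian revision
    v = v.split("+", 1)[0]                 # drop the repack suffix
    if not _VERSION_RE.match(v):
        raise ValueError(f"unrecognised Salt version: {debian_version!r}")
    return v


def version_tuple(upstream: str) -> tuple:
    """'2016.11.2' -> (2016, 11, 2); numeric so 2019.2.10 sorts after 2019.2.4."""
    return tuple(int(p) for p in upstream.split("."))


def is_affected(debian_version: str) -> bool:
    """True if the upstream version falls in the range the CVE text describes.

    Only the upstream version number is compared (an assumption of this
    example); a distribution that backported the fix to an older upstream
    version would still be flagged here.
    """
    parts = version_tuple(upstream_version(debian_version))
    if parts[0] >= 3000:
        # 3000-series: '3000' and '3000.1' are affected, '3000.2' and later are not
        return parts < FIRST_FIXED_3000
    return parts < FIRST_FIXED_CLASSIC


def triage(debian_versions):
    """Map each package version string to 'affected' or 'fixed'."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in debian_versions}


if __name__ == "__main__":
    # Versions from the bug header plus two constructed edge cases.
    sample = ["2014.1.13+ds-3", "2016.11.2+ds-1+deb9u2", "2018.3.4+dfsg1-6",
              "2019.2.4-1", "3000.1+dfsg1-1", "3000.2+dfsg1-1"]
    for version, status in triage(sample).items():
        print(f"{version:28} {status}")
```

Feed it the output of `dpkg-query -W -f='${Version}' salt-master` on each host to get a first-pass list of masters that still need the update; the numeric tuple comparison is what keeps a hypothetical 2019.2.10 from being misread as older than 2019.2.4.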
Marked as found in versions salt/2016.11.2+ds-1+deb9u2. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Sun, 03 May 2020 23:39:03 GMT)
Marked as found in versions salt/2014.1.13+ds-3. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Sun, 03 May 2020 23:39:04 GMT)
Marked as fixed in versions salt/3000.2+dfsg1-1. Request was from Guilhem Moulin <guilhem@debian.org> to control@bugs.debian.org. (Sun, 03 May 2020 23:45:04 GMT)
Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 04 May 2020 03:09:04 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon May 4 10:20:08 2020.