[kwlug-disc] Saltstackgeddon

Paul Nijjar paul_nijjar at yahoo.ca
Wed May 6 14:34:51 EDT 2020


While looking for something else I learned that there were huge
vulnerabilities found in Saltstack at the end of April: 


https://saltexploit.com/

https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/

The tl;dr is that if your salt-master is accessible on the Internet
(via the Salt port) then ALL of your minions are compromised. At
best they are now cryptocurrency mining rigs. At worst all of your
server data (private keys, databases, etc) are now gone.

Holy cow do I have egg on my face now. Our Saltstack infrastructure is
behind a firewall and only accessible via VPN, and as far as I can
tell we have not been exploited. I am still frightened. 

What is most frustrating is that I found this accidentally. If I try
to subscribe to CVE lists I get overwhelmed with noise. But when these
level 10 vulnerabilities hit I do not find out about them. 

What is almost most frustrating is that Ubuntu and Debian packages are
affected but there have been no official patches released. 

What is moderately frustrating is that I have been pushing
configuration management at my workplace for a long time, and now I
look like a careless idiot for building something that has a single
point of failure.

- Paul

-- 
Events: https://feeds.off-topic.kwlug.org 
Blog: http://pnijjar.freeshell.org
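A defender-side check on the point made in the tl;dr above (a salt-master reachable on the Salt port from the Internet), added here as an illustration and not part of Paul's post or of Saltstack itself: it parses `ss -ltn` output and reports any salt-master listener that is bound to a wildcard address or to an address outside an allowed (VPN) network. It assumes Salt's default master ports 4505 and 4506; the sample socket listing and the VPN subnet 10.8.0.0/24 are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Salt's default master ports: 4505 (publish) and 4506 (request/return).
SALT_PORTS = {4505, 4506}

# Constructed sample of `ss -Hltn` output (no header line), for illustration only.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1000 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 1000 10.8.0.1:4506 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 1000 [::]:4506 [::]:*
"""

# State, Recv-Q, Send-Q, then "local-address:port"; IPv6 addresses are bracketed.
_LISTEN_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(ss_output):
    """Yield (address, port) for every listening TCP socket in `ss -ltn` output."""
    for line in ss_output.splitlines():
        m = _LISTEN_LINE.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        yield addr.strip("[]"), port


def exposed_salt_listeners(ss_output, allowed_networks):
    """Return salt-master listeners that are not confined to an allowed network.

    A wildcard bind (0.0.0.0 or ::) is always reported: in that case only the
    firewall stands between the master and the Internet.
    """
    allowed = [ip_network(n) for n in allowed_networks]
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in SALT_PORTS:
            continue
        ip = ip_address(addr)
        if ip.is_unspecified or not any(ip in net for net in allowed):
            findings.append((addr, port))
    return findings


if __name__ == "__main__":
    # Hypothetical VPN subnet; replace with the network your minions actually use.
    for addr, port in exposed_salt_listeners(SAMPLE_SS_OUTPUT, ["10.8.0.0/24"]):
        print(f"salt-master port {port} bound to {addr}: not confined to the VPN")
```

Run it against live output with `ss -Hltn` piped in; any finding means the master's ports are reachable beyond the VPN unless a host or perimeter firewall blocks them.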
