Skip to main content

Attackers Exploit Two Vulnerabilities in SaltStack to Publish Arbitrary Control Messages and Much More


CISA has sent warnings to the users regarding two critical vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework that has been actively exploited by cybercriminals, leaving around thousands of cloud servers across the globe exposed to the threat.

The vulnerabilities that are easy to exploit are of high-severity and researchers have labeled them as particularly 'dangerous'. It allows attackers to execute code remotely with root privileges on Salt master repositories to carry out a number of commands.

Salt is employed for the configuration, management, and monitoring of servers in cloud environments and data centers. It provides the power of automation as it scans IT systems to find vulnerabilities and then brings automation workflows to remediate them. It gathers real-time data about the state of all the aspects and it employs effective machine learning and industry expertise to examine threats more precisely. In a way, it is used to check installed package versions on all IT systems, look out for vulnerabilities, and then remediate them by installing fixes.

The two vulnerabilities, the first one called CVE-2020-11651 is an authentication bypass flaw and the other one CVE-2020-11652 is a directory transversal flaw, as per the discovery made by F-Secure researchers. The attackers can bypass all authentication and authorization controls by exploiting the vulnerabilities that would allow them to easily connect to the request server. Once the authentication is bypassed, attackers can post arbitrary control messages and make changes in the master server file system. All Salt versions prior to 2019.2.4 and 3000.2 are affected by the vulnerabilities.

Xen Orchestra, an effective all in one user-friendly web-based management service became the latest victim of cybercriminals involved in the exploitation of the two high-severity vulnerabilities in Salt. The attackers ran a cryptominer on the firm's virtual machines (VMs), it has been noticed by the company on the 3rd of May as various services on their infrastructure became inaccessible.

While commenting on the matter, Olivier Lambert, Xen Orchestra's founder, said, “A coin mining script ran on some of our VMs, and we were lucky nothing bad happened to us – no RPMs affected and no evidence that private customer data, passwords or other information have been compromised. GPG signing keys were not on any affected VMs. We don’t store any credit card information nor plain text credentials. Lesson learned...”

“In short, we were caught in a storm affecting a lot of people. We all have something in common: we underestimated the risk of having the Salt master accessible from outside,” he added. “Luckily, the initial attack payload was really dumb and not dangerous. We are aware it might have been far more dangerous and we take it seriously as a big warning. The malware world is evolving really fast: having an auto-update for our management software wasn’t enough."

“If you are running SaltStack in your own infrastructure, please be very careful. Newer payloads could be far more dangerous,” warned Lambert.


source https://www.ehackingnews.com/2020/05/attackers-exploit-two-vulnerabilities.html
Labels:

Comments

Post a Comment

Popular posts from this blog

Provider Volia reported to the cyber police about the intense cyberattacks on the server

Cable provider Volia appealed to the Cyber Police on the fact of fixing a DDoS attack on the Kharkov servers of the company, which has been ongoing since May 31. "For three days, from May 31 to today, the Volia infrastructure in Kharkov is subjected to cyberattacks. At first, they were carried out only on subscriber subsystems, later they switched to telecommunications infrastructure. As a result, more than 100,000 subscribers experienced problems using the Internet, IPTV, multi-screen platform, and digital TV," said the company. In total, the complete lack of access to Volia's services, according to the provider, lasted 12 minutes on May 31, 45 minutes on June 1. There was also an attack on the website volia.com, but it was managed to neutralize. "DDoS attacks were massive and well-organized. The type of attack is UDP flood and channel capacity overflow with the traffic of more than 200 GB. UDP is a protocol used for online streaming services - streaming, te...
Post a Comment
Read more

Information security experts have warned Russians about bonus card fraud schemes.

Fraudsters several thousand times tried to illegally take advantage of discount bonuses of Russians in 2019. Some attackers gained access to customers' personal accounts, and then bought the products using bonuses, said Alexey Sizov, head of the anti-fraud department of the Application Security Systems Center at Jet Infosystems. According to him, a fraudster can register a personal account on a card that was issued to another person. The victim will accumulate points without knowing about the existence of his profile, and the attacker will write off bonuses, said Sizov. The expert added that this is mainly done by novice scammers. According to him, loyalty programs are poorly protected, unlike banking operations. He said that they are estimated at 50 billion rubles ($760 milliard) for the 30 largest retailers. Alexey Fedorov, Chairman of the Business Russia Trade Committee, said that in 2019, the number of bonus and discount thefts "increased significantly." ...
Post a Comment
Read more

Apple Plans to Expand Cloud-Based Services, Enters Cloud Computing Space

Apple is planning to invest more in streamlines and increasing its cloud-based and software services like iCloud, Newsplus, and Apple Music. The expansion will go along with devices like iPads, MacBooks, and iPhones. To be entirely sure about the reliability of the cloud-based service on all the Apple devices, the company has decided to rely on AWS (Amazon Web Services) and the cloud division. AWS, as you might know, is a subunit of Amazon that offers cloud-space solutions. According to CNBC's findings, Apple is said to pay Amazon $30 Million monthly for its cloud-based services. It also means that Apple is one of the biggest customers of AWS. Nevertheless, Apple hasn't confirmed whether it uses Amazon's cloud services besides its iCloud. According to experts, Apple also has some of its cloud services on Google. Amazon transformed the management of the data center and hosting of the applications when it brought the AWS. Being the first one to offer services like these,...
Post a Comment
Read more