2020-05-04
Cisco security breach hits corporate servers that ran unpatched software:
Six servers Cisco uses to provide a virtual networking service were compromised by hackers who exploited critical flaws contained in unpatched versions the open source software service relies on, the company disclosed on Thursday.
The May 7 compromise hit six Cisco servers that provide backend connectivity to the Virtual Internet Routing Lab Personal Edition (VIRL-PE), a Cisco service that lets customers design and test network topologies without having to deploy actual equipment. Both the VIRL-PE and a related service, Cisco Modeling Labs Corporate Edition, incorporate the Salt management framework, which contained a pair of bugs that, when combined, was critical. The vulnerabilities became public on April 30.
[...] Cisco said that without updates, any VIRL-PE or CML products that are deployed in standalone or cluster configurations will remain vulnerable to the same sorts of compromises. The company released software updates for the two vulnerable products. Cisco rated the severity of the vulnerabilities with a ranking of 10 out of 10 on the CVSS scale.
The Salt vulnerabilities are CVE-2020-11651, an authentication bypass, and CVE-2020-11652, a directory traversal. Together, they allow unauthorized access to the entire file system of the Salt master server that Salt-managed services rely on. F-Secure, the firm that discovered the vulnerabilities, has a good description of them here.
Salt is described as "Software to automate the management and configuration of any infrastructure or application at scale."
Additional Info: https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/
Previously:
(2020-05-04) Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers
Related Stories
Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers
Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert.
Managed by SaltStack, Salt is an open-source configuration tool to monitor and update the state of servers in both datacenters and cloud environments. Called minions, agents installed on servers connect to a master to deliver state reports (to a "request server") and receive updates (from a "publish server").
Last week, F-Secure security researchers disclosed two vulnerabilities in Salt (CVE-2020-11651 and CVE-2020-11652) that could allow remote attackers to execute commands as root on "master" and connected minions. The most severe of the bugs has a CVSS score of 10.
The vulnerabilities could allow an attacker to bypass authentication and authorization controls, "and publish arbitrary control messages, read and write files anywhere on the 'master' server filesystem and steal the secret key used to authenticate to the master as root," F-Secure said last week.
The security firm warned that attackers would likely devise exploits for the vulnerabilities within 24 hours after the report became public: "Patch by Friday or compromised by Monday," F-Secure Principal Consultant Olle Segerdahl said on Thursday.
Over the weekend, attacks looking to exploit the two security flaws were observed, with LineageOS, Ghost, and DigiCert being among the first to fall victim.
[...] SaltStack released patches for the vulnerabilities last week, with Salt version 3000.2 addressing them. Salt version number 2019.2.4, which was released for the previous major version of the tool, also includes the patches.
Related: Critical Vulnerability in Salt Requires Immediate Patching
See notices from LineageOS, Ghost, and DigiCert.
Also at: The Register.
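As an added example (not from either article quoted above), a small Python check that classifies a Salt version string against the fixed releases the story names, 3000.2 and 2019.2.4; the `salt --version` output format and the host inventory below are assumed and constructed for illustration, and any release line the story does not list is treated as not known to be patched.

```python
import re

# Fixed releases named in the article for CVE-2020-11651 / CVE-2020-11652.
FIXED_3000 = (3000, 2)       # 3000.x line
FIXED_2019 = (2019, 2, 4)    # previous major line


def parse_salt_version(text):
    """Pull a Salt version tuple out of text such as 'salt 3000.1' or '2019.2.4 (Fluorine)'.
    The 'salt <version>' output shape is an assumption about `salt --version`."""
    m = re.search(r"\b(\d{4}(?:\.\d+)*)\b", text)
    if not m:
        raise ValueError(f"no Salt version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version):
    """True when the release line is at or above the fixed version the article lists.
    3000+ is compared against 3000.2, 2019.x against 2019.2.4; anything else is
    not covered by the listed fixes and is reported as unpatched."""
    if version[0] >= 3000:
        fixed = FIXED_3000
    elif version[0] == 2019:
        fixed = FIXED_2019
    else:
        return False
    # pad the shorter tuple with zeros so (3000,) compares as 3000.0 < 3000.2
    n = max(len(version), len(fixed))
    v = version + (0,) * (n - len(version))
    f = fixed + (0,) * (n - len(fixed))
    return v >= f


def unpatched_hosts(inventory):
    """Return the hosts whose reported Salt version is below the fixed release."""
    return sorted(h for h, out in inventory.items() if not is_patched(parse_salt_version(out)))


# Constructed sample inventory: host -> captured `salt --version` output (assumed format).
SAMPLE_INVENTORY = {
    "master-a": "salt 3000.1",
    "master-b": "salt 3000.2",
    "master-c": "salt 2019.2.4 (Fluorine)",
    "master-d": "salt 2019.2.3 (Fluorine)",
    "master-e": "salt 2018.3.4 (Oxygen)",
}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Salt version below fixed release, patch before exposing 4505/4506")
```

The master's publish and request servers listen on TCP 4505 and 4506 by default, so an unpatched result is most urgent where those ports reach untrusted networks.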
Separately, RamNode, who hosts our backups server, sent an email reporting they also got hit:
