Coinminers Exploit SaltStack Vulnerabilities CVE-2020-11651 and CVE-2020-11652

By Govind Sarda and Suraj Sahu, Threat Researchers

Recently, researchers from F-Secure disclosed two high-severity vulnerabilities in SaltStack Salt: CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal vulnerability. These can be exploited by remote, unauthenticated attackers, and all versions of SaltStack Salt before 2019.2.4 and 3000 before 3000.2 are affected. SaltStack also released a bulletin regarding these vulnerabilities. We have witnessed attacks exploiting these vulnerabilities, notably those using the cryptocurrency miners detected as Coinminer.Linux.KINSING.A, Coinminer.Linux.KINSING.B, Coinminer.Linux.KINSING.C, Coinminer.Linux.MALXMR.SMDSL64, and Coinminer.Linux.MALXMR.UWEKP.

SaltStack Salt is a Python-based, open-source software for event-driven IT automation, remote task execution, and configuration management. Its management framework is used in data centers and cloud servers. It is also an infrastructure as code (IaC) solution and is used in DevOps. We analyzed the critical vulnerabilities affecting Salt, their patches, and some threats exploiting them.

[Read: Security risks and best practices for using IaC tools and templates.]

CVE-2020-11651 and CVE-2020-11652

CVE-2020-11651 allows remote user access, and CVE-2020-11652 permits arbitrary directory access. We can take a look at Salt’s architecture to understand the vulnerabilities. Salt has a master-slave model where the master is called the salt master and the slaves are salt minions. The salt master is used to send commands and configurations to the salt minions. A single master can manage multiple minions.

Figure 1. Command execution model between the salt master and salt minions

In CVE-2020-11651, the salt master process, ClearFuncs, does not validate method calls properly. This class exposes two methods:

•  _prep_auth_info() method, which returns the user token (Root Key). Attackers can use the token to bypass authentication, resulting in remote command execution within the context of the Salt process on both the master and minions.
• _send_pub() method, which can be used to queue messages directly on the master publish server. Such messages can be used to trigger minions to run arbitrary commands as root.

To summarize, this vulnerability allows access to some methods without requiring authentication. This then can be used to retrieve user tokens from the salt master and run commands on salt master and salt minions.

CVE-2020-11652 is also related to the salt master process ClearFuncs; this time, it allows access to some methods that improperly sanitize paths. The salt wheel module contains commands used to read and write files under specific directory paths.  The get_token()method of the salt.tokens.localfs fails to sanitize the token input parameter, which is then used as a filename, allowing insertion of ".." path elements and thus reading of files outside of the intended directory. This occurs due to the failure to correctly sanitize the token input parameter, which is used as a filename with the only restriction is that the file has to be deserializable by salt.payload.Serial.loads(). This gives attackers a chance to rewrite path elements.

Patch Analysis

To fix the CVE-2020-11651 vulnerability, SaltStack has defined exposed methods that the user can specify in the cleartext messages. This is done through a new function called get_method()

Figure 2. Use of new function get_method()

Figure 3. The function get_method() checks exposed methods

Figure 4. Methods exposed to transport layer

To fix the CVE-2020-11652 vulnerability, SaltStack has sanitized paths in ClearFuncs methods provided by the salt master. This ensures that access to unintended files and directories are not allowed. They added two new functions: _realpath() to resolve any filesystem links, and clean_path() to verify paths.

Figure 5. The new _realpath() function, which resolves any filesystem links

Figure 6. The clean_path() function verifies that the path is under the said root

Figure 7.  Use of the clean_path()function to verify the path

Threats Exploiting CVE-2020-11651 and CVE-2020-11652

We have spotted coinminers actively exploiting CVE-2020-11651 and CVE-2020-11652, which we detect as follows:

• Coinminer.Linux.KINSING.A
• Coinminer.Linux.KINSING.B
• Coinminer.Linux.KINSING.C
• Coinminer.Linux.MALXMR.SMDSL64
• Coinminer.Linux.MALXMR.UWEKP

The tables below show data we recorded from May 3, only a few days after the vulnerability was disclosed. The File full path column pertains to the path where the malware is being dropped, process full path means the path of the binary file of the process execution, and platform count is the number of machines reported in this detection.

The file full path is either /tmp/salt-minions or /var/tmp/salt-store, while while the process full path was any of the following:

• [salt-store]
• /usr/bin/bash
• /usr/bin/md5sum
• /usr/bin/python2.7
• /usr/bin/wget
• /var/tmp/salt-store

Red Hat Enterprise Linux Server release 7.2 (Maipo) had the highest number of recorded detections at 315,265.

Figure 8. Detections with /tmp/salt-minions as file full path

Figure 9. Detections with /var/tmp/salt-store as file full path

Recommendations

Cybercriminals will always look for vulnerabilities to exploit. Vulnerabilities in one system can also be used to compromise other connected systems; for example, vulnerabilities in Salt may also expose the data stored in data centers and cloud servers to risk. Users should patch vulnerabilities in platforms and devices as soon as they can to strengthen security. Security solutions can also help defend against related threats.

The following Deep Security rulesprotect users from threats exploiting these vulnerabilities:

• 1010265 - SaltStack Salt Authorization Weakness Vulnerability (CVE-2020-11651)
• 1010266 - SaltStack Vulnerabilities Exploitation Detected
• 1010267 - SaltStack Salt Directory Traversal Vulnerability (CVE-2020-11652)

Below are the applicable Tipping Point rules:

• 37032 - HTTP: Backdoor.Linux.Kinsackor.A Runtime Detection
• 37750 - TCP: SaltStack Salt Authentication Bypass Vulnerability (CVE-2020-11651)
• 37782 - TCP: SaltStack Salt Directory Traversal Vulnerability (CVE-2020-11652)

For hybrid cloud environments, the Trend Micro™ Hybrid Cloud Security solution offers automated security within the DevOps pipeline. It is empowered by multiple XGen™ threat defense techniques for protecting runtime physical, virtual, and cloud workloads.

We also recommend Trend Micro Cloud One™ solutions, which help users simplify their hybrid and multi-cloud security. They can address workload, container, file object storage, serverless and application, and network security, along with security posture management. Trend Micro Cloud One™ – Workload Security secures modern data centers, including physical servers and software, virtual servers, and desktop. Trend Micro Cloud One^TM Network Security inspects network traffic without disrupting business operations, providing network layer protection and disruption for the multi-cloud environment.

Indicators of Compromise