SB2023110714 - Gentoo update for Salt

Description

This security bulletin contains information about 17 secuirty vulnerabilities.

1) Security restrictions bypass (CVE-ID: CVE-2020-28243)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation. A remote user can create files in any non-blacklisted directory via a command injection in a process name.

2) Improper Certificate Validation (CVE-ID: CVE-2020-28972)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to absent validation of SSL/TLS certificates. A remote attacker can perform MitM attack.

3) Improper Certificate Validation (CVE-ID: CVE-2020-35662)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper TLS certificate validation. A remote attacker can force the application to accept an untrusted certificate and perform MitM attack.

4) Improper Authentication (CVE-ID: CVE-2021-3144)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests for expired eauth tokens. A remote attacker can re-use one more time expired eauth tokens to run command against the salt master or minions.

5) Command Injection (CVE-ID: CVE-2021-3148)

The vulnerability allows a remote user to execute arbitrary commands within the application.

The vulnerability exists due to improper input validation, related to handling single and double quotes, within the salt.utils.thin.gen_thin() function in salt/utils/thin.py. A remote user can send a specially crafted HTTP request to the SaltAPI and execute arbitrary commands.

6) OS Command Injection (CVE-ID: CVE-2021-3197)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation within the salt-api ssh client. A remote attacker can include the ProxyCommand in an argument, or via ssh_options provided in an API request and execute arbitrary commands on the system.

7) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2021-21996)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the way Salt download URL. A local user with control over the file source URL and its source_hash URL can gain full file system access as root on a salt minion.

8) Improper access control (CVE-ID: CVE-2021-25281)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. The salt-api does not honor eauth credentials for the wheel_async client. A remote attacker can remotely run any wheel modules on the master.

9) Path traversal (CVE-ID: CVE-2021-25282)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the salt.wheel.pillar_roots.write method. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.

10) Code Injection (CVE-ID: CVE-2021-25283)

The vulnerability allows a user attacker to perform server-side template injection attacks.

The vulnerability exists due to improper input validation. A remote user can send a specially crafted request and execute arbitrary code on the target system via the SaltAPI fix directory traversal in wheel.pillar_roots.write (described in #VU50980).

11) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2021-25284)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to salt.modules.cmdmod stores sensitive information, such as passwords into the /var/log/salt/minion file. A local user can read the log files and gain access to sensitive data.

12) Command Injection (CVE-ID: CVE-2021-31607)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to command injection in the snapper module. A local user can escalate privileges on a minion.

13) Cryptographic issues (CVE-ID: CVE-2022-22934)

The vulnerability allows a remote attacker to manipulate data.

The vulnerability exists due to Salt Masters do not sign pillar data with the minion’s public key. A remote attacker can manipulate arbitrary pillar data.

14) Insufficient verification of data authenticity (CVE-ID: CVE-2022-22935)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper verification of data authenticity. A remote attacker with ability to perform MitM attack can impersonate a master and force a minion process to stop.

15) Authentication Bypass by Capture-replay (CVE-ID: CVE-2022-22936)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper authentication in jobs. A remote attacker can perform a replay attack and force minions to run old jobs.

16) Incorrect permission assignment for critical resource (CVE-ID: CVE-2022-22941)

The vulnerability allows a remote user to compromise third-party minions.

The vulnerability exists due to improper permissions checks. A remote user can target any minion connected to the Syndic when configured as a Master-of-Masters, bypass publisher_acl and execute on any configured minion.

17) Improper Authentication (CVE-ID: CVE-2022-22967)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to a missing check for PAM_ACCT_MGM return value. A remote user whose account is locked can continue to run Salt commands.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/glsa/202310-22