Salt peppered with holes? Automation tool vulnerable to auth bypass: Patch now

The Salt configuration tool has patched two vulnerabilities whose combined effect was to expose Salt installations to complete control by an attacker. A patch for the issues was released last night, but systems that are not set to auto-update may still be vulnerable. The vulnerabilities were discovered by security company F- …

  1. Version 1.0 Silver badge

    I've not seen this problem before

    A login vulnerability that exposes everything? When has this ever happened in the past? What a surprise, I can't believe that anyone would create login code and not thoroughly test it for remote access failings before releasing it.

    Oh wait, I've been cleaning my system out with IPA alcohol, it seems to be disinfecting my memory, I'll get back to work, writing the code for our new corporate remote access login.

  2. Jason Bloomberg Silver badge

    On the ball

    "This typo breaks the publish module's runner method," the docs stated. This may well break scripts in use. A fix for this is promised "in mid-June 2020."

    Six weeks to release a fix for a simple typo?

  3. anthonyhegedus Silver badge

    All we need is a bunch of nasty ransomware infections distributed across home PCs all over the place.

  4. Charlie Clark Silver badge

    Hold your horses

    Exposing a Salt master to the internet is not best practice and firewall security should be implemented.

    Anything that can be remotely configured using Salt, Ansible, etc. should never publicly allow root login without secure authentication. Generally, however, the scripts are limited to setting new instances up.

    1. Anonymous Coward

      Re: Hold your horses

      Just to reiterate:

      "Exposing a Salt master to the internet is not best practice and firewall security should be implemented."

      In terms of tasks, you should have more than just setup scripts - there will likely be inventory and validation scripts to make sure your clients are working as expected. If you can get a job injected into the Salt master, it will likely distribute your exploit far and wide.

      I feel that it's worth mentioning something about the wisdom of allowing your configuration management servers to be publicly accessible on the Internet. Wait... if I say it's part of an IoT deployment that will make it ok.
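The two comments above both come down to one control: keep the Salt master off the open Internet and let only known minions and an operator host reach it. The ruleset below is an added illustration of that control, written for this page and not taken from the article, the commenters, or the Salt project. It uses Salt's documented default master ports (4505 for the publisher, 4506 for the request server); the minion network and admin host addresses are placeholders you would replace with your own.

```nftables
#!/usr/sbin/nft -f
# Constructed example: a host firewall for a Salt master that exposes the
# master's ports only to the minion network and a single operator host.
# Everything else, including unsolicited inbound traffic from the Internet,
# is dropped. Addresses are placeholders, not real deployment values.

define MINION_NET = 10.20.0.0/16   # assumed: the network your minions live on
define ADMIN_HOST = 10.0.1.5       # assumed: operator bastion for SSH
define SALT_PORTS = { 4505, 4506 } # Salt's default publish/request ports

flush table inet salt_master

table inet salt_master {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host opened
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Salt master ports: only minions and the operator host may connect.
        # Anything else hitting 4505/4506 is counted, logged and dropped so
        # the attempts show up in the kernel log for monitoring.
        tcp dport $SALT_PORTS ip saddr { $MINION_NET, $ADMIN_HOST } accept
        tcp dport $SALT_PORTS counter log prefix "salt-master-blocked: " drop

        # Administrative SSH only from the operator host
        tcp dport 22 ip saddr $ADMIN_HOST accept

        # Basic reachability checks, rate limited
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table inet salt_master`. The logged drops on 4505/4506 give you a cheap detection signal: a master that is correctly isolated should log none from outside the minion network. As a second, independent layer, the master can be bound to an internal address with the `interface` setting in the master configuration, so it never listens on a public interface even if the firewall is misconfigured.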


Biting the hand that feeds IT © 1998–2020