SaltStack Salt SSH Command Injection Vulnerability (CVE-2020-16846)
Recently, a command injection vulnerability was disclosed in SaltStack configuration management tool.
SaltStack is a python-based automation framework that allows developers to build event based automation. SaltStack uses the terms "master" to describe the component that schedules and manages the executed jobs and "minion" to describe the workers that executes those jobs.
SaltStack supports several methods of managing "minions", one of those methods is over an SSH connection and that is where the vulnerability resided. To allow the "master" to connect to the "minion" over the SSH protocol the SaltStack SSH library uses the "ssh-keygen" tool in order to generate the key to be used by the "master". One of the methods to trigger such SSH connection between the “master” and the “minion” is by sending an HTTP request to the “/run” endpoint of the Salt API server.
Before the patch the command would run using the system shell which made it vulnerable to command injections.
Figure 1: The vulnerable "gen_key" method
When triggering the vulnerable code we can see that we can indeed inject a new arbitrary command to the existing "ssh-keygen" command executed by SaltStack SSH library.
Figure 2: Arbitrary command injected to the "ssh-keygen" command
SaltStack fixed the way the command is executed by the API. The patched version no longer uses the system shell in order to execute the command. Furthermore, to prevent a possible shell argument injection, SaltStack API is now using a safer way to pass arguments as an array to the safer “subprocess.call” function.
Figure 3: The patched "gen_key" method
Mitigation with Advanced WAF
Advanced WAF customers under any supported version are already protected against this vulnerability as the Proof of Concept exploit of the vulnerability is detected by existing Command Execution signatures. We will also work to release a dedicated signature for this vulnerability in the next ASM Security Update.
Figure 4: Exploitation attempt blocked with attack signature 200003069
Figure 5: Exploitation attempt blocked with attack signature 200003693