Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

SaltStack Salt SSH Command Injection Vulnerability (CVE-2020-16846)

Gal_Goldshtein
F5 Employee
F5 Employee

on ‎16-Nov-2020 18:48

Recently, a command injection vulnerability was disclosed in SaltStack configuration management tool.


SaltStack is a python-based automation framework that allows developers to build event based automation. SaltStack uses the terms "master" to describe the component that schedules and manages the executed jobs and "minion" to describe the workers that executes those jobs.  


SaltStack supports several methods of managing "minions", one of those methods is over an SSH connection and that is where the vulnerability resided. To allow the "master" to connect to the "minion" over the SSH protocol the SaltStack SSH library uses the "ssh-keygen" tool in order to generate the key to be used by the "master". One of the methods to trigger such SSH connection between the “master” and the “minion” is by sending an HTTP request to the “/run” endpoint of the Salt API server. 


Before the patch the command would run using the system shell which made it vulnerable to command injections. 


0151T000003q0VmQAI.PNG

Figure 1: The vulnerable "gen_key" method


When triggering the vulnerable code we can see that we can indeed inject a new arbitrary command to the existing "ssh-keygen" command executed by SaltStack SSH library.


0EM1T000002JIel.png

Figure 2: Arbitrary command injected to the "ssh-keygen" command 


SaltStack fixed the way the command is executed by the API. The patched version no longer uses the system shell in order to execute the command. Furthermore, to prevent a possible shell argument injection, SaltStack API is now using a safer way to pass arguments as an array to the safer “subprocess.call” function.


0EM1T000002JIem.png

Figure 3: The patched "gen_key" method


Mitigation with Advanced WAF 

Advanced WAF customers under any supported version are already protected against this vulnerability as the Proof of Concept exploit of the vulnerability is detected by existing Command Execution signatures. We will also work to release a dedicated signature for this vulnerability in the next ASM Security Update.


0151T000003q0VxQAI.PNG

Figure 4: Exploitation attempt blocked with attack signature 200003069 


0151T000003q0W1QAI.PNG

Figure 5: Exploitation attempt blocked with attack signature 200003693

Labels:
0 Kudos
Version history
Last update:
‎16-Nov-2020 18:48
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC