SaltStack Salt SSH Command Injection Vulnerability (CVE-2020-16846)
Recently, a command injection vulnerability was disclosed in SaltStack configuration management tool. SaltStack is a python-based automation framework that allows developers to build event based automation. SaltStack uses the terms "master" to describe the component that schedules and manages the executed jobs and "minion" to describe the workers that executes those jobs. SaltStack supports several methods of managing "minions", one of those methods is over an SSH connection and that is where the vulnerability resided. To allow the "master" to connect to the "minion" over the SSH protocol the SaltStack SSH library uses the "ssh-keygen" tool in order to generate the key to be used by the "master". One of the methods to trigger such SSH connection between the “master” and the “minion” is by sending an HTTP request to the “/run” endpoint of theSalt API server. Before the patch the command would run using the system shell which made it vulnerable to command injections. Figure 1: The vulnerable "gen_key" method When triggering the vulnerable code we can see that we can indeed inject a new arbitrary command to the existing "ssh-keygen" command executed by SaltStack SSH library. Figure 2: Arbitrary command injected to the "ssh-keygen" command SaltStack fixed the way the command is executed by the API. The patched version no longer uses the system shell in order to execute the command. Furthermore, to prevent a possible shell argument injection, SaltStack API is now using a safer way to pass arguments as an array to the safer “subprocess.call” function. Figure 3: The patched "gen_key" method MitigationwithAdvanced WAF Advanced WAFcustomers under any supportedversion are already protected against this vulnerabilityas theProof of Concept exploitof the vulnerabilityis detected by existing Command Executionsignatures.We will also work to release a dedicated signature for this vulnerability in the next ASM Security Update. Figure 4: Exploitation attempt blocked with attack signature 200003069 Figure 5: Exploitation attempt blocked with attack signature 200003693
