[BreachExchange] Hackers breached six Cisco servers through SaltStack Salt vulnerabilities

Destry Winant destry at riskbasedsecurity.com
Tue Jun 2 10:17:33 EDT 2020


Earlier this month, when F-Secure publicly revealed the existence of
two vulnerabilities affecting SaltStack Salt and attackers started
actively exploiting them, Cisco was among the victims.

The revelation was made on Thursday, when Cisco published an advisory
saying that, on May 7, 2020, it discovered that six of its salt-master
servers, which are part of the Cisco VIRL-PE (Virtual Internet Routing
Lab Personal Edition) service infrastructure, had been compromised.

About SaltStack Salt, the vulnerabilities, and the problem with patching

SaltStack Salt is open source software used for managing and
monitoring servers in datacenters and cloud environments. It is
installed on a “master” server, which manages “minion” servers through
an agent that exposes an API.

The two recently revealed vulnerabilities – CVE-2020-11651 (an
authentication bypass flaw) and CVE-2020-11652 (a directory traversal
flaw) – can be exploited by unauthenticated, remote attackers to
achieve RCE as root on both masters and minions.

The flaws were fixed in late April, but not all exposed Salt servers
have been patched. A few weeks ago, Censys put the number of
potentially vulnerable, internet-exposed Salt servers at 2,928.

One of the things that likely prolonged the deployment of patches is
the fact that Salt is embedded in other products, and the developers of
those products took some time to push out security updates.

VMware vRealize Operations Manager is one of those solutions, and so
are two network architecture modeling and testing solutions by Cisco.

Cisco’s breach

“Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual
Internet Routing Lab Personal Edition (VIRL-PE) incorporate a version
of SaltStack that is running the salt-master service that is affected
by these vulnerabilities,” Cisco shared.

“Cisco infrastructure maintains the salt-master servers that are used
with Cisco VIRL-PE. Those servers were upgraded on May 7, 2020. Cisco
identified that the Cisco-maintained salt-master servers that are
servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised.”

The company remediated the affected servers the same day and has
provided software updates that address these vulnerabilities, so that
enterprise admins who installed these solutions on-premises can fix
them.

For more information about which software releases are affected and
under what conditions, admins should consult the advisory, which also
offers some workarounds.

Cisco did not say what the attackers’ ultimate goal was, but in
previously disclosed attacks, their intent was to install cryptocoin
