On Thursday, April 30, two high-severity CVEs in the SaltStack platform were published by researchers at F-Secure [1]. These vulnerabilities can enable RCE on the Salt leader node, resulting in a full compromise of the host.
Salt has since published updates [2] that patch these vulnerabilities. However, over the last few days, there has been a steady increase in the number of companies reporting unpatched, compromised SaltStack instances [3].
While the updates should be installed immediately, infrastructure operators should also take this opportunity to ensure their Salt environments are not exposed publicly, which is a key component of this attack vector.
Aqua Cloud has released three new plugins for its CSPM product to help address these issues, which are being enabled immediately for our customers. These plugins detect the exposure of ports 4505 and 4506 to the public internet (0.0.0.0/0) via instance security group rules. These nodes should have their security groups updated to only allow traffic from known IP addresses belonging to the Salt minions and required administrative endpoints.
1. AWS EC2 Open Salt
2. Azure Network Security Groups Open Salt
3. Google VPC Network Open Salt
These plugins are also available via CloudSploit, our open source CSPM auditing tool [4].
[1] https://labs.f-secure.com/advisories/saltstack-authorization-bypass
[3] https://www.cbronline.com/news/salt-bug
[4] https://github.com/cloudsploit/scans/blob/master/plugins/aws/ec2/openSalt.js