SB2021022626 - SUSE update for salt

Description

This security bulletin contains information about 10 secuirty vulnerabilities.

1) Security restrictions bypass (CVE-ID: CVE-2020-28243)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation. A remote user can create files in any non-blacklisted directory via a command injection in a process name.

2) Improper Certificate Validation (CVE-ID: CVE-2020-28972)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to absent validation of SSL/TLS certificates. A remote attacker can perform MitM attack.

3) Improper Certificate Validation (CVE-ID: CVE-2020-35662)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper TLS certificate validation. A remote attacker can force the application to accept an untrusted certificate and perform MitM attack.

4) Improper access control (CVE-ID: CVE-2021-25281)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. The salt-api does not honor eauth credentials for the wheel_async client. A remote attacker can remotely run any wheel modules on the master.

5) Path traversal (CVE-ID: CVE-2021-25282)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the salt.wheel.pillar_roots.write method. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.

6) Code Injection (CVE-ID: CVE-2021-25283)

The vulnerability allows a user attacker to perform server-side template injection attacks.

The vulnerability exists due to improper input validation. A remote user can send a specially crafted request and execute arbitrary code on the target system via the SaltAPI fix directory traversal in wheel.pillar_roots.write (described in #VU50980).

7) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2021-25284)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to salt.modules.cmdmod stores sensitive information, such as passwords into the /var/log/salt/minion file. A local user can read the log files and gain access to sensitive data.

8) Improper Authentication (CVE-ID: CVE-2021-3144)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests for expired eauth tokens. A remote attacker can re-use one more time expired eauth tokens to run command against the salt master or minions.

9) Command Injection (CVE-ID: CVE-2021-3148)

The vulnerability allows a remote user to execute arbitrary commands within the application.

The vulnerability exists due to improper input validation, related to handling single and double quotes, within the salt.utils.thin.gen_thin() function in salt/utils/thin.py. A remote user can send a specially crafted HTTP request to the SaltAPI and execute arbitrary commands.

10) OS Command Injection (CVE-ID: CVE-2021-3197)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation within the salt-api ssh client. A remote attacker can include the ProxyCommand in an argument, or via ssh_options provided in an API request and execute arbitrary commands on the system.

Remediation

Install update from vendor's website.

References

• https://www.suse.com/support/update/announcement/2021/suse-su-20210628-1/