IQID:22825 HTTP SaltStack Salt API Unauthenticated Remote Command Execution S

IQID: 22825 - April 2021

This Metasploit module leverages an authentication bypass and directory traversal vulnerabilities in Saltstack Salt's REST API to execute commands remotely on the master as the root user. Every 60 seconds, salt-master service performs a maintenance process check that reloads and executes all the grains on the master, including custom grain modules in the Extension Module directory. So, this module simply creates a Python script at this location and waits for it to be executed. The time interval is set to 60 seconds by default but can be changed in the master configuration file with the loop_interval option. Note that, if an administrator executes commands locally on the master, the maintenance process check will also be performed. It has been fixed in the following installation packages: 3002.5, 3001.6 and 3000.8. Also, a patch is available for the following versions: 3002.2, 3001.4, 3000.6, 2019.2.8, 2019.2.5, 2018.3.5, 2017.7.8, 2016.11.10, 2016.11.6, 2016.11.5, 2016.11.3, 2016.3.8, 2016.3.6, 2016.3.4, 2015.8.13 and 2015.8.10. This module has been tested successfully against versions 3001.4, 3002 and 3002.2 on Ubuntu 18.04.

A Full Description is available for this threat, please sign in for access to Full Description.

 

Attack Data

Attack Data is available for this threat, please sign in for access to Attack Data.

 

CVSS Information

CVSS Information is available for this threat, please sign in for access to CVSS Information.

 

Date

Date Information is available for this threat, please sign in for access to Date Information.

 

External Resources

External resources are available for this threat, please sign in for access to external resources.