F-Secure consultants discovered a number of vulnerabilities in the "Salt" management framework by the company SaltStack. The open source Salt project is at the heart of SaltStack's (the company) product offerings but is also very popular as a configuration tool to manage servers in datacenters and cloud environments. Salt is used to monitor and update the state of servers. Each server runs an agent called a "minion" which connects to a "master", a Salt installation that collects state reports from minions and publishes update messages that minions can act on. Typically, such messages are updates to the configuration of a selection of servers, but they can also be used to run the same command in parallel over multiple, even all, managed systems asynchronously.

The default communication protocol in Salt is ZeroMQ. The master exposes two ZeroMQ instances, one called the "request server" where minions can connect to report their status (or the output of commands) and one called the "publish server" where the master publishes messages that the minions can connect and subscribe to.

The vulnerabilities described in this advisory allow an attacker who can connect to the "request server" port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the "master" server filesystem and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it. The vulnerabilities, allocated CVE ids CVE-2020-11651 and CVE-2020-11652, are of two different classes: one is an authentication bypass, where functionality was unintentionally exposed to unauthenticated network clients; the other is a directory traversal, where untrusted input (i.e. parameters in network requests) was not sanitized correctly, allowing unconstrained access to the entire filesystem of the master server.

SaltStack engineers patched these vulnerabilities in release 3000.2, and users of Salt are encouraged to make sure that their installs are configured to automatically pull updates from SaltStack's repository server; see there for more information. A patch release for the previous major release version is also available, with version number 2019.2.4. Adding network security controls that restrict access to the Salt master (ports 45 being the defaults) to known minions, or at least block the wider Internet, would also be prudent, as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks. A scan revealed over 6,000 instances of this service exposed to the public Internet.

Detection
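To illustrate the directory-traversal class described above, the following is an added example (not Salt's own code) contrasting the unsafe "join the client-supplied path onto a root" pattern with a resolver that confines every request to the root; the file root /srv/salt and the request paths are constructed values.

```python
import posixpath
from typing import Optional

# Constructed example root, standing in for the directory a master serves files from.
FILE_ROOT = "/srv/salt"


def naive_resolve(root: str, requested: str) -> str:
    """The unsafe pattern behind directory-traversal bugs.

    The client-controlled path is joined onto the root and trusted as-is:
    '..' segments walk out of the root, and an absolute request replaces
    the root entirely (posixpath.join discards everything before it).
    """
    return posixpath.join(root, requested)


def confined_resolve(root: str, requested: str) -> Optional[str]:
    """Hardened form: normalise the joined path and verify containment.

    Returns the resolved path when it lies inside root, or None to reject
    the request. The root is assumed to be an absolute POSIX path.
    """
    root = posixpath.normpath(root)
    # Drop leading separators so an absolute request cannot replace the root.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    # commonpath is segment-aware: a plain startswith() check would wrongly
    # accept "/srv/salt-private/key" as being under "/srv/salt".
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def audit_requests(root: str, requests: list) -> dict:
    """Classify a batch of request paths as served or rejected, as a log
    consumer or test harness for the resolver might."""
    outcome = {"served": [], "rejected": []}
    for req in requests:
        resolved = confined_resolve(root, req)
        outcome["served" if resolved else "rejected"].append(req)
    return outcome


if __name__ == "__main__":
    sample = ["top.sls", "/top.sls", "../../etc/shadow", "../salt-private/key"]
    print(audit_requests(FILE_ROOT, sample))
```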