Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rossengeorgiev/salt-security-backports
Salt security backports for CVE-2020-11651 & CVE-2020-11652
https://github.com/rossengeorgiev/salt-security-backports
cve-2020-11651 cve-2020-11652 salt saltstack
Last synced: about 2 months ago
JSON representation
Salt security backports for CVE-2020-11651 & CVE-2020-11652
- Host: GitHub
- URL: https://github.com/rossengeorgiev/salt-security-backports
- Owner: rossengeorgiev
- Archived: true
- Created: 2020-05-01T20:53:49.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-05-18T17:36:18.000Z (over 4 years ago)
- Last Synced: 2024-09-22T20:01:40.900Z (about 2 months ago)
- Topics: cve-2020-11651, cve-2020-11652, salt, saltstack
- Language: Python
- Homepage: https://docs.saltstack.com/en/latest/topics/releases/3000.2.html
- Size: 29.3 KB
- Stars: 108
- Watchers: 8
- Forks: 17
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
Official patches for previous versions can be requested at: https://www.saltstack.com/lp/request-patch-april-2020/
⚠ Patches here are custom, and may differ from official ones ⚠
# Backported security patches for unsupported salt versions
[](https://travis-ci.org/rossengeorgiev/salt-security-backports)
Patches in this repo address the following CVEs:
* CVE-2020-11651 & CVE-2020-11652 - https://labs.f-secure.com/advisories/saltstack-authorization-bypass
Additionally include the following bugfixes:
* fix typo `_minion_runner` -> `minion_runner`. See: https://docs.saltstack.com/en/latest/topics/releases/3000.2.html#known-issue
* fix type `_find_file_and_stat` -> `_find_hash_and_stat`. See https://github.com/rossengeorgiev/salt-security-backports/issues/1
* removal of `run_func` from whitelist
* missing `import salt.utils.verify`
Above fixed are included in latest release of SaltStack, specifically `v2019.2.5` and `v3000.3`.
# Check if your salt-master is vulnerable
Check script needs to be ran locally on your salt-master as `root`
```bash
python salt-cve-check.py
```
Example output for Salt 2017.7.8:
```bash
[+] Salt version: 2017.7.8
[ ] This version of salt is vulnerable! Check results below
[+] Checking salt-master (127.0.0.1:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[+] Checking if vulnerable to CVE-2020-11652 (read_token)... YES
[+] Checking if vulnerable to CVE-2020-11652 (read)... YES
[+] Checking if vulnerable to CVE-2020-11652 (write1)... YES
[+] Checking if vulnerable to CVE-2020-11652 (write2)... YES
```
# Applying the patches
```bash
# locate the salt package directory (use python3 if necessary)
python -c "import imp; print(imp.find_module('salt')[1])"
# in my case: /usr/lib/python2.7/dist-packages/salt
# apply patches
# (adding -b flag will backup file before modifications at same path with .orig suffix)
# (patch can be reversed running the same command with -R flag)
patch -p2 -d /usr/lib/python2.7/dist-packages/salt < 2017.7.8_CVE-2020-11651.patch
patch -p2 -d /usr/lib/python2.7/dist-packages/salt < 2017.7.8_CVE-2020-11652.patch
# restart salt-master
systemctl restart salt-master
# or
service salt-master restart
```
Rerun the check script:
```bash
user@salt # python salt-cve-check.py
[+] Salt version: 2017.7.8
[ ] This version of salt is vulnerable! Check results below
[+] Checking salt-master (127.0.0.1:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... NO
[+] Checking if vulnerable to CVE-2020-11652 (read_token)... NO
[+] Checking if vulnerable to CVE-2020-11652 (read)... NO
[+] Checking if vulnerable to CVE-2020-11652 (write1)... NO
[+] Checking if vulnerable to CVE-2020-11652 (write2)... NO
```