The Salt Project has patched a privilege escalation bug impacting SaltStack Salt minions that could be used during a wider exploit chain.
SaltStack’s Salt is an open source project and software designed for automation and infrastructure management.
The vulnerability, CVE-2020-28243, is described as a privilege escalation bug impacting SaltStack Salt minions allowing an unprivileged user to create files in any non-blacklisted directory via a command injection in a process name. This bug has a severity rating of 7.0.
Salt includes a master system and minions, the latter of which facilitate commands sent to the master, and both often run as root. Researchers discovered a command injection vulnerability in minions when the master system summons a process called restartcheck. Exploits can be triggered if attackers use crafted process names, permitting local users to escalate their privileges to root as long as they are able to create files on a minion in a non-forbidden directory.
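The bug class described above, as an added illustration that is not Salt's code or the researcher's proof of concept: a process name reaches a shell command line by string concatenation, shown next to two hardened forms. The `printf` stand-in command, the function names and the sample process name are assumptions constructed for this example.

```python
import shlex
import subprocess

# Constructed sample: a process name chosen by an unprivileged local user.
# The trailing echo is harmless; it only marks whether a shell parsed the name.
CRAFTED_NAME = "worker; echo INJECTED"


def lookup_unsafe(process_name: str) -> str:
    """Vulnerable pattern: the name is concatenated into a shell command line."""
    cmd = "printf 'checking %s\\n' " + process_name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_quoted(process_name: str) -> str:
    """Mitigation when a shell is unavoidable: quote the untrusted value."""
    cmd = "printf 'checking %s\\n' " + shlex.quote(process_name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv(process_name: str) -> str:
    """Preferred fix: no shell at all; the name is a single argv element."""
    argv = ["printf", "checking %s\\n", process_name]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def shell_parsed_name(output: str) -> bool:
    """True if the marker ran as its own command instead of staying data."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for fn in (lookup_unsafe, lookup_quoted, lookup_argv):
        out = fn(CRAFTED_NAME)
        print(f"{fn.__name__}: parsed_by_shell={shell_parsed_name(out)} -> {out!r}")
```

When the calling service runs as root, as the article notes Salt components often do, anything the shell parses out of the name runs with that privilege, which is why the argv form is the one to prefer.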
The researcher noted it may also be possible to perform container escapes, including performing the exploit “within a container to gain command execution as root on the host machine.” This can be performed without local shell access, but it is quite difficult.
The Salt Project resolved the vulnerability in a February security release. The group also patched other high-impact bugs, including CVE-2021-3197, a shell injection flaw in Salt-API’s SSH client; CVE-2021-25281, an eAuth security issue that could allow remote attackers to run any wheel modules on the master; and CVE-2021-25283, a failure to protect against server-side template injection attacks.