Ubuntu 18.04 LTS: USN-4459-1 Critical: Salt Command Injection

August 14, 2020
Ensure your Ubuntu setups are updated to address Salt vulnerabilities that could result in unauthorized code execution and sensitive data leaks.

Summary

Several security issues were fixed in Salt.

Software Description:

- salt: Infrastructure management built on a dynamic communication bus

Details:

It was discovered that Salt allows remote attackers to determine which files exist on the server. An attacker could use that to extract sensitive information. (CVE-2018-15750)

It was discovered that Salt has a vulnerability that allows a user to bypass authentication. An attacker could use that to extract sensitive information, execute arbitrary code or crash the server. (CVE-2018-15751)

It was discovered that Salt is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host. (CVE-2019-17361)

It was discovered that Salt incorrectly validated method calls and sanitized paths. A remote attacker could possibly use this issue to access some methods without authentication. (CVE-2020-11651, CVE-2020-11652)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  salt-api                        2017.7.4+dfsg1-1ubuntu18.04.2
  salt-common                     2017.7.4+dfsg1-1ubuntu18.04.2
  salt-master                     2017.7.4+dfsg1-1ubuntu18.04.2
  salt-minion                     2017.7.4+dfsg1-1ubuntu18.04.2

Ubuntu 16.04 LTS:
  salt-api                        2015.8.8+ds-1ubuntu0.1
  salt-common                     2015.8.8+ds-1ubuntu0.1
  salt-master                     2015.8.8+ds-1ubuntu0.1
  salt-minion                     2015.8.8+ds-1ubuntu0.1

After a standard system update you need to restart salt to make all the
necessary changes.

References

https://ubuntu.com/security/notices/USN-4459-1

CVE-2018-15750, CVE-2018-15751, CVE-2019-17361, CVE-2020-11651, CVE-2020-11652

Severity
critical

August 13, 2020
