Salt is a popular framework for configuration management and remote orchestration for any infrastructure or application stack. SaltStack, the company that created Salt, identified a critical security vulnerability in Salt last week that allows full remote code execution as root on servers managed by the framework. The vulnerability is easily exploitable if a Salt Master is exposed to the open internet. This article describes the vulnerability and its corresponding CVEs in detail, along with the software patches the company has released to mitigate it.
According to F-Secure researchers, a preliminary scan revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet, due to its popularity in cloud environments like AWS and GCP. The research report also highlights that in addition to patching Salt deployments, customers should restrict access to Salt master ports 4505 and 4506 (on default configurations), or at least block the hosts off from the open internet.
For organizations using public cloud providers, investigating public port access of Salt Servers can become a tedious task, especially for larger organizations with cloud resources spread across multiple accounts. To speed up this process, CloudHealth Secure State provides an intelligent security platform with deep insights into an organization’s cloud resources and configuration.
Once an organization is on-boarded, CloudHealth Secure State kicks off the inventory process, which discovers cloud resources in the customer's cloud accounts and stores them in the service backend. The inventory process generates an interconnected security model of the discovered cloud resources. This data layer is foundational to CloudHealth Secure State and can be visualized and queried in the "Explore" tab of the service.
The Explore view that visualizes the resource graph can be utilized by customers to quickly answer complex questions such as: Find all EC2 instances that are connected to a security group with open access to Ports 4505 and 4506 (Figure A). The query would look like this:
CloudHealth Secure State also exposes public APIs that can be leveraged to query and aggregate resource configuration data for the customer organization. Using these APIs, customers can, for example, get a breakdown by cloud account of the number of security groups with open access to ports 4505 and 4506.
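The check the two previous paragraphs describe, written out as an added example rather than CloudHealth Secure State's own query or API: it flags security groups whose ingress rules open the default Salt master ports to any source and aggregates the hits per account. The function names and the sample groups are constructed; the input only mimics the field names of an AWS EC2 DescribeSecurityGroups response, so a real run would feed that API's output in instead.

```python
# Added example (not CloudHealth Secure State code): flag AWS security groups that
# expose the default Salt master ports 4505/4506 to the internet, grouped by account.
# Input mimics the shape of an EC2 DescribeSecurityGroups response; data is constructed.
from collections import Counter

SALT_PORTS = {4505, 4506}  # default Salt publisher / request-server ports

def rule_is_public(rule):
    """True if the ingress rule accepts any source address (IPv4 or IPv6)."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
    return v4 or v6

def rule_covers_salt_port(rule):
    """True if the rule's TCP port range (or an all-traffic rule) includes 4505 or 4506."""
    if rule.get("IpProtocol") == "-1":  # "-1" means all protocols and all ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return any(lo <= p <= hi for p in SALT_PORTS)

def exposed_salt_groups(groups):
    """Return [(owner_account, group_id)] for groups internet-open on a Salt port."""
    return [(g["OwnerId"], g["GroupId"]) for g in groups
            if any(rule_is_public(r) and rule_covers_salt_port(r)
                   for r in g.get("IpPermissions", []))]

def exposed_count_by_account(groups):
    """Per-account count of exposed groups, the breakdown described in the text."""
    return Counter(acct for acct, _ in exposed_salt_groups(groups))

# Constructed sample: two accounts, four groups; only sg-aaa and sg-ccc are exposed.
SAMPLE_GROUPS = [
    {"OwnerId": "111111111111", "GroupId": "sg-aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 4505, "ToPort": 4506, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"OwnerId": "111111111111", "GroupId": "sg-bbb", "IpPermissions": [   # internal only
        {"IpProtocol": "tcp", "FromPort": 4505, "ToPort": 4506, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"OwnerId": "222222222222", "GroupId": "sg-ccc", "IpPermissions": [   # all traffic, any IPv6
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"OwnerId": "222222222222", "GroupId": "sg-ddd", "IpPermissions": [   # SSH only, not Salt
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    print(exposed_salt_groups(SAMPLE_GROUPS))
    print(dict(exposed_count_by_account(SAMPLE_GROUPS)))
```

Note that a wide port range (say 4000-5000) or an all-traffic rule counts as exposure even though 4505/4506 are never named in the rule, which is the case a naive exact-port match misses.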
To talk to a CloudHealth Secure State expert and learn how we can help you detect cloud security vulnerabilities, visit https://go.cloudhealthtech.com/vmware-secure-state