
Bug 767919 (CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-25281, CVE-2021-25282, CVE-2021-25283, CVE-2021-25284, CVE-2021-3144, CVE-2021-3148, CVE-2021-3197)

Summary: <app-admin/salt-{3000.8,3001.6,3002.5}: Multiple vulnerabilities (CVE-2020-{28243,28972,35662}, CVE-2021-{3144,3148,3197,25281,25282,25283,25284})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: chutzpah
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2021-01-30 05:51:28 UTC
Details not yet published: https://saltproject.io/active-saltstack-cve-announced-2021-jan-21/.

"Most of these, we expect the Common Vulnerability Scoring System (CVSS) rating to be high or critical. We quickly took actions to remediate once made aware of the vulnerabilities.

We are preparing a CVE release to be generally available on Thursday, February 4th around Noon MST. The CVE packages will be available for 3002.3, 3001.5, and 3000.7 and patches for older versions."
Comment 1 Larry the Git Cow gentoo-dev 2021-02-27 02:32:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d56cf5f52d56b74774c234512f9be1610cd2c11f

commit d56cf5f52d56b74774c234512f9be1610cd2c11f
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2021-02-27 02:31:38 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-02-27 02:32:32 +0000

    app-admin/salt-3000.8: Version bump for sec bug #767919
    
    Bug: https://bugs.gentoo.org/767919
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 app-admin/salt/Manifest                      |   1 +
 app-admin/salt/files/salt-3000.8-tests.patch |   0
 app-admin/salt/salt-3000.8.ebuild            | 203 +++++++++++++++++++++++++++
 3 files changed, 204 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3231439b24ee57a2641fedda919b60c7c3df91a

commit e3231439b24ee57a2641fedda919b60c7c3df91a
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2021-02-27 00:29:01 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-02-27 02:32:32 +0000

    app-admin/salt-3001.6: Version bump (sec bug #767919)
    
    Bug: https://bugs.gentoo.org/767919
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 app-admin/salt/Manifest                      |   1 +
 app-admin/salt/files/salt-3001.6-tests.patch |  18 +++
 app-admin/salt/salt-3000.6.ebuild            |   7 +-
 app-admin/salt/salt-3001.6.ebuild            | 187 +++++++++++++++++++++++++++
 4 files changed, 210 insertions(+), 3 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab17e261731e37aa084815c3e1081d7a1bdebf3e

commit ab17e261731e37aa084815c3e1081d7a1bdebf3e
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2021-02-26 23:48:17 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-02-27 02:32:32 +0000

    app-admin/salt-3002.5: Version bump (sec bug #767919)
    
    Bug: https://bugs.gentoo.org/767919
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 app-admin/salt/Manifest                      |   1 +
 app-admin/salt/files/salt-3002.5-tests.patch |  30 +++++
 app-admin/salt/salt-3002.5.ebuild            | 187 +++++++++++++++++++++++++++
 3 files changed, 218 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2021-02-27 02:51:46 UTC
Thanks! Please stabilize when ready.

CVE-2021-3197

    Impact: the SaltAPI with the SSH module installed and running on the minion. This module is not running by default.
    Description: The Salt-API’s SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.

CVE-2021-25281

    Impact: The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
    Description: The Salt-API does not have eAuth credentials for the wheel_async client

CVE-2021-25282

    Impact: Unauthorized access wheel_async through salt-api can execute arbitrary code/command.
    Description: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.

CVE-2021-25283

    Impact: Via the SaltAPI fix directory traversal in wheel.pillar_roots.write
    Description: The jinja renderer does not protect against server-side template injection attacks.

CVE-2021-25284

    Impact: Run a highstate against a machine which doesn’t already have the htpasswd file created and errors are reported but the state is applied, correctly. This issue is not present in a default configuration of Salt.
    Description: webutils write passwords in cleartext to /var/log/salt/minion

CVE-2021-3148

    Impact: Via the SaltAPI a command is constructed from formatted string and can be truncated if there are single quotes in extra_mods, since json.dumps() escapes double quotes while leaving the single quotes untouched.
    Description: command injection in salt.utils.thin.gen_thin()

CVE-2020-35662

    Impact: SSL cert not verified by default
    Description: Several places where Salt was not verifying the SSL cert by default

CVE-2021-3144

    Impact: eauth tokens can be used once after expiration
    Description: Token can be used once after expiration

CVE-2020-28972

    Impact: Code base not validating SSL/TLS certificate of the server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack
    Description: Missing validation on SSL cert

CVE-2020-28243

    Impact: A privilege escalation is possible on a SaltStack minion when an unprivileged user is able to create files in any non-blacklisted directory via a command injection in a process name.
    Description: Local Privilege Escalation in the Minion
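
An added example (not from the Salt project or from this bug report) of the quoting problem described for CVE-2021-3148 above: json.dumps() leaves single quotes untouched, so a value placed inside a single-quoted shell argument ends that argument early. The command template, the `helper` module name and the sample value are assumptions made for illustration; nothing is executed, the strings are only tokenized.

```python
import json
import shlex

# Constructed sample value containing single quotes (harmless on purpose).
SAMPLE = "x' extra-word 'y"

def build_cmd_json(extra_mods):
    """Weak pattern: json.dumps() is trusted to protect a value that is
    placed inside a single-quoted shell argument. Hypothetical model,
    not Salt's gen_thin()."""
    return "python3 -c 'import helper; helper.gen({})'".format(
        json.dumps(extra_mods))

def build_cmd_quoted(extra_mods):
    """Hardened: build the script first, then shell-quote it as one word."""
    script = "import helper; helper.gen({})".format(json.dumps(extra_mods))
    return "python3 -c " + shlex.quote(script)

def build_argv(extra_mods):
    """Preferred: no shell string; the value travels as its own argv item."""
    return ["python3", "-c",
            "import sys, helper; helper.gen(sys.argv[1])", extra_mods]

def shell_words(cmd):
    """Split the string the way a POSIX shell would, without running it."""
    return shlex.split(cmd)

if __name__ == "__main__":
    for builder in (build_cmd_json, build_cmd_quoted):
        words = shell_words(builder(SAMPLE))
        print(builder.__name__, len(words), words)
    print("build_argv", build_argv(SAMPLE))
```

With the weak builder the `-c` script is cut off at the first single quote and the rest of the value becomes separate shell words; the quoted and argv forms keep it as one argument.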
Comment 3 Sam James archtester gentoo-dev Security 2021-03-24 07:15:00 UTC
Let's roll?
Comment 4 Agostino Sarubbo gentoo-dev 2021-03-26 15:13:30 UTC
amd64 stable
Comment 5 Sam James archtester gentoo-dev Security 2021-03-26 18:36:06 UTC
x86 done

all arches done
Comment 6 John Helmert III gentoo-dev Security 2021-03-26 19:17:12 UTC
Please cleanup
Comment 7 Thomas Deutschmann gentoo-dev Security 2021-03-31 11:41:33 UTC
New GLSA request filed.
Comment 8 Larry the Git Cow gentoo-dev 2021-03-31 11:43:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a31909a9b4c2ac85ba6d1bd4f8b605f3594a560c

commit a31909a9b4c2ac85ba6d1bd4f8b605f3594a560c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-03-31 11:42:58 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-03-31 11:43:07 +0000

    app-admin/salt: security cleanup
    
    Bug: https://bugs.gentoo.org/767919
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/salt/Manifest           |   1 -
 app-admin/salt/salt-3000.5.ebuild | 193 --------------------------------------
 2 files changed, 194 deletions(-)