Bug 753266 (CVE-2020-16846, CVE-2020-17490, CVE-2020-25592) - <app-admin/salt-3000.5: Multiple vulnerabilities (CVE-2020-{16846,17490,25592})
Summary: <app-admin/salt-3000.5: Multiple vulnerabilities (CVE-2020-{16846,17490,25592})
Status: CONFIRMED
Alias: CVE-2020-16846, CVE-2020-17490, CVE-2020-25592
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://www.saltstack.com/blog/on-nov...
Whiteboard: B1 [glsa+ cleanup cve]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2020-11-06 01:27 UTC by Sam James
Modified: 2020-11-11 03:53 UTC

See Also:
Package list:
app-admin/salt-3000.5
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester gentoo-dev Security 2020-11-06 01:27:51 UTC
CVE-2020-16846: 

    Impact: This CVE affects any users running the Salt API. An unauthenticated user with network access to the Salt API can use shell injections to run code on the Salt-API using the SSH client.
    Description: A user could use shell injections with the Salt API using the SSH Client.  
    Solution: Prevent shell injections in netapi SSH client
    How to Mitigate: Install the CVE fix and ensure your Salt-API has been restarted
    Severity Rating: TBD: Assessed as likely going to be a High or Critical

CVE-2020-17490: 

    Impact: This CVE affects any Minions or Masters that previously used the create_ca, create_csr, and create_self_signed_cert functions in the TLS module.
    Description: When using the functions create_ca, create_csr, and create_self_signed_cert in the tls execution module, it would not ensure the key was created with the correct permissions. With the CVE fix, the keys are no longer created with world-readable permissions and use 600.
    Solution: Prevent creating world-readable private keys with the tls execution module.
    How to mitigate: Users will need to check to ensure 600 permissions are applied to any keys that were previously created by the TLS execution module. Going forward, if the CVE fix is applied while using the tls module, the created keys will have the correct permissions.
    Severity Rating: TBD: Assessed as likely going to be a Low

CVE-2020-25592: 

    Impact: Affects users running the Salt API. Salt-netapi improperly validates eauth credentials and tokens.
    Description: Properly validate eauth credentials and tokens along with their Access Control Lists – ACLs. Prior to this change, eauth was not properly validated when calling Salt SSH via the salt-api. Any value for “eauth” or “token” would allow a user to bypass authentication and make calls to Salt SSH.  
    Solution: When using the SSH client, an unauthenticated user can gain access to run commands against targets set in a Salt-SSH roster.
    How to Mitigate: Install the patch provided below and restart your Salt-API 
    Severity Rating: TBD. Expected to be a High or Critical
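
Added example, not part of the bug report or the upstream advisory: one way to carry out the check that the CVE-2020-17490 mitigation asks for, listing key files whose mode grants anything beyond the owner and optionally setting them to 600. The ".key" suffix, the directory argument and the script name audit_keys.py are assumptions; point it at wherever your tls module wrote its keys.

```python
import os
import stat
import sys

# Assumption (not from the bug report): private keys end in ".key".
KEY_SUFFIXES = (".key",)
LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group or other permission bit


def find_loose_keys(root, suffixes=KEY_SUFFIXES):
    """Return sorted (path, mode) pairs for key files accessible beyond the owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the entry itself, not a symlink target
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & LOOSE_BITS:
                findings.append((path, mode))
    return sorted(findings)


def tighten(findings):
    """Set each reported key to 0600 and return the paths that were changed."""
    changed = []
    for path, _mode in findings:
        os.chmod(path, 0o600)
        changed.append(path)
    return changed


if __name__ == "__main__":
    # Usage: python3 audit_keys.py DIRECTORY [--fix]
    if len(sys.argv) < 2:
        sys.exit("usage: audit_keys.py DIRECTORY [--fix]")
    fix = "--fix" in sys.argv[2:]
    loose = find_loose_keys(sys.argv[1])
    for path, mode in loose:
        print(f"{mode:04o} {path}")
    if fix:
        tighten(loose)
    # Exit non-zero when loose keys were found and left unfixed.
    sys.exit(1 if loose and not fix else 0)
```

Setting the mode to 600 does not undo earlier exposure; whether a key that was world-readable needs to be reissued is a separate decision.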
Comment 1 Sam James archtester gentoo-dev Security 2020-11-06 15:29:02 UTC
amd64 done
Comment 2 Sam James archtester gentoo-dev Security 2020-11-10 00:01:13 UTC
x86 done

all arches done
Comment 3 Sam James archtester gentoo-dev Security 2020-11-10 00:01:27 UTC
Please cleanup, thanks!
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-11-11 03:50:05 UTC
This issue was resolved and addressed in GLSA 202011-13 at https://security.gentoo.org/glsa/202011-13 by GLSA coordinator Sam James (sam_c).
Comment 5 Sam James archtester gentoo-dev Security 2020-11-11 03:53:01 UTC
Reopened for cleanup.