Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 767919 (CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-25281, CVE-2021-25282, CVE-2021-25283, CVE-2021-25284, CVE-2021-3144, CVE-2021-3148, CVE-2021-3197) - <app-admin/salt-{3000.8,3001.6,3002.5}: Multiple vulnerabilities (CVE-2020-{28243,28972,35662}, CVE-2021-{3144,3148,3197,25281,25282,25283,25284})
Summary: <app-admin/salt-{3000.8,3001.6,3002.5}: Multiple vulnerabilities (CVE-2020-{2...
Status: RESOLVED FIXED
Alias: CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-25281, CVE-2021-25282, CVE-2021-25283, CVE-2021-25284, CVE-2021-3144, CVE-2021-3148, CVE-2021-3197
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-30 05:51 UTC by Sam James
Modified: 2023-10-31 11:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-30 05:51:28 UTC
Details not yet published: https://saltproject.io/active-saltstack-cve-announced-2021-jan-21/.

"Most of these, we expect the Common Vulnerability Scoring System (CVSS) rating to be high or critical. We quickly took actions to remediate once made aware of the vulnerabilities.

We are preparing a CVE release to be generally available on Thursday, February 4th around Noon MST. The CVE packages will be available for 3002.3, 3001.5, and 3000.7 and patches for older versions."
Comment 1 Larry the Git Cow gentoo-dev 2021-02-27 02:32:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d56cf5f52d56b74774c234512f9be1610cd2c11f

commit d56cf5f52d56b74774c234512f9be1610cd2c11f
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2021-02-27 02:31:38 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-02-27 02:32:32 +0000

    app-admin/salt-3000.8: Version bump for sec bug #767919
    
    Bug: https://bugs.gentoo.org/767919
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 app-admin/salt/Manifest                      |   1 +
 app-admin/salt/files/salt-3000.8-tests.patch |   0
 app-admin/salt/salt-3000.8.ebuild            | 203 +++++++++++++++++++++++++++
 3 files changed, 204 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3231439b24ee57a2641fedda919b60c7c3df91a

commit e3231439b24ee57a2641fedda919b60c7c3df91a
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2021-02-27 00:29:01 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-02-27 02:32:32 +0000

    app-admin/salt-3001.6: Version bump (sec bug #767919)
    
    Bug: https://bugs.gentoo.org/767919
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 app-admin/salt/Manifest                      |   1 +
 app-admin/salt/files/salt-3001.6-tests.patch |  18 +++
 app-admin/salt/salt-3000.6.ebuild            |   7 +-
 app-admin/salt/salt-3001.6.ebuild            | 187 +++++++++++++++++++++++++++
 4 files changed, 210 insertions(+), 3 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab17e261731e37aa084815c3e1081d7a1bdebf3e

commit ab17e261731e37aa084815c3e1081d7a1bdebf3e
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2021-02-26 23:48:17 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-02-27 02:32:32 +0000

    app-admin/salt-3002.5: Version bump (sec bug #767919)
    
    Bug: https://bugs.gentoo.org/767919
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 app-admin/salt/Manifest                      |   1 +
 app-admin/salt/files/salt-3002.5-tests.patch |  30 +++++
 app-admin/salt/salt-3002.5.ebuild            | 187 +++++++++++++++++++++++++++
 3 files changed, 218 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-27 02:51:46 UTC
Thanks! Please stabilize when ready.

CVE-2021-3197

    Impact: the SaltAPI with the SSH module installed and running on the minion. This module is not running by default.
    Description: The Salt-API’s SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.

CVE-2021-25281

    Impact: The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
    Description: The Salt-API does not have eAuth credentials for the wheel_async client

CVE-2021-25282

    Impact: Unauthorized access wheel_async through salt-api can execute arbitrarily code/command.
    Description: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.

CVE-2021-25283

    Impact: Via the SaltAPI fix directory traversal in wheel.pillar_roots.write
    Description: The jinja renderer does not protect against server-side template injection attacks.

CVE-2021-25284

    Impact: Run a highstate against a machine which doesn’t already have the htpasswd file created and errors are reported but the state is applied, correctly. This issue is not present in a default configuration of Salt.
    Description: webutils write passwords in cleartext to /var/log/salt/minion

CVE-2021-3148

    Impact: Via the SaltAPI a command is constructed from formatted string and can be truncated if there are single quotes in extra_mods, since json.dumps() escapes double quotes while leaving the single quotes untouched.
    Description: command injection in salt.utils.thin.gen_thin()

CVE-2020-35662

    Impact: SSL cert not verified by default
    Description: Several places where Salt was not verifying the SSL cert by default

CVE-2021-3144

    Impact: eauth tokens can be used once after expiration
    Description: Token can be used once after expiration

CVE-2020-28972

    Impact: Code base not validating SSL/TLS certificate of the server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack
    Description: Missing validation on SSL cert

CVE-2020-28243

    Impact: A privilege escalation is possible on a SaltStack minion when an unprivileged user is able to create files in any non-blacklisted directory via a command injection in a process name.
    Description: Local Privilege Escalation in the Minion
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-24 07:15:00 UTC
Let's roll?
Comment 4 Agostino Sarubbo gentoo-dev 2021-03-26 15:13:30 UTC
amd64 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-26 18:36:06 UTC
x86 done

all arches done
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-26 19:17:12 UTC
Please cleanup
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2021-03-31 11:41:33 UTC
New GLSA request filed.
Comment 8 Larry the Git Cow gentoo-dev 2021-03-31 11:43:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a31909a9b4c2ac85ba6d1bd4f8b605f3594a560c

commit a31909a9b4c2ac85ba6d1bd4f8b605f3594a560c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-03-31 11:42:58 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-03-31 11:43:07 +0000

    app-admin/salt: security cleanup
    
    Bug: https://bugs.gentoo.org/767919
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/salt/Manifest           |   1 -
 app-admin/salt/salt-3000.5.ebuild | 193 --------------------------------------
 2 files changed, 194 deletions(-)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-25 01:01:59 UTC
GLSA request filed.
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:24:18 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:32:46 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:40:38 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:48:49 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 18:04:44 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 18:13:02 UTC
Package list is empty or all packages have requested keywords.
Comment 16 Larry the Git Cow gentoo-dev 2023-10-31 11:57:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a4ba9f2fb65b65e29f00afe38eed9d10ac01301d

commit a4ba9f2fb65b65e29f00afe38eed9d10ac01301d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-31 11:57:07 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-31 11:57:38 +0000

    [ GLSA 202310-22 ] Salt: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/767919
    Bug: https://bugs.gentoo.org/812440
    Bug: https://bugs.gentoo.org/836365
    Bug: https://bugs.gentoo.org/855962
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-22.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)