SaltStack, which was acquired by VMware in mid-October, first announced on October 30 that it would release a patch for its open-source infrastructure automation and management system Salt on November 3, US presidential election day, to head off the risk of a possible large-scale attack. The company released the update as scheduled that day, patching a total of 3 vulnerabilities, 2 of which are rated at a major level of risk. However, some of the vulnerabilities were already reported in June of this year through Trend Micro's Zero Day Initiative (ZDI) bug bounty program, so companies should install the update as soon as possible. This infrastructure automation system was also found to have vulnerabilities in the first half of this year; Cisco, for example, previously disclosed that its products using Salt were affected by those vulnerabilities and had seen attack activity.
The three vulnerabilities SaltStack patched this time are CVE-2020-16846, CVE-2020-25592, and CVE-2020-17490, affecting versions 3000.4, 3001.2, and 3002. In terms of severity, CVE-2020-16846 and CVE-2020-25592, both related to Salt's API, are rated at a major level: if exploited, the former allows shell injection attacks, while the latter lets an attacker bypass the authentication mechanism. Only CVE-2020-17490, which concerns access permissions on encryption keys in the TLS module, has a relatively minor impact.
It is worth noting that more than 5 months have passed since these vulnerabilities were discovered. CVE-2020-16846, for example, was reported to ZDI in June and assigned the identifier ZDI-CAN-11143. In fact, fixes for these vulnerabilities appeared in the patch code of the GitHub project in late August and in September respectively. In its November 3 announcement, SaltStack also specifically noted that two of the vulnerabilities were reported through ZDI and that the researcher who discovered them goes by the ID KPC.
Searching an Internet of Things search engine, we found 6,153 Salt Master nodes currently exposed to the Internet. Any administrator who does not fix the above vulnerabilities is likely to face the risk of hackers exploiting them. Although SaltStack announced the patch in advance, its choice to release it on US presidential election day is open to question.