openSUSE 15 Security Update : salt (openSUSE-SU-2021:0899-1)

critical Nessus Plugin ID 151062

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:0899-1 advisory.

- Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server. (CVE-2018-15750)

- SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi). (CVE-2018-15751)

- An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. (CVE-2020-11651)

- An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. (CVE-2020-11652)

- In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH. (CVE-2020-25592)

- A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
(CVE-2021-25315)

- In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely). (CVE-2021-31607)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1171257

https://bugzilla.suse.com/1176293

https://bugzilla.suse.com/1179831

https://bugzilla.suse.com/1181368

https://bugzilla.suse.com/1182281

https://bugzilla.suse.com/1182293

https://bugzilla.suse.com/1182382

https://bugzilla.suse.com/1185092

https://bugzilla.suse.com/1185281

https://bugzilla.suse.com/1186674

http://www.nessus.org/u?d1637da9

https://www.suse.com/security/cve/CVE-2018-15750

https://www.suse.com/security/cve/CVE-2018-15751

https://www.suse.com/security/cve/CVE-2020-11651

https://www.suse.com/security/cve/CVE-2020-11652

https://www.suse.com/security/cve/CVE-2020-25592

https://www.suse.com/security/cve/CVE-2021-25315

https://www.suse.com/security/cve/CVE-2021-31607

Plugin Details

Severity: Critical

ID: 151062

File Name: openSUSE-2021-899.nasl

Version: 1.11

Type: local

Agent: unix

Published: 6/28/2021

Updated: 4/25/2023

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-25592

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:salt-transactional-update, p-cpe:/a:novell:opensuse:salt-minion, p-cpe:/a:novell:opensuse:salt-syndic, p-cpe:/a:novell:opensuse:salt-cloud, p-cpe:/a:novell:opensuse:salt-fish-completion, p-cpe:/a:novell:opensuse:salt-ssh, cpe:/o:novell:opensuse:15.2, p-cpe:/a:novell:opensuse:salt-zsh-completion, p-cpe:/a:novell:opensuse:salt-master, p-cpe:/a:novell:opensuse:python3-salt, p-cpe:/a:novell:opensuse:salt-bash-completion, p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration, p-cpe:/a:novell:opensuse:salt, p-cpe:/a:novell:opensuse:salt-proxy, p-cpe:/a:novell:opensuse:salt-api

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/23/2021

Vulnerability Publication Date: 10/24/2018

CISA Known Exploited Vulnerability Due Dates: 5/3/2022

Exploitable With

CANVAS (CANVAS)

Metasploit (SaltStack Salt REST API Arbitrary Command Execution)

Reference Information

CVE: CVE-2018-15750, CVE-2018-15751, CVE-2020-11651, CVE-2020-11652, CVE-2020-25592, CVE-2021-25315, CVE-2021-31607

IAVA: 2020-A-0195-S, 2021-A-0524-S