[arch-security] [ASA-201701-41] salt: multiple issues

Santiago Torres-Arias santiago at archlinux.org
Wed Feb 1 15:50:13 UTC 2017


Arch Linux Security Advisory ASA-201701-41
==========================================

Severity: High
Date    : 2017-01-31
CVE-ID  : CVE-2017-5192 CVE-2017-5200
Package : salt
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-159

Summary
=======

The package salt before version 2016.11.2-1 is vulnerable to multiple
issues including arbitrary code execution and arbitrary command
execution.

Resolution
==========

Upgrade to 2016.11.2-1.

# pacman -Syu "salt>=2016.11.2-1"

The problems have been fixed upstream in version 2016.11.2.

Workaround
==========

None.

Description
===========

- CVE-2017-5192 (arbitrary code execution)

The `LocalClient.cmd_batch()` method client does not accept
`external_auth` credentials and so access to it from salt-api has been
removed for now. This vulnerability allows code execution for already-
authenticated users and is only in effect when running salt-api as the
`root` user.

- CVE-2017-5200 (arbitrary command execution)

Salt-api allows arbitrary command execution on a salt-master via Salt's
ssh_client. Users of Salt-API and salt-ssh could execute a command on
the salt master via a hole when both systems were enabled.

Impact
======

A remote attacker is able to execute arbitrary commands on a salt
master when salt is not configured properly. In addition, an
authenticated attacker is able to execute arbitrary code on the salt
stack if salt-api is run as root.

References
==========

https://groups.google.com/forum/#!msg/salt-announce/eP_kQiQdnvo/6cvBrwsqCAAJ
https://docs.saltstack.com/en/latest/topics/releases/2016.11.2.html
https://security.archlinux.org/CVE-2017-5192
https://security.archlinux.org/CVE-2017-5200

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20170201/165d47f0/attachment.asc>


More information about the arch-security mailing list