Researchers have identified a template injection technique against the open source SaltStack IT configuration and orchestration platform, as well as common misconfiguration issues, which could allow attackers to gain over organization’s network.
Salt is open source software for automating networking and security functions based on events and specific configurations, similar to Puppet or Ansible. Written in Python, it is widely used in network administration and security. However, common misconfigurations and security issues in SaltStack, an implementation of Salt, would allow an attacker to execute remote code, achieve presence on and control over a management network, and infiltrate other systems connected to the initially compromised system, Alex Hill, an offensive security specialist at boutique cybersecurity firm Skylight Cyber, wrote in a a blog post. The research team identified a series of three simple management configurations and a “bonus injection” method that allowed them to achieve command execution across the target environment to run arbitrary code and even pivot to customer environments.
“Misconfigured Salt implementations are a high-value target that, if compromised, are likely to lead pretty rapidly to a much broader worst case level of network compromise and should hardened commensurately,” Hill tells Dark Reading.
Template Injection for Customer Access
At its core, Salt provides automated infrastructure management that’s focused on applying and maintaining state on devices; if a device on the network has an active state misaligned to the configured state, the platform tries to reapply previously defined configuration settings. That could mean custom scripts to push up-to-date configuration files for triggering a build pipeline to bring up fresh containers, Hill wrote.
Salt also manages devices via software agents — known as “minions” — that report to centralized master-controller devices.
The researchers discovered a Jinja template injection vulnerability in Salt that — while not new in and of itself — is novel in terms of its potential for exploit in the IT management space, Hill tells Dark Reading. The flaw can result in command execution that allows for attackers to run arbitrary code not only on the master device and its minions but also on customer environments. The team was able to trick the salt-master into issuing instructions to another victim minion running as root, basically allowing them to do whatever they wanted to it and opening the door to a host of nefarious activity by a potential attacker.
Common Salt Misconfigurations
Hill identified three “dead simple misconfigurations” that can easily take down an environment: automatic minion enrollment, secrets stored in files, and exposure of the pillar system’s secret files.
Salt has an automatic enrollment feature to automate and streamline the provisioning of new customer infrastructure — such as engineer laptops or servers for new sites — but it also can allow rogue devices onto the network, Hill says. An attacker could spin up a system, install a minion, and auto-enroll the system onto the master controller — at which point, the attacker could issue in-built commands, read local files, and even explore the template injection method.
Secrets are exposed with Salt because the framework expects minions to be able to pull down any required files from the file_roots directories when it tries to reset the device’s state. All secrets, including passwords to the master device are exposed because they are in cleartext on the salt-master in web_user.sls.
An attacker that controls a minion in the environment can also access the password and thus compromise the entire system, the Skylight researchers said.
Relatedly, having the pillar directory inside an accessible directory means that all minions — even ones that were not legitimately enrolled by the administrator — are able to see the contents of the Salt secrets directory.
How to Secure Salt
Hill included in the blog post what he calls a “cheat sheet” for organizations when deploying Salt to ensure they don’t fall prey to making the common misconfiguration errors or create an environment that allows attackers to exploit the Jinja template injection vulnerability.
“Enterprises using SaltStack internally should be looking at how their implementation is configured and whether they have any of the highlighted issues currently,” he says.
Organizations should overall adopt a security attitude of “trust no one” — in this case, the “no one” meaning “no minions.”
“Assume all minions are rogue” as well as “compromised and not to be trusted,” Hill advised in his post.