In the three days since a rash of attacks exploiting the critical SaltStack vulnerability emerged, a considerable number of the exposed, vulnerable servers have been patched, but there are still several thousand others online and open to attack.
On May 3 a number of organizations were hit with exploits that targeted the SaltStack Salt vulnerability (CVE-2020-11651), many of which resulted in a piece of cryptomining malware being installed on the compromised servers. The attacks took advantage of a flaw in the SaltStack Salt configuration management framework that allowed an unauthenticated user to pass requests to the master Salt server, which would then queue them for execution by the minions connected to it.
“The ClearFuncs class also exposes the method _prep_auth_info(), which returns the ‘root key’ used to authenticate commands from the local root user on the master server. This ‘root key’ can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master,” the advisory from F-Secure Labs, which discovered the flaw, says.
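The flaw described above is reachable by anyone who can open a connection to the master's request and publish ports, so one concrete defensive check, alongside patching, is to confirm that a master is not listening where untrusted networks can reach it. The following audit script is an added example, not code from the article, F-Secure, or SaltStack. It assumes the default salt-master ports 4505 (publisher) and 4506 (request server), takes a constructed snippet of `ss -ltn` output and a constructed per-port firewall allow-list, and reports any Salt port whose permitted source range is not contained in the trusted minion networks.

```python
"""Audit a Salt master host for network exposure of its ZeroMQ ports.

Added example: the socket listing and firewall allow-list below are
constructed sample data standing in for `ss -ltn` output and a real
host firewall; the default ports are an assumption about the install.
"""
import ipaddress

# Default salt-master listeners (assumption: stock configuration).
SALT_MASTER_PORTS = {4505: "publish_port", 4506: "ret_port"}

# Constructed `ss -ltn` output from a hypothetical master; both Salt
# ports are bound to the wildcard address, so the firewall decides exposure.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      1000   0.0.0.0:4505        0.0.0.0:*
LISTEN 0      1000   [::]:4506           [::]:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
"""

# Constructed inbound allow-list (port -> permitted source CIDRs).
# 4505 is open to the world: the weak setting this audit should catch.
WEAK_FIREWALL = {22: ["10.0.0.0/8"], 4505: ["0.0.0.0/0"], 4506: ["10.20.0.0/16"]}

# Corrected allow-list: both Salt ports limited to the minion network.
FIXED_FIREWALL = {22: ["10.0.0.0/8"], 4505: ["10.20.0.0/16"], 4506: ["10.20.0.0/16"]}

# Constructed: the address space from which legitimate minions connect.
TRUSTED_MINION_NETS = ["10.20.0.0/16"]


def parse_listening(ss_text):
    """Return (address, port) tuples for every LISTEN row in `ss -ltn` text."""
    sockets = []
    for line in ss_text.splitlines()[1:]:  # skip header row
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        sockets.append((addr.strip("[]"), int(port)))
    return sockets


def is_wildcard(addr):
    """True when the socket accepts connections on every interface."""
    return addr in ("0.0.0.0", "*", "::")


def exposed_salt_ports(ss_text, firewall_allow, trusted_nets):
    """List (port, source_cidr) pairs where a Salt port is reachable from
    a source range that is not inside the trusted minion networks.

    A port with no firewall rule at all is treated as open to everyone,
    which is the failure mode this check exists to surface.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for addr, port in parse_listening(ss_text):
        if port not in SALT_MASTER_PORTS:
            continue
        # Loopback-only listeners are unreachable from the network.
        if not is_wildcard(addr) and ipaddress.ip_address(addr).is_loopback:
            continue
        for src in firewall_allow.get(port, ["0.0.0.0/0"]):
            net = ipaddress.ip_network(src)
            contained = any(
                net.version == t.version and net.subnet_of(t) for t in trusted
            )
            if not contained:
                findings.append((port, src))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_FIREWALL), ("fixed", FIXED_FIREWALL)):
        hits = exposed_salt_ports(SAMPLE_SS_OUTPUT, rules, TRUSTED_MINION_NETS)
        for port, src in hits:
            print(f"[{label}] {SALT_MASTER_PORTS[port]} ({port}) reachable from {src}")
        if not hits:
            print(f"[{label}] Salt ports restricted to trusted minion networks")
```

Run on a real master, replace `SAMPLE_SS_OUTPUT` with the actual `ss -ltn` output and the allow-list with what the host firewall or cloud security group really permits; the check is only as good as the rule data fed to it, and a finding is a prompt to patch and tighten, not proof of compromise.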
On May 1, a day after the public disclosure of the vulnerability, researchers at Censys, which collects Internet-scale data on the attack surface, found nearly 6,000 vulnerable SaltStack instances online. On Tuesday, the company said 36 percent of those servers had been patched. That’s a significant decrease in the number of vulnerable servers, but it still leaves more than 3,700 unpatched. SaltStack has published patches for all of the affected versions and its team has encouraged customers to update as quickly as possible.
“We must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security. It is equally important to upgrade to latest versions of the platform and register with support for future awareness of any possible issues and remediations,” said Alex Peay, senior vice president at SaltStack.
In the early hours of May 3, a series of attacks that has been tied to a coinmining botnet began to hit organizations that had not yet patched their SaltStack instances. Among the companies hit were Ghost, a content management platform provider, Xen Orchestra, which provides orchestration services for Xen servers, and the maintainers of LineageOS, a replacement operating system for Android devices. Another victim was Algolia, a French firm that provides custom search tools to enterprises. Like the others, Algolia was hit on May 3, around 3 A.M. local time, but in this case the attackers installed a backdoor along with the coinminer.
“We were able to quickly determine that our configuration manager had been the victim of an attack, propagating malware commands to a number of servers in our Europe clusters. Part of our infrastructure was now running not just our code,” Julien Lemoine, CTO of Algolia, said in a post mortem of the attack.
“We first started by shutting down the configuration manager involved in the incident across all of our infrastructure, keeping files for later forensic analysis. Then, we teamed up with our different providers, started rebooting all of the impacted servers one by one, and investigated their state. We identified that two malwares had been injected, one to mine crypto-currencies and another as a backdoor server. We started killing all malwares, restored files back to their original state, and then built a plan to reinstall all the impacted servers one by one.”