Bug 1020306 - (CVE-2013-4435, CVE-2013-4436, CVE-2013-4437, CVE-2013-4438, CVE-2013-4439, CVE-2013-6617) salt: saltstack multiple flaws
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20130919,reported=2...
: Security
Depends On: 1020307 1020308
Reported: 2013-10-17 08:21 EDT by Ratul Gupta
Modified: 2015-07-31 03:11 EDT
Fixed In Version: salt 0.17.1
Doc Type: Bug Fix
Last Closed: 2013-11-05 13:33:45 EST


Description Ratul Gupta 2013-10-17 08:21:00 EDT
Saltstack, a client/server configuration system, was found to have allowed any minion to masquerade as any other agent when requesting stuff from the master, which could permit a compromised server to request data from another server, which could lead to a potential information leak.

References:
http://seclists.org/oss-sec/2013/q4/85
https://github.com/saltstack/salt/pull/7356

Commit:
https://github.com/saltstack/salt/pull/7356/commits
Comment 1 Ratul Gupta 2013-10-17 08:22:13 EDT
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1020307]
Affects: epel-all [bug 1020308]
Comment 2 Fedora Update System 2013-10-26 23:53:22 EDT
salt-0.17.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2013-10-27 01:32:10 EDT
salt-0.17.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2013-10-27 01:35:46 EDT
salt-0.17.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-11-02 17:01:20 EDT
salt-0.17.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-11-02 17:01:43 EDT
salt-0.17.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Vincent Danen 2013-11-05 13:33:45 EST
A number of flaws were fixed in salt 0.17.1 (updates already pushed to Fedora and EPEL); noting the flaws and CVEs here for posterity.

Common Vulnerabilities and Exposures assigned CVE identifiers to the following vulnerabilities:

Name: CVE-2013-4435
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4435

Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated
users who are using external authentication or client ACL to execute
restricted routines by embedding the routine in another routine.


Name: CVE-2013-4436
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4436

The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0
does not validate the SSH host key of requests, which allows remote
attackers to have unspecified impact via a man-in-the-middle (MITM)
attack.


Name: CVE-2013-4437
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4437

Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0
has unspecified impact and vectors related to "insecure Usage of
/tmp."


Name: CVE-2013-4438
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4438

Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute
arbitrary YAML code via unspecified vectors.  NOTE: the vendor states
that this might not be a vulnerability because the YAML to be loaded
has already been determined to be safe.


Name: CVE-2013-4439
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4439
Reference: https://github.com/saltstack/salt/pull/7356

Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote
authenticated minions to impersonate arbitrary minions via a crafted
minion with a valid key.


Name: CVE-2013-6617
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6617

The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not
properly drop group privileges, which makes it easier for remote
attackers to gain privileges.


External References:

http://docs.saltstack.com/topics/releases/0.17.1.html
