Bug 1020306 (CVE-2013-4435, CVE-2013-4436, CVE-2013-4437, CVE-2013-4438, CVE-2013-4439, CVE-2013-6617) - CVE-2013-4435 CVE-2013-4436 CVE-2013-4437 CVE-2013-4438 CVE-2013-4439 CVE-2013-6617 salt: saltstack multiple flaws
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4435, CVE-2013-4436, CVE-2013-4437, CVE-2013-4438, CVE-2013-4439, CVE-2013-6617
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1020307 1020308
Blocks:
Reported: 2013-10-17 12:21 UTC by Ratul Gupta
Modified: 2021-02-17 07:14 UTC

Fixed In Version: salt 0.17.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-05 18:33:45 UTC
Embargoed:



Description Ratul Gupta 2013-10-17 12:21:00 UTC
Saltstack, a client/server configuration system, was found to allow any minion to masquerade as any other agent when requesting stuff from the master, which could permit a compromised server to request data from another server, which could lead to a potential information leak.

References:
http://seclists.org/oss-sec/2013/q4/85
https://github.com/saltstack/salt/pull/7356

Commit:
https://github.com/saltstack/salt/pull/7356/commits

Comment 1 Ratul Gupta 2013-10-17 12:22:13 UTC
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1020307]
Affects: epel-all [bug 1020308]

Comment 2 Fedora Update System 2013-10-27 03:53:22 UTC
salt-0.17.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2013-10-27 05:32:10 UTC
salt-0.17.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2013-10-27 05:35:46 UTC
salt-0.17.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2013-11-02 21:01:20 UTC
salt-0.17.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2013-11-02 21:01:43 UTC
salt-0.17.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Vincent Danen 2013-11-05 18:33:45 UTC
A number of flaws were fixed in salt 0.17.1 (updates already pushed to Fedora and EPEL); noting the flaws and CVEs here for posterity.

Common Vulnerabilities and Exposures assigned CVE identifiers to the following vulnerabilities:

Name: CVE-2013-4435
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4435

Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated
users who are using external authentication or client ACL to execute
restricted routines by embedding the routine in another routine.


Name: CVE-2013-4436
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4436

The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0
does not validate the SSH host key of requests, which allows remote
attackers to have unspecified impact via a man-in-the-middle (MITM)
attack.


Name: CVE-2013-4437
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4437

Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0
has unspecified impact and vectors related to "insecure Usage of
/tmp."


Name: CVE-2013-4438
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4438

Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute
arbitrary YAML code via unspecified vectors.  NOTE: the vendor states
that this might not be a vulnerability because the YAML to be loaded
has already been determined to be safe.


Name: CVE-2013-4439
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4439
Reference: https://github.com/saltstack/salt/pull/7356

Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote
authenticated minions to impersonate arbitrary minions via a crafted
minion with a valid key.


Name: CVE-2013-6617
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6617

The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not
properly drop group privileges, which makes it easier for remote
attackers to gain privileges.


External References:

http://docs.saltstack.com/topics/releases/0.17.1.html

