Have you updated SaltStack Salt? Attacks are underway!

Have you updated your SaltStack Salt “masters” and made them inaccessible over the internet – or at least restricted access to them?

Even though F-Secure researchers declined to publish PoC exploit code for two critical Salt flaws they recently discovered and privately disclosed, it didn’t take long for others to do it and for attackers to try to exploit them.

Successful exploitations

In the wake of the public revelation of the flaws affecting the popular server configuration management framework, attackers hit the LineageOS project, the Ghost blogging platform, DigiCert, as well as Xen Orchestra (a web-based management service for Xen hypervisors) and Algolia (an enterprise search and discovery provider).

The attacks were “noisy” (most installed cryptominers, but some also RATs) and were discovered and publicized quickly, making the number of vulnerable Salt installations exposed on the internet fall from nearly 6,000 to 3,722 in mere five days (May 1 to May 6).

Given the attention the attacks have garnered the number is surely even lower by now and, hopefully, organizations are also updating their internal-facing installations to prevent lateral exploitation and movement.

What to do?

SaltStack provided security updates for both supported (2019.2.3 and 3000.1) and earlier versions (2015.8.x, 2016.3.x, 2016.11.x, 2017.7.x and 2018.3.x) and advised admins to harden their installations further.

There are tools for checking whether installations are vulnerable. There’s also an ongoing thread on GitHub where admins of affected organizations are sharing details about their masters being breached through the flaws.

It’s also good to note that some other solutions might have Salt integrated and will require updates. An example of this is the VMware vRealize Operations Manager, for which VMware plans to release updates soon (in the meantime, workarounds have been made available).