Arch Linux alert ASA-201701-41 (salt)
| From: | Santiago Torres-Arias <santiago@archlinux.org> | |
| To: | Archlinux security <arch-security@archlinux.org> | |
| Subject: | [arch-security] [ASA-201701-41] salt: multiple issues | |
| Date: | Wed, 1 Feb 2017 10:50:13 -0500 | |
| Message-ID: | <20170201155013.mshybphx4j6vzdlx@riseup.net> |
Arch Linux Security Advisory ASA-201701-41 ========================================== Severity: High Date : 2017-01-31 CVE-ID : CVE-2017-5192 CVE-2017-5200 Package : salt Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-159 Summary ======= The package salt before version 2016.11.2-1 is vulnerable to multiple issues including arbitrary code execution and arbitrary command execution. Resolution ========== Upgrade to 2016.11.2-1. # pacman -Syu "salt>=2016.11.2-1" The problems have been fixed upstream in version 2016.11.2. Workaround ========== None. Description =========== - CVE-2017-5192 (arbitrary code execution) The `LocalClient.cmd_batch()` method client does not accept `external_auth` credentials and so access to it from salt-api has been removed for now. This vulnerability allows code execution for already- authenticated users and is only in effect when running salt-api as the `root` user. - CVE-2017-5200 (arbitrary command execution) Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client. Users of Salt-API and salt-ssh could execute a command on the salt master via a hole when both systems were enabled. Impact ====== A remote attacker is able to execute arbitrary commands on a salt master when salt is not configured properly. In addition, an authenticated attacker is able to execute arbitrary code on the salt stack if salt-api is run as root. References ========== https://groups.google.com/forum/#!msg/salt-announce/eP_kQ... https://docs.saltstack.com/en/latest/topics/releases/2016... https://security.archlinux.org/CVE-2017-5192 https://security.archlinux.org/CVE-2017-5200