SystemLink

cancel
Showing results for 
Search instead for 
Did you mean: 

RCE vulnerability in SaltStack - is SystemLink affected?

I just came across this recent advisory (https://labs.f-secure.com/advisories/saltstack-authorization-bypass) which describes two vulnerabilities in SaltStack that bypass authorization mechanisms. I cannot tell if SystemLink is affected by this and would like someone to clear this up.

0 Kudos
Message 1 of 6
(388 Views)
Highlighted

I'm not sure if SystemLink is affected or not, but we do not use the default ZeroMQ transport that was referenced in the CVE. We had some problems with the ZeroMQ transport initially, so we disable it in our install and we instead use one of their newer TCP Tornado transport.

 

In addition, we will update the version of Salt we are using in a future release which includes a patch for the issue.

0 Kudos
Message 2 of 6
(372 Views)
Highlighted

After looking at this some more I can confirm that SystemLink is affected. This is really easy to exploit. You should limit access to the server to known devices until this is patched.

There have been a number of compomised systems running salt masters on Linux servers, some had crypto miners installed.

Some links with more information:

https://github.com/saltstack/salt/issues/57057

https://github.com/rossengeorgiev/salt-security-backports

 

0 Kudos
Message 3 of 6
(292 Views)
Highlighted
0 Kudos
Message 4 of 6
(274 Views)
Highlighted
NI is working on a patch for both SystemLink Server 19.6 and 2020 R1.
Message 5 of 6
(201 Views)
Highlighted

Patches for SystemLink Server (19.6.3 and 2020 R1.1) and other products have been released.  Those updates are available in NI Package Manager or by downloading the installer.  See this link for details:

https://www.ni.com/en-us/support/documentation/supplemental/20/ni-security-update-for-salt.html

For previous versions of SystemLink Server, NI recommends upgrading to 19.6.3 or 2020 R1.1

0 Kudos
Message 6 of 6
(127 Views)