04-30-2020 04:13 PM
I just came across this recent advisory (https://labs.f-secure.com/advisories/saltstack-authorization-bypass) which describes two vulnerabilities in SaltStack that bypass authorization mechanisms. I cannot tell if SystemLink is affected by this and would like someone to clear this up.
04-30-2020 05:11 PM - edited 04-30-2020 05:12 PM
I'm not sure if SystemLink is affected or not, but we do not use the default ZeroMQ transport that was referenced in the CVE. We had some problems with the ZeroMQ transport initially, so we disable it in our install and instead use one of their newer transports, TCP Tornado.
In addition, we will update the version of Salt we are using in a future release which includes a patch for the issue.
05-05-2020 05:54 AM
After looking at this some more I can confirm that SystemLink is affected. This is really easy to exploit. You should limit access to the server to known devices until this is patched.
There have been a number of compromised systems running Salt masters on Linux servers; some had crypto miners installed.
Some links with more information:
https://github.com/saltstack/salt/issues/57057
https://github.com/rossengeorgiev/salt-security-backports
05-05-2020 09:14 AM
Link to the patch request form: https://www.saltstack.com/lp/request-patch-april-2020/
05-12-2020 02:59 PM
05-21-2020 02:09 PM
Patches for SystemLink Server (19.6.3 and 2020 R1.1) and other products have been released. Those updates are available in NI Package Manager or by downloading the installer. See this link for details:
https://www.ni.com/en-us/support/documentation/supplemental/20/ni-security-update-for-salt.html
For previous versions of SystemLink Server, NI recommends upgrading to 19.6.3 or 2020 R1.1.