Infrastructure automation software company SaltStack, owned by VMware, urged enterprise data centers to patch three vulnerabilities, two of which are rated critical, in Salt versions 3002 and earlier. The patches were released about three months after the vulnerabilities were first disclosed on GitHub.
CVE-2020-16846, a shell injection flaw discovered by the Trend Micro Zero Day Initiative, lets an “unauthenticated user with network access to the Salt API use shell injections to run code on the Salt-API using the SSH client,” and received a high/critical rating. So did CVE-2020-25592, an authentication bypass in which “Salt-netapi improperly validates eauth credentials and tokens,” according to a SaltStack advisory.
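The bug class behind CVE-2020-16846 is an API that hands a caller-controlled value to a command line that a shell parses. The following is an added example written for this page to show that pattern next to two hardened forms; it is not SaltStack's code and does not reproduce the actual vulnerable path. The function names, the hostile input and the use of `echo` as an offline stand-in for the SSH client are all constructed here.

```python
"""Shell injection through a command-line wrapper: the vulnerable pattern next
to two hardened forms. Hypothetical example; not SaltStack code."""
import re
import shlex
import subprocess

# Constructed hostile input: a "host" value an unauthenticated caller could
# hand to an API that forwards it to a shell command line.
HOSTILE_HOST = "target.example; echo INJECTED"
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


def build_unsafe(host: str, remote_cmd: str, client: str = "ssh") -> str:
    """Vulnerable: caller input is interpolated into one string that a shell
    will parse, so ';', '$(...)', '|' etc. in `host` become extra commands."""
    return f"{client} {host} {remote_cmd}"


def build_argv(host: str, remote_cmd: str, client: str = "ssh") -> list:
    """Hardened: an argv list. No shell parses `host`; it reaches the client
    as exactly one argument. The '--' stops a host such as '-oProxyCommand=...'
    from being read as a client option."""
    return [client, "--", host, remote_cmd]


def build_quoted(host: str, remote_cmd: str, client: str = "ssh") -> str:
    """Hardened alternative when a shell string is unavoidable: shlex.quote
    each caller-supplied piece so the shell sees a single word."""
    return f"{client} -- {shlex.quote(host)} {shlex.quote(remote_cmd)}"


def host_is_valid(host: str) -> bool:
    """Defence in depth: allowlist the host syntax before it goes anywhere."""
    return bool(HOST_RE.match(host))


def run_unsafe(host, remote_cmd, client="ssh"):
    # shell=True: the string goes through /bin/sh, which is the whole problem.
    out = subprocess.run(build_unsafe(host, remote_cmd, client), shell=True,
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def run_argv(host, remote_cmd, client="ssh"):
    # No shell involved; the OS passes argv elements through untouched.
    out = subprocess.run(build_argv(host, remote_cmd, client),
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def run_quoted(host, remote_cmd, client="ssh"):
    # Still goes through /bin/sh, but every caller value is a quoted word.
    out = subprocess.run(build_quoted(host, remote_cmd, client), shell=True,
                         capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    # 'echo' stands in for the SSH client so this runs offline: the lines it
    # prints show exactly what argv the real client would have received.
    print("unsafe :", run_unsafe(HOSTILE_HOST, "uptime", client="echo"))
    print("argv   :", run_argv(HOSTILE_HOST, "uptime", client="echo"))
    print("quoted :", run_quoted(HOSTILE_HOST, "uptime", client="echo"))
    print("valid? :", host_is_valid(HOSTILE_HOST))
```

With the hostile host, the unsafe builder makes the local shell run a second command (`echo INJECTED uptime` appears as its own output line), while both hardened builders deliver the whole string as one argument and print a single line. Note that for a real SSH client the `remote_cmd` argument is still executed by the remote shell by design; these forms protect the host running the API, not the target of the SSH session, so the allowlist check on the host name is worth keeping in front of either builder.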
The third flaw, CVE-2020-17490, which SaltStack said “affects any Minions or Masters that previously used the create_ca, create_csr, and create_self_signed_cert functions in the TLS module,” received a low rating.
“Security teams today spend far more time focused on active attacks than on assessing their own code for security gaps, and that means that API vulnerabilities are going undetected for far too long, creating opportunities for malicious actors to access data and systems,” said Jason Kent, hacker in residence at Cequence Security, suggesting companies must gain runtime visibility into their API environments to keep vulnerabilities like weak authentication and access control out of production.