-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1884.2
       SaltStack FrameWork Vulnerabilities Affecting Cisco Products
                               18 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Modeling Labs Corporate Edition
                   Cisco Virtual Internet Routing Lab Personal Edition
                   Cisco TelePresence IX5000 Series
Publisher:         Cisco Systems
Operating System:  Cisco
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Unauthorised Access             -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11652 CVE-2020-11651 

Reference:         ESB-2020.1756
                   ESB-2020.1640
                   ESB-2020.1607.2
                   ESB-2020.1547

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG

Comment: Cisco has marked this as of priority Critical.

Revision History:  June 18 2020: Cisco added another vulnerable product
                   May  29 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

SaltStack FrameWork Vulnerabilities Affecting Cisco Products

Priority:        Critical

Advisory ID:     cisco-sa-salt-2vx545AG

First Published: 2020 May 28 16:00 GMT

Last Updated:    2020 June 16 15:17 GMT

Version 2.0:     Final

Workarounds:     Yes
Cisco Bug IDs:   CSCvu33581, CSCvu43116

CVE-2020-11651   
CVE-2020-11652   

CWE-20

Summary

  o On April 29, 2020, the Salt Open Core team notified their community
    regarding the following two CVE-IDs:

       CVE-2020-11651: Authentication Bypass Vulnerability
       CVE-2020-11652: Directory Traversal Vulnerability

    Cisco Modeling Labs Corporate Edition (CML), Cisco TelePresence IX5000
    Series, and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)
    incorporate a version of SaltStack that is running the salt-master service
    that is affected by these vulnerabilities.

    Cisco has released software updates that address these vulnerabilities.
    There are workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-salt-2vx545AG

Affected Products

  o Vulnerable Products

    These vulnerabilities affect the following Cisco products if they are
    running a vulnerable software release:

       Modeling Labs Corporate Edition (CML)
       TelePresence IX5000 Series
       Virtual Internet Routing Lab Personal Edition (VIRL-PE)

    Cisco CML and Cisco VIRL-PE

    Cisco CML and Cisco VIRL-PE can be deployed either in standalone or cluster
    configurations. The vulnerabilities will impact each deployment
    differently. For impact information and recommended actions, see the table
    in the Details section of this advisory.

    Note: Cisco maintains the salt-master servers that are used with Cisco
    VIRL-PE; those servers were upgraded on May 7, 2020. Cisco identified that
    the Cisco-maintained salt-master servers serving Cisco VIRL-PE releases
    1.2 and 1.3 had been compromised. The servers were remediated on May 7,
    2020. The following servers were compromised:

       us-1.virl.info
       us-2.virl.info
       us-3.virl.info
       us-4.virl.info
       vsm-us-1.virl.info
       vsm-us-2.virl.info

    Cisco VIRL-PE connects back to Cisco-maintained Salt servers that are
    running the salt-master service. Which Cisco salt-master server an
    installation communicates with depends on the release of Cisco VIRL-PE
    software it is running. Administrators can check the configured Cisco
    salt-master server by navigating to VIRL Server > Salt Configuration and
    Status.

    Cisco CML does not connect back to any Cisco maintained Salt Servers.
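    As an added example that is not part of the Cisco advisory, the following
    POSIX shell script reads a salt-minion configuration and reports any
    configured master that is on the list of compromised Cisco servers above.
    It assumes the minion configuration is at the stock Salt location
    /etc/salt/minion (an assumption for VIRL-PE; the advisory only points to
    the UWM page), and the two configuration snippets it runs against are
    constructed samples, not real VIRL-PE files. The function names are this
    example's own.

```shell
#!/bin/sh
# Added example, not from the Cisco advisory: report which salt-master host(s)
# a salt-minion is configured to use, and flag any that the advisory lists as
# compromised. Assumption: the minion config is the stock Salt path
# /etc/salt/minion; confirm the path on your VIRL-PE release.

# Hosts the advisory lists as compromised (remediated 2020-05-07).
COMPROMISED_MASTERS='us-1.virl.info us-2.virl.info us-3.virl.info us-4.virl.info vsm-us-1.virl.info vsm-us-2.virl.info'

# Prints the master host(s) from salt-minion config text, one per line.
# Handles the scalar form "master: host" and the YAML list form
# "master:" followed by "  - host" lines; comments and double quotes are stripped.
salt_minion_masters() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /^master:[ \t]*[^ \t]/ { sub(/^master:[ \t]*/, ""); print_host(); next }
        /^master:[ \t]*$/ { inlist = 1; next }
        inlist && /^[ \t]*-[ \t]*/ { sub(/^[ \t]*-[ \t]*/, ""); print_host(); next }
        { inlist = 0 }
        function print_host() {
            sub(/[ \t]*(#.*)?$/, ""); gsub(/"/, ""); if ($0 != "") print
        }
    '
}

# Prints each configured master that is on the compromised list; prints
# nothing when none match. Always returns 0 so it is safe under set -e.
salt_minion_listed_masters() {
    for host in $(salt_minion_masters "$1"); do
        for bad in $COMPROMISED_MASTERS; do
            [ "$host" = "$bad" ] && echo "$host"
        done
    done
    return 0
}

# Constructed sample configs (not real VIRL-PE files).
MINION_CFG_SCALAR='# constructed sample
master: us-1.virl.info
id: virl'
MINION_CFG_LIST='master:
  - us-1.virl.info
  - salt.example.internal   # constructed, not a Cisco host
  - "us-3.virl.info"
id: virl'

for cfg in "$MINION_CFG_SCALAR" "$MINION_CFG_LIST"; do
    hits=$(salt_minion_listed_masters "$cfg")
    if [ -n "$hits" ]; then
        echo "configured master(s) on the compromised list: $(printf '%s\n' "$hits" | tr '\n' ' ')"
    else
        echo "no configured master is on the compromised list"
    fi
done

# On a live VIRL-PE host (path is the stock Salt default; confirm for your release):
#   salt_minion_listed_masters "$(cat /etc/salt/minion)"
```

    A hit only tells you the minion was pointed at a server that was
    compromised before May 7, 2020; whether anything was pushed to the minion
    in that window is a question for host forensics, which is why the advisory
    recommends re-imaging VIRL-PE 1.2 and 1.3 installations.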

    Cisco TelePresence IX5000 Series

    Salt services are enabled by default on Cisco TelePresence IX5000 Series.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

Details

  o Cisco CML and Cisco VIRL-PE

    For information about Cisco CML and Cisco VIRL-PE, see Cisco Modeling Labs.

    For Cisco CML and Cisco VIRL-PE software releases 1.5 and 1.6, if the
    salt-master service is enabled, the exploitability of the product depends
    on how the product has been deployed. To be exploited, the salt-master
    service must be reachable on TCP ports 4505 and 4506 (the Salt publish and
    request ports). For any installation that is found with the salt-master
    service running, Cisco recommends either inspecting the machine for
    compromise or re-imaging it and installing the latest version of Cisco CML
    or Cisco VIRL-PE.

    To check the status of the salt-master service on the installation of Cisco
    CML and Cisco VIRL-PE, log in to the device and execute the command sudo
    systemctl status salt-master. If the salt-master service is active, as
    indicated by Active: active (running), the device is vulnerable and Cisco
    recommends following the actions listed in the table below.

    The following example shows a device where the salt-master service is
    enabled:

        virl@virl:~$ sudo systemctl status salt-master
         salt-master.service - The Salt Master Server
           Loaded: loaded (/lib/systemd/system/salt-master.service; disabled; vendor preset: enabled)
          Drop-In: /etc/systemd/system/salt-master.service.d
                   +-override.conf
           Active: active (running) since Thu 2020-05-28 17:55:10 GMT; 1s ago
             Docs: man:salt-master(1)
                   file:///usr/share/doc/salt/html/contents.html
                   https://docs.saltstack.com/en/latest/contents.html
         Main PID: 20662 (/usr/bin/python)
            Tasks: 16
           Memory: 217.9M
              CPU: 7.870s
           CGroup: /system.slice/salt-master.service
                   +-20662 /usr/bin/python /usr/bin/salt-master ProcessManage
                   +-20789 /usr/bin/python /usr/bin/salt-master MultiprocessingLoggingQueu
                   +-20793 /usr/bin/python /usr/bin/salt-master ZeroMQPubServerChanne
                   +-20794 /usr/bin/python /usr/bin/salt-master EventPublishe
                   +-20797 /usr/bin/python /usr/bin/salt-master Maintenanc
                   +-20798 /usr/bin/python /usr/bin/salt-master ReqServer_ProcessManage
                   +-20799 /usr/bin/python /usr/bin/salt-master MWorkerQueu
                   +-20804 /usr/bin/python /usr/bin/salt-master MWorker-
                   +-20805 /usr/bin/python /usr/bin/salt-master MWorker-
                   +-20806 /usr/bin/python /usr/bin/salt-master MWorker-

        May 28 17:55:08 virl systemd[1]: Starting The Salt Master Server...
        May 28 17:55:10 virl systemd[1]: Started The Salt Master Server.
        virl@virl:~$

    The following example shows a device where the salt-master service is not
    enabled:

        virl@virl:~$ sudo systemctl status salt-master
         salt-master.service - The Salt Master Server
           Loaded: loaded (/lib/systemd/system/salt-master.service; disabled; vendor preset: enabled)
          Drop-In: /etc/systemd/system/salt-master.service.d
                   +-override.conf
           Active: inactive (dead)
             Docs: man:salt-master(1)
                   file:///usr/share/doc/salt/html/contents.html
                   https://docs.saltstack.com/en/latest/contents.html

    The following table lists the impact and recommended action for each
    deployment option for each Cisco software release.

    Release 2.0, Standalone
       Impact:  Not affected. Does not run Salt services.
       Action:  None.

    Release 2.0, Cluster Mode
       Impact:  Not affected. Not currently supported.
       Action:  None.

    Release 1.6, Standalone
       Impact:  For customers who performed a fresh install, there is no
                impact. An install runs the salt-minion process only when
                required; it does not run a salt-master service.
                For customers who upgraded from Release 1.5, a salt-master
                service is running.
       Action:  Check the status of the salt-master service using the
                sudo systemctl status salt-master command. If the
                salt-master service is running, do one of the following:
                  o Upgrade to a patched release, which will disable the
                    salt-master service. ^1
                  o Disable the salt-master service using the workaround.

    Release 1.6, Cluster Mode
       Impact:  For customers who performed a fresh install, there is no
                impact. The controller runs the SaltStack master and
                communicates with the compute nodes; SaltStack is bound
                only to the private network.
                For customers who upgraded from Release 1.5, a salt-master
                service is running.
       Action:  Check the status of the salt-master service using the
                sudo systemctl status salt-master command. If the
                salt-master service is running, upgrade to a patched
                release, which will disable the salt-master service on all
                interfaces except the internal (INT) network. ^1

    Release 1.5, Standalone
       Impact:  Salt-minion service running. Salt-master service running
                (bound to all interfaces).
                Note: Salt services are not running on CML.
       Action:  Check the status of the salt-master service using the
                sudo systemctl status salt-master command. If the
                salt-master service is running, do one of the following:
                  o Upgrade to a patched release, which will disable the
                    salt-master service. ^1
                  o Disable the salt-master service using the workaround.

    Release 1.5, Cluster Mode
       Impact:  Salt-minion service running. Salt-master service running
                (bound to all interfaces).
       Action:  Upgrade to a patched release, which will disable the
                salt-master service on all interfaces except the internal
                (INT) network. ^1

    Release 1.3, Standalone
       Impact:  Salt-minion service running. Salt-master service running
                (bound to all interfaces).
       Action:  CML: Do one of the following:
                  o Upgrade to a patched release, which will disable the
                    salt-master service. ^1
                  o Disable the salt-master service using the workaround.
                VIRL-PE: Re-image the machines and install the VIRL-PE
                patched release. ^1

    Release 1.3, Cluster Mode
       Impact:  Salt-minion service running. Salt-master service running
                (bound to all interfaces).
       Action:  CML: Migrate to a patched release. ^1
                VIRL-PE: Re-image the machines and install the VIRL-PE
                patched release. ^1

    Release 1.2, Standalone
       Impact:  Salt-minion service running. Salt-master service running
                (bound to all interfaces).
       Action:  CML: Do one of the following:
                  o Upgrade to a patched release, which will disable the
                    salt-master service. ^1
                  o Disable the salt-master service using the workaround.
                VIRL-PE: Re-image the machines and install the VIRL-PE
                patched release. ^1

    Release 1.2, Cluster Mode
       Impact:  Salt-minion service running. Salt-master service running
                (bound to all interfaces).
       Action:  CML: Migrate to a patched release. ^1
                VIRL-PE: Re-image the machines and install the VIRL-PE
                patched release. ^1

    1. For recommended patched software releases, see the Fixed Software 
    section of this advisory.

    Cisco TelePresence IX5000 Series

    Salt services are enabled by default on Cisco TelePresence IX5000 Series,
    but these services are not required for normal operation. For information
    about disabling the services, see the Workarounds section.

Workarounds

  o Cisco CML and Cisco VIRL-PE

    Cisco CML and Cisco VIRL-PE software releases 2.0 and later do not run the
    salt-master service.

    For Cisco CML and Cisco VIRL-PE deployed in standalone mode, administrators
    can check the status of the salt-master service and disable the service as
    shown in the following example:

        virl@virl:~$ sudo systemctl status salt-master
         salt-master.service - The Salt Master Server
           Loaded: loaded (/lib/systemd/system/salt-master.service; disabled; vendor preset: enabled)
          Drop-In: /etc/systemd/system/salt-master.service.d
                   +-override.conf
           Active: active (running) since Thu 2020-05-28 17:55:10 GMT; 1s ago
             Docs: man:salt-master(1)
                   file:///usr/share/doc/salt/html/contents.html
                   https://docs.saltstack.com/en/latest/contents.html

        --- Output Omitted ---

        virl@virl:~$ sudo systemctl stop salt-master
        virl@virl:~$ sudo systemctl disable salt-master
        Synchronizing state of salt-master.service with SysV init with /lib/systemd/systemd-sysv-install...
        Executing /lib/systemd/systemd-sysv-install disable salt-master
        insserv: warning: current start runlevel(s) (empty) of script `salt-master' overrides LSB defaults (2 3 4 5).
        insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `salt-master' overrides LSB defaults (0 1 6).
        virl@virl:~$
        
    For Cisco CML and Cisco VIRL-PE deployed in cluster mode, administrators
    can check the status of the salt-master service and disable the service on
    all compute nodes. Follow the steps shown above for standalone deployments.
    On the cluster controller node, ensure that the salt-master is listening
    only on the private network interface for inter-cluster communication, as
    shown in the following example:

        virl@virl:~$ netstat -tulpn | grep 450
        (Not all processes could be identified, non-owned process info
         will not be shown, you would have to be root to see it all.)
        tcp        0      0 172.16.10.250:4505      0.0.0.0:*               LISTEN      -
        tcp        0      0 172.16.10.250:4506      0.0.0.0:*               LISTEN      -
        virl@virl:~$
        
    If the salt-master is listening on all interfaces as shown in the following
    example, customers will need to upgrade to a patched release:

        virl@virl:~$ netstat -tulpn | grep 450
        (Not all processes could be identified, non-owned process info
         will not be shown, you would have to be root to see it all.)
        tcp        0      0 0.0.0.0:4505      0.0.0.0:*               LISTEN      -
        tcp        0      0 0.0.0.0:4506      0.0.0.0:*               LISTEN      -
        virl@virl:~$
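    As an added example that is not part of the Cisco advisory, the following
    POSIX shell script turns the two checks above (systemctl status for the
    unit state, netstat or ss for the bind address of TCP 4505 and 4506) into a
    single verdict that follows the advisory's decision table. The command
    outputs it parses are constructed samples shaped like the ones shown in
    this advisory; the function names and verdict labels are this example's
    own.

```shell
#!/bin/sh
# Added example, not from the Cisco advisory: classify a Cisco CML / VIRL-PE
# host's salt-master exposure from the two checks the advisory describes:
#   1. `sudo systemctl status salt-master`  -> is the unit active?
#   2. `netstat -tulpn` (or `ss -tulpn`)     -> what are 4505/4506 bound to?
# Both checks are fed in as text so the logic runs offline against the
# constructed samples below; on a real host pass in the live command output.

# Prints "running" if systemd reports Active: active (running), else "stopped".
salt_master_state() {
    if printf '%s\n' "$1" | grep -q 'Active: active (running)'; then
        echo running
    else
        echo stopped
    fi
}

# Prints how the Salt publish (4505) and request (4506) ports are bound:
#   all     -> wildcard address (0.0.0.0, *, [::] or ::), reachable on every interface
#   private -> a specific address only (for example the cluster INT network)
#   none    -> no listening socket on either port
salt_master_binding() {
    listeners=$(printf '%s\n' "$1" | grep -E ':(4505|4506)[[:space:]]' | grep LISTEN || true)
    if [ -z "$listeners" ]; then
        echo none
    elif printf '%s\n' "$listeners" \
         | grep -qE '(^|[[:space:]])(0\.0\.0\.0|\*|\[::\]|::):(4505|4506)[[:space:]]'; then
        echo all
    else
        echo private
    fi
}

# Combines both checks into the advisory's decision:
#   not-running       -> no action (fresh 1.6 install, or service already disabled)
#   private-only      -> cluster controller bound to the INT network; upgrade still recommended
#   all-interfaces    -> exploitable wherever 4505/4506 are reachable: stop/disable or
#                        upgrade, and inspect the host for compromise
#   running-no-socket -> unit active but nothing listening; inspect manually
salt_master_verdict() {
    if [ "$(salt_master_state "$1")" = stopped ]; then
        echo not-running
        return 0
    fi
    case "$(salt_master_binding "$2")" in
        all)     echo all-interfaces ;;
        private) echo private-only ;;
        *)       echo running-no-socket ;;
    esac
}

# Constructed sample outputs, trimmed to the lines the checks look at.
STATUS_RUNNING='salt-master.service - The Salt Master Server
   Loaded: loaded (/lib/systemd/system/salt-master.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-05-28 17:55:10 GMT; 1s ago'
STATUS_STOPPED='salt-master.service - The Salt Master Server
   Active: inactive (dead)'
NETSTAT_PRIVATE='tcp        0      0 172.16.10.250:4505      0.0.0.0:*               LISTEN      -
tcp        0      0 172.16.10.250:4506      0.0.0.0:*               LISTEN      -'
NETSTAT_ALL='tcp        0      0 0.0.0.0:4505      0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:4506      0.0.0.0:*               LISTEN      -'
SS_ALL='tcp   LISTEN 0      1000   *:4506   *:*'

echo "1.5 standalone / 1.6 upgraded from 1.5: $(salt_master_verdict "$STATUS_RUNNING" "$NETSTAT_ALL")"
echo "1.6 cluster controller (INT only):      $(salt_master_verdict "$STATUS_RUNNING" "$NETSTAT_PRIVATE")"
echo "fresh 1.6 standalone install:           $(salt_master_verdict "$STATUS_STOPPED" "")"

# On a live host (sudo is needed for the unit status; netstat shows the bind
# addresses without root, only the owning PIDs are hidden):
#   salt_master_verdict "$(sudo systemctl status salt-master 2>&1)" "$(netstat -tulpn 2>/dev/null)"
```

    The all-interfaces verdict is the only one the stop/disable workaround
    above fully addresses; private-only matches the 1.6 cluster-controller
    case, where the advisory still asks for an upgrade to a fixed SaltStack
    because the master remains reachable from the INT network.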

    Cisco TelePresence IX5000 Series

    To disable Salt services permanently on Cisco TelePresence IX5000 Series,
    modifications must be made to the startup script files, which requires root
    access on the device. For assistance, contact the Cisco TAC through your
    support organization.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco CML

    For customers who are running the software in standalone deployments, Cisco
    recommends migrating to Cisco CML Release 2.0.

    To download the software from the Software Center on Cisco.com, do the
    following:

     1. Click Browse all.
     2. Choose Cloud and Systems Management > Network Modeling > Modeling Labs.
     3. Choose a release from the left pane.

    For customers who cannot migrate to Release 2.0, Cisco recommends migrating
    to Release 1.6.67.

    Cisco CML does not support in-place upgrades for any Cisco CML 1.x
    releases. Customers are advised to migrate to a new Cisco CML Release
    1.6.67 or Release 2.0 installation.

    Cisco fixed these vulnerabilities in Cisco CML Release 1.6.67. This
    release upgrades the version of SaltStack, which contains the fixes for
    both vulnerabilities. Customers who are running Cisco CML Release 1.6.65,
    which has Salt services enabled on only the private interfaces, are also
    advised to upgrade to Release 1.6.67.

    Cisco VIRL-PE

    Cisco recommends migrating to Cisco VIRL-PE Release 2.0, which has been
    rebranded Cisco Modeling Labs - Personal. For upgrade instructions, see
    HOW-TO: Upgrade your Virtual Internet Routing Lab Instance to Cisco
    Modeling Labs - Personal v2.0.

    For customers with standalone deployments who cannot migrate to Cisco
    VIRL-PE Release 2.0, Cisco recommends upgrading to Release 1.6.66 through
    the UWM interface to ensure that the salt-master service is disabled.
    Upgrade instructions are available at http://get.virl.info/upgrd.1.3.php.

    For customers with cluster mode deployments who are running Release 1.5 or
    Release 1.6, Cisco recommends upgrading to Release 1.6.67 through the UWM
    interface to ensure that the salt-master service is disabled and upgraded
    to a fixed SaltStack version. Customers who are running Release 1.3 are
    advised to migrate to the latest 1.6 release.

    Cisco fixed these vulnerabilities in Cisco VIRL-PE Release 1.6.67. This
    release upgrades the version of SaltStack, which contains the fixes for
    both vulnerabilities. Customers who are running Release 1.6.66, which has
    Salt services disabled, are also advised to upgrade to Release 1.6.67.

    Cisco TelePresence IX5000 Series

    Cisco will not release fixed software for Cisco TelePresence IX5000 Series,
    as the product has entered end of life. To disable Salt services
    permanently on Cisco TelePresence IX5000 Series, modifications must be made
    to the startup script files, which requires root access on the device. For
    assistance, contact the Cisco TAC through your support organization.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) became aware of
    additional attempted exploitation of these vulnerabilities in the wild.
    Cisco continues to strongly recommend that customers upgrade to a fixed
    software release to remediate these vulnerabilities.

Source

  o These vulnerabilities were made public by the Salt Open Core team on April
    29, 2020.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-salt-2vx545AG

Revision History

  o +---------+-------------------------+--------------+--------+-------------+
    | Version |       Description       |   Section    | Status |    Date     |
    +---------+-------------------------+--------------+--------+-------------+
    |         | Added Cisco             | Summary,     |        |             |
    |         | TelePresence IX5000     | Vulnerable   |        |             |
    |         | Series as a vulnerable  | Products,    |        |             |
    | 2.0     | product. Added Release  | Details,     | Final  | 2020-JUN-17 |
    |         | 1.6.67 as a fixed       | Workarounds, |        |             |
    |         | release for both Cisco  | Fixed        |        |             |
    |         | VIRL-PE and Cisco CML.  | Software     |        |             |
    +---------+-------------------------+--------------+--------+-------------+
    | 1.0     | Initial public release. | -            | Final  | 2020-MAY-28 |
    +---------+-------------------------+--------------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXuqtjONLKJtyKPYoAQj6IhAAiDYyOs8ZzOeE+P/3NzolgYWr3Lx4TVsX
mYXhHSofrzaWXoL0tPlamI4+9XQIaaCzCf/BItdpC+mHluc03SUr7dvSCr1p5kfs
GOU9DI3cHbR/7LO9H796b7ajjwJbmCshT0esMEToUfDDXbaOkKJA2oIe9XPPAIj0
gAIzRZvoecQMBXXDmQ2L0ubRleTJ8R8Chluqqk8IGTilAiy1tHbnpZ64Ellf+Wrt
e4r8JVil1VO4fS4cx2srH+JpV4iw0XJ2WhKu+CkhDyfLyGXSx/KdhkBj6oJA8wt+
2dZxQTo+3xY8JENoZKS9XvbHiDX0cIWqfrR+yw9/stRGhgSMRC9uHGRBEhXGXluc
WbcnGBugCMhC2WxXlwhiKxp90/s1Bjhj9FXc9LOCBQTTzy/G0/5p6xqE3/5yIXfk
5XnjwN/ogh3GCgc2v/M0J3KsUc2fpKWiZjtiy787wUnrKmObvwYBRBtolL0XBLs+
sfKuYaB2SWSh+M1kO8VYYRXos+vHx4kFl0W6sGElYzaciqr6ep2HGqZrMv4h6xhv
G8RGmNlVJq1GdPMheneBSFvYcsrmGCzyRzbay8KCK/3UKFscvsqRBcw4lenD/Mm2
g4rex0z2e1texa/V5CEjKfAACGXMsow4pUJJKDZDKUhlnJ1L4tQ6m3Flj/GOkNsd
kWFZO5M3RU4=
=ERAP
-----END PGP SIGNATURE-----