ID CVE-2017-12791
Summary Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.
References
Vulnerable Configurations
  • cpe:2.3:a:saltstack:salt:2017.7.0
    cpe:2.3:a:saltstack:salt:2017.7.0
  • cpe:2.3:a:saltstack:salt:2016.11.6
    cpe:2.3:a:saltstack:salt:2016.11.6
CVSS
Base: 7.5
Impact:
Exploitability:
CWE CWE-22
CAPEC
  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and 'dir', or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
  • Using Escaped Slashes in Alternate Encoding
    This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1016.NASL
    description This update for salt fixes the following issues : - Update to 2017.7.1 See https://docs.saltstack.com/en/develop/topics/releases/20 17.7.1.html for full changelog - CVE-2017-12791: crafted minion ID could lead directory traversal on the Salt-master (boo#1053955) - Run fdupes over all of /usr because it still warns about duplicate files. Remove ancient suse_version > 1020 conditional. - Replace unnecessary %__ indirections. Use grep -q in favor of >/dev/null. - Avoid bashisms in %pre. - Update to 2017.7.0 See https://docs.saltstack.com/en/develop/topics/releases/20 17.7.0.html for full changelog - fix ownership for whole master cache directory (boo#1035914) - fix setting the language on SUSE systems (boo#1038855) - wrong os_family grains on SUSE - fix unittests (boo#1038855) - speed-up cherrypy by removing sleep call - Disable 3rd party runtime packages to be explicitly recommended. (boo#1040886) - fix format error (boo#1043111) - Add a salt-minion watchdog for RHEL6 and SLES11 systems (sysV) to restart salt-minion in case of crashes during upgrade. - Add procps as dependency. - Bugfix: jobs scheduled to run at a future time stay pending for Salt minions (boo#1036125)
    last seen 2019-02-21
    modified 2018-01-29
    plugin id 103154
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103154
    title openSUSE Security Update : salt (openSUSE-2017-1016)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_3531141DA708477C954A2A0549E49CA9.NASL
    description SaltStack reports : Correct a flaw in minion id validation which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal. Credit for discovering the security flaw goes to: Vernhk@qq.com
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102689
    published 2017-08-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102689
    title FreeBSD : salt -- Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master (3531141d-a708-477c-954a-2a0549e49ca9)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2666-1.NASL
    description This update for salt fixes one security issue and bugs. The following security issue has been fixed : - CVE-2017-12791: Directory traversal vulnerability in minion id validation allowed remote minions with incorrect credentials to authenticate to a master via a crafted minion ID (bsc#1053955). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103767
    published 2017-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103767
    title SUSE SLES11 Security Update : salt (SUSE-SU-2017:2666-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1183.NASL
    description Salt was updated to 2017.7.2 and also to fix various bugs and security issues. See the following resources for the full changelog: https://docs.saltstack.com/en/develop/topics/releases/2017.7.2.html https://docs.saltstack.com/en/develop/topics/releases/2017.7.1.html https://docs.saltstack.com/en/develop/topics/releases/2017.7.0.html Security issues fixed : - CVE-2017-14695: A directory traversal during minion id validation was fixed. (boo#1062462) - CVE-2017-14696: A remote denial of service attack with a specially crafted authentication request was fixed. (boo#1062464) - CVE-2017-12791: crafted minion ID could lead directory traversal on the Salt-master (boo#1053955) Non security issues fixed : - Add possibility to generate _version.py at the build time for raw builds: https://github.com/saltstack/salt/pull/43955 - Fix salt target-type field returns 'String' for existing jids but an empty 'Array' for non existing jids. (issue #1711) - Fixed minion resource exhaustion when many functions are being executed in parallel (boo#1059758) - Remove 'TasksTask' attribute from salt-master.service in older versions of systemd (boo#985112) - Provide custom SUSE salt-master.service file. - Fix wrong version reported by Salt (boo#1061407) - list_pkgs: add parameter for returned attribute selection (boo#1052264) - Adding the leftover for zypper and yum list_pkgs functionality. - Use $HOME to get the user home directory instead using '~' char (boo#1042749) - fix ownership for whole master cache directory (boo#1035914) - fix setting the language on SUSE systems (boo#1038855) - wrong os_family grains on SUSE - fix unittests (boo#1038855) - speed-up cherrypy by removing sleep call - Disable 3rd party runtime packages to be explicitly recommended. (boo#1040886) - fix format error (boo#1043111) - Add a salt-minion watchdog for RHEL6 and SLES11 systems (sysV) to restart salt-minion in case of crashes during upgrade. - Add procps as dependency. - Bugfix: jobs scheduled to run at a future time stay pending for Salt minions (boo#1036125) - Wrong os_family grains on SUSE - fix unittests. (boo#1038855) - Fix setting the language on SUSE systems. (boo#1038855) - Bugfix: unable to use hostname for minion ID as '127'. (upstream) - Bugfix: remove sleep call in CheppryPy API handler. (upstream) - Fix core grains constants for timezone. (boo#1032931) - Prevents zero length error on Python 2.6. - Fixes zypper test error after backporting. - Refactoring on Zypper and Yum execution and state modules to allow installation of patches/errata. - Allows to set 'timeout' and 'gather_job_timeout' via kwargs. - Add missing bootstrap script for Salt Cloud. (boo#1032452) - raet protocol is no longer supported. (boo#1020831) - Fix: add missing /var/cache/salt/cloud directory. (boo#1032213) - Cleanup salt user environment preparation. (boo#1027722) - Fix: race condition on cache directory creation. - Fix: /var/log/salt/minion fails logrotate. (boo#1030009) - Fix: Result of master_tops extension is mutually overwritten. (boo#1030073) - Allows to set custom timeouts for 'manage.up' and 'manage.status'. - Keep fix for migrating salt home directory. (boo#1022562) - Fix salt-minion update on RHEL. (boo#1022841) - Prevents 'OSError' exception in case certain job cache path doesn't exist. (boo#1023535)
    last seen 2019-02-21
    modified 2018-01-29
    plugin id 104087
    published 2017-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104087
    title openSUSE Security Update : salt (openSUSE-2017-1183)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0106.NASL
    description An update of 'salt' packages of Photon OS has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 111917
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111917
    title Photon OS 1.0: Salt PHSA-2018-1.0-0106 (deprecated)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0106_SALT.NASL
    description An update of the salt package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121806
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121806
    title Photon OS 1.0: Salt PHSA-2018-1.0-0106
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-388.NASL
    description This update for salt fixes the following issues : - [Regression] Permission problem: salt-ssh minion boostrap doesn't work anymore. (bsc#1027722) - wrong use of os_family string for Suse in the locale module and others (bsc#1038855) - Cannot bootstrap a host using 'Manage system completely via SSH (will not install an agent)' (bsc#1002529) - add user to or replace members of group not working with SLES11 SPx (bsc#978150) - SLES-12-GA client fail to start salt minion (SUSE MANAGER 3.0) (bsc#991048) - salt pkg.latest raises exception if package is not availible (bsc#1012999) - pkg.list_products on 'registerrelease' and 'productline' returns boolean.False if empty (bsc#989193) - SLES-12-SP1 salt-minion clients has no Base Channel added by default (bsc#986019) - 'The system requires a reboot' does not disappear from web-UI despite the reboot (bsc#1017078) - Remove option -f from startproc (bsc#975733) - [PYTHON2] package salt-minion requires /usr/bin/python (bsc#1081592) - Upgrading packages on RHEL6/7 client fails (bsc#1068566) - /var/log/salt has insecure permissions (bsc#1071322) - [Minion-bootstrapping] Invalid char cause server (salt-master ERROR) (bsc#1011304) - CVE-2016-9639: Possible information leak due to revoked keys still being used (bsc#1012398) - Bootstrapping SLES12 minion invalid (bsc#1053376) - Minions not correctly onboarded if Proxy has multiple FQDNs (bsc#1063419) - salt --summary '*' reporting '# of minions that did not return' wrongly (bsc#972311) - RH-L3 SALT - Stacktrace if nscd package is not present when using nscd state (bsc#1027044) - Inspector broken: no module 'query' or 'inspector' while querying or inspecting (bsc#989798) - [ Regression ]Centos7 Minion remote command execution from gui or cli , minion not responding (bsc#1027240) - SALT, minion_id generation doesn't match the newhostname (bsc#967803) - Salt API server shuts down when SSH call with no matches is issued (bsc#1004723) - /var/log/salt/minion fails logrotate (bsc#1030009) - Salt proxy test.ping crashes (bsc#975303) - salt master flood log with useless messages (bsc#985661) - After bootstrap salt client has deprecation warnings (bsc#1041993) - Head: salt 2017.7.2 starts salt-master as user root (bsc#1064520) - CVE-2017-12791: Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master (bsc#1053955) - salt-2017.7.2 - broken %post script for salt-master (bsc#1079048) - Tearing down deployment with SaltStack Kubernetes module always shows error (bsc#1059291) - lvm.vg_present does not recognize PV with certain LVM filter settings. (bsc#988506) - High state fails: No service execution module loaded: check support for service (bsc#1065792) - When multiple versions of a package are installed on a minion, patch status may vary (bsc#972490) - Salt cp.push does not work on SUMA 3.2 Builds because of python3.4 (bsc#1075950) - timezone modue does not update /etc/sysconfig/clock (bsc#1008933) - Add patches to salt to support SUSE Manager scalability features (bsc#1052264) - salt-minion failed to start on minimal RHEL6 because of DBus exception during load of snapper module (bsc#993039) - Permission denied: '/var/run/salt-master.pid' (bsc#1050003) - Jobs scheduled to run at a future time stay pending for Salt minions (bsc#1036125) - Backport kubernetes-modules to salt (bsc#1051948) - After highstate: The minion function caused an exception (bsc#1068446) - VUL-0: CVE-2017-14695: salt: directory traversal vulnerability in minion id validation (bsc#1062462) - unable to update salt-minion on RHEL (bsc#1022841) - Nodes run out of memory due to salt-minion process (bsc#983512) - [Proxy] 'Broken pipe' during bootstrap of salt minion (bsc#1039370) - incorrect return code from /etc/rc.d/salt-minion (bsc#999852) - CVE-2017-5200: Salt-ssh via api let's run arbitrary commands as user salt (bsc#1011800) - beacons.conf on salt-minion not processed (bsc#1060230) - SLES11 SP3 salt-minion Client Cannot Select Base Channel (bsc#975093) - salt-ssh sys.doc gives authentication failure without arguments (bsc#1019386) - minion bootstrapping: error when bootstrap SLE11 clients (bsc#990439) - Certificate Deployment Fails for SLES11 SP3 Clients (bsc#975757) - state.module run() does not translate varargs (bsc#1025896)
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 109293
    published 2018-04-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109293
    title openSUSE Security Update : salt (openSUSE-2018-388)
refmap via4
bid 100384
confirm
misc
Last major update 23-08-2017 - 10:29
Published 23-08-2017 - 10:29
Last modified 29-08-2017 - 12:43
Back to Top