Configuration Issues in SaltStack IT Tool Put Enterprises at Risk

Researchers flag common misconfiguration errors and a template injection technique that could let an attacker take over the IT management network and connected systems.

Image depicting code, commands
Source: Pablo Lagarto via Alamy Stock Photo

Researchers have identified a template injection technique against the open source SaltStack IT configuration and orchestration platform, as well as common misconfiguration issues, which could allow attackers to gain over organization's network.

Salt is open source software for automating networking and security functions based on events and specific configurations, similar to Puppet or Ansible. Written in Python, it is widely used in network administration and security. However, common misconfigurations and security issues in SaltStack, an implementation of Salt, would allow an attacker to execute remote code, achieve presence on and control over a management network, and infiltrate other systems connected to the initially compromised system, Alex Hill, an offensive security specialist at boutique cybersecurity firm Skylight Cyber, wrote in a a blog post. The research team identified a series of three simple management configurations and a "bonus injection" method that allowed them to achieve command execution across the target environment to run arbitrary code and even pivot to customer environments.

"Misconfigured Salt implementations are a high-value target that, if compromised, are likely to lead pretty rapidly to a much broader worst case level of network compromise and should hardened commensurately," Hill tells Dark Reading.

Template Injection for Customer Access

At its core, Salt provides automated infrastructure management that's focused on applying and maintaining state on devices; if a device on the network has an active state misaligned to the configured state, the platform tries to reapply previously defined configuration settings. That could mean custom scripts to push up-to-date configuration files for triggering a build pipeline to bring up fresh containers, Hill wrote.

Salt also manages devices via software agents — known as "minions" — that report to centralized master-controller devices.

The researchers discovered a Jinja template injection vulnerability in Salt that — while not new in and of itself — is novel in terms of its potential for exploit in the IT management space, Hill tells Dark Reading. The flaw can result in command execution that allows for attackers to run arbitrary code not only on the master device and its minions but also on customer environments. The team was able to trick the salt-master into issuing instructions to another victim minion running as root, basically allowing them to do whatever they wanted to it and opening the door to a host of nefarious activity by a potential attacker.

Common Salt Misconfigurations

Hill identified three "dead simple misconfigurations" that can easily take down an environment: automatic minion enrollment, secrets stored in files, and exposure of the pillar system's secret files.

Salt has an automatic enrollment feature to automate and streamline the provisioning of new customer infrastructure — such as engineer laptops or servers for new sites — but it also can allow rogue devices onto the network, Hill says. An attacker could spin up a system, install a minion, and auto-enroll the system onto the master controller — at which point, the attacker could issue in-built commands, read local files, and even explore the template injection method.

Secrets are exposed with Salt because the framework expects minions to be able to pull down any required files from the file_roots directories when it tries to reset the device's state. All secrets, including passwords to the master device are exposed because they are in cleartext on the salt-master in web_user.sls.

An attacker that controls a minion in the environment can also access the password and thus compromise the entire system, the Skylight researchers said.

Relatedly, having the pillar directory inside an accessible directory means that all minions — even ones that were not legitimately enrolled by the administrator — are able to see the contents of the Salt secrets directory.

How to Secure Salt

Hill included in the blog post what he calls a "cheat sheet" for organizations when deploying Salt to ensure they don't fall prey to making the common misconfiguration errors or create an environment that allows attackers to exploit the Jinja template injection vulnerability.

"Enterprises using SaltStack internally should be looking at how their implementation is configured and whether they have any of the highlighted issues currently," he says.

Organizations should overall adopt a security attitude of "trust no one" — in this case, the "no one" meaning "no minions."

"Assume all minions are rogue" as well as "compromised and not to be trusted," Hill advised in his post.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights