Vulnslist

find the latest Cisco vulnerabilities

SaltStack FrameWork Vulnerabilities Affecting Cisco Products

cisco-sa-salt-2vx545AG · Critical · Published · Updated

On April 29, 2020, the Salt Open Core team notified their community regarding the following two CVE-IDs: CVE-2020-11651: Authentication Bypass Vulnerability CVE-2020-11652: Directory Traversal Vulnerability Cisco Modeling Labs Corporate Edition (CML), Cisco TelePresence IX5000 Series, and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) incorporate a version of SaltStack that is running the salt-master service that is affected by these vulnerabilities. Cisco has released software updates that address these vulnerabilities. There are workarounds that address these vulnerabilities. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG

Cisco advisory · CSAF JSON

Workarounds

Cisco CML and Cisco VIRL-PE
Cisco CML and Cisco VIRL-PE software releases 2.0 and later do not run the salt-master service.

For Cisco CML and Cisco VIRL-PE deployed in standalone mode, administrators can check the status of the salt-master service and disable the service as shown in the following example:

virl@virl:~$ sudo systemctl status salt-master
? salt-master.service - The Salt Master Server
Loaded: loaded (/lib/systemd/system/salt-master.service; disabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/salt-master.service.d
+-override.conf
Active: active (running) since Thu 2020-05-28 17:55:10 GMT; 1s ago
Docs: man:salt-master(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltstack.com/en/latest/contents.html

--- Output Omitted ---

virl@virl:~$ sudo systemctl stop salt-master
virl@virl:~$ sudo systemctl disable salt-master
Synchronizing state of salt-master.service with SysV init with /lib/systemd/systemd-sysv-install...
Executing /lib/systemd/systemd-sysv-install disable salt-master
insserv: warning: current start runlevel(s) (empty) of script `salt-master' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `salt-master' overrides LSB defaults (0 1 6).
virl@virl:~$

For Cisco CML and Cisco VIRL-PE deployed in cluster mode, administrators can check the status of the salt-master service and disable the service on all compute nodes. Follow the steps shown above for standalone deployments. On the cluster controller node, ensure that the salt-master is listening only on the private network interface for inter-cluster communication, as shown in the following example:

virl@virl:~$ netstat -tulpn | grep 450
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 172.16.10.250:4505 0.0.0.0:* LISTEN -
tcp 0 0 172.16.10.250:4506 0.0.0.0:* LISTEN -
virl@virl:~$

If the salt-master is listening on all interfaces as shown in the following example, customers will need to upgrade to a patched release:

virl@virl:~$ netstat -tulpn | grep 450
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:4505 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:4506 0.0.0.0:* LISTEN -
virl@virl:~$

Cisco TelePresence IX5000 Series
To disable Salt services permanently on Cisco TelePresence IX5000 Series, modifications must be made to the startup script files, which requires root access on the device. For assistance, contact the Cisco TAC through your support organization.

CVEsCVE-2020-11651, CVE-2020-11652
Cisco Bug IDsCSCvu33581, CSCvu43116
CVSS ScoreBase 10.0
Base 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X
Base 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Base 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X
Product Names From Source
Cisco TelePresence IX5000, Cisco Modeling Labs, Cisco Virtual Internet Routing Lab

Related Products

Product CVE Evidence
Cisco Virtual Internet Routing Lab CVE-2020-11652 Cisco OpenVuln
Cisco Virtual Internet Routing Lab CVE-2020-11651 Cisco OpenVuln
Cisco TelePresence IX5000 CVE-2020-11652 Cisco OpenVuln
Cisco TelePresence IX5000 CVE-2020-11651 Cisco OpenVuln
Cisco TelePresence CVE-2020-11652 Cisco OpenVuln
Cisco TelePresence CVE-2020-11651 Cisco OpenVuln
Cisco Modeling Labs CVE-2020-11652 Cisco OpenVuln
Cisco Modeling Labs CVE-2020-11651 Cisco OpenVuln