Configuration Issues in SaltStack IT Tool Put Enterprises at Risk

Researchers have identified a template injection technique against the open source SaltStack IT configuration and orchestration platform, as well as common misconfiguration issues, which could allow attackers to gain control over an organization’s network.

Salt is open source software for automating networking and security functions based on events and specific configurations, similar to Puppet or Ansible. Written in Python, it is widely used in network administration and security. However, common misconfigurations and security issues in SaltStack, an implementation of Salt, would allow an attacker to execute remote code, achieve presence on and control over a management network, and infiltrate other systems connected to the initially compromised system, Alex Hill, an offensive security specialist at boutique cybersecurity firm Skylight Cyber, wrote in a blog post.

The research team identified a series of three simple management configurations and a “bonus injection” method that allowed them to achieve command execution across the target environment to run arbitrary code and even pivot to customer environments.

“Misconfigured Salt implementations are a high-value target that, if compromised, are likely to lead pretty rapidly to a much broader worst case level of network compromise and should be hardened commensurately,” Hill tells Dark Reading.

Template Injection for Customer Access

At its core, Salt provides automated infrastructure management that’s focused on applying and maintaining state on devices; if a device on the network has an active state misaligned to the configured state, the platform tries to reapply previously defined configuration settings. That could mean custom scripts to push up-to-date configuration files for triggering a build pipeline to bring up fresh containers, Hill wrote.

Salt also manages devices via software agents known as “minions” that report to centralized master-controller devices.

The researchers discovered a Jinja template injection vulnerability in Salt that, while not new in and of itself, is novel in terms of its potential for exploit in the IT management space, Hill tells Dark Reading. The flaw can result in command execution that allows for attackers to run arbitrary code not only on the master device and its minions but also on customer environments. The team was able to trick the salt-master into issuing instructions to another victim minion running as root, basically allowing them to do whatever they wanted to it and opening the door to a host of nefarious activity by a potential attacker.

Common Salt Misconfigurations

Hill identified three “dead simple misconfigurations” that can easily take down an environment: automatic minion enrollment, secrets stored in files, and exposure of the pillar system’s secret files.

Salt has an automatic enrollment feature to automate and streamline the provisioning of new customer infrastructure, such as engineer laptops or servers for new sites, but it also can allow rogue devices onto the network, Hill says. An attacker could spin up a system, install a minion, and auto-enroll the system onto the master controller, at which point, the attacker could issue in-built commands, read local files, and even explore the template injection method.

Secrets are exposed with Salt because the framework expects minions to be able to pull down any required files from the file_roots directories when it tries to reset the device’s state. All secrets, including passwords to the master device, are exposed because they are in cleartext on the salt-master in web_user.sls.

An attacker that controls a minion in the environment can also access the password and thus compromise the entire system, the Skylight researchers said.

Relatedly, having the pillar directory inside an accessible directory means that all minions, even ones that were not legitimately enrolled by the administrator, are able to see the contents of the Salt secrets directory.
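
The three misconfigurations described above can be checked mechanically. The following is an added example, not code from the article or from Skylight Cyber's research: it audits an already-parsed master configuration for automatic enrollment, a pillar directory nested under file_roots, and literal secrets in state files served to minions. It assumes the Salt master options `auto_accept`, `open_mode` and `pillar_roots` (not named in the article); the paths and file contents are constructed samples.

```python
import re
from pathlib import PurePosixPath

# Keys whose literal values in a state file suggest a cleartext secret.
SECRET_KEY = re.compile(r"^\s*-?\s*(\w*(?:password|passwd|secret|token)\w*)\s*:\s*(\S.*)$", re.I)

def _inside(child, parent):
    """True if path `child` equals or is nested under `parent`."""
    c, p = PurePosixPath(child), PurePosixPath(parent)
    return c == p or p in c.parents

def _roots(config, key):
    """Flatten {env: [dirs]} from a master config into a list of dirs."""
    return [d for dirs in config.get(key, {}).values() for d in dirs]

def audit_master(config, state_files):
    """Return findings for a parsed master config and {path: text} of state files."""
    findings = []
    # 1. Automatic enrollment: any host that installs a minion gets accepted.
    findings += [("auto-enroll", k) for k in ("auto_accept", "open_mode") if config.get(k) is True]
    file_roots = _roots(config, "file_roots")
    # 2. Pillar data placed under a directory that is served to every minion.
    findings += [("pillar-exposed", p) for p in _roots(config, "pillar_roots")
                 if any(_inside(p, r) for r in file_roots)]
    # 3. Literal secrets in files that minions can pull from file_roots.
    for path, text in state_files.items():
        if not any(_inside(path, r) for r in file_roots):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            m = SECRET_KEY.match(line)
            if m and "{{" not in m.group(2):  # templated lookups are not literals
                findings.append(("cleartext-secret", f"{path}:{lineno}"))
    return findings

# Constructed sample input (not taken from the article or the original research).
SAMPLE_CONFIG = {
    "auto_accept": True,
    "file_roots": {"base": ["/srv/salt"]},
    "pillar_roots": {"base": ["/srv/salt/pillar"]},
}
SAMPLE_FILES = {
    "/srv/salt/web_user.sls": "web_user:\n  user.present:\n    - password: S3cr3t-example\n",
    "/srv/salt/ok.sls": "svc:\n  user.present:\n    - password: {{ pillar['svc_pw'] }}\n",
}

if __name__ == "__main__":
    for kind, where in audit_master(SAMPLE_CONFIG, SAMPLE_FILES):
        print(kind, where)
```
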

How to Secure Salt

Hill included in the blog post what he calls a “cheat sheet” for organizations when deploying Salt to ensure they don’t fall prey to making the common misconfiguration errors or create an environment that allows attackers to exploit the Jinja template injection vulnerability.

“Enterprises using SaltStack internally should be looking at how their implementation is configured and whether they have any of the highlighted issues currently,” he says.

Organizations should overall adopt a security attitude of “trust no one,” in this case, the “no one” meaning “no minions.”

“Assume all minions are rogue” as well as “compromised and not to be trusted,” Hill advised in his post.
