This week, SaltStack, infrastructure automation software used by IT, network, and security operations teams to drive security and reliability for digital business, disclosed three newly discovered vulnerabilities.
Their advisory listed the CVEs: CVE-2020-16846, CVE-2020-17490 and CVE-2020-25592. The vulnerabilities impact Salt versions 3002 and earlier. The two critically rated flaws affect any users running the Salt API. In the case of CVE-2020-16846, a user could perform shell injection through the Salt API when using the SSH client, while under CVE-2020-25592 Salt-netapi improperly validates credentials and tokens.
Bleeping Computer completed a more in-depth analysis of the vulnerabilities and the discrepancies around the company's disclosure timeline.
Jason Kent, Hacker in Residence at Cequence Security, had this to say about the vulnerabilities from a security strategy perspective:
“Security teams today spend far more time focused on active attacks than on assessing their own code for security gaps, and that means that API vulnerabilities are going undetected for far too long, creating opportunities for malicious actors to access data and systems. To help eliminate API-based vulnerabilities like weak authentication and access control from making it into production, enterprises need to have runtime visibility into their API environment so that they can continually track all APIs – shadow, non-conforming or otherwise – to discover and address potential security gaps before they are published or exploited in the wild.”