[kwlug-disc] Saltstackgeddon

Wed May 6 15:15:42 EDT 2020

I think this is an equivalent to realization that general hygiene is 
required in digital and especially admin.

I can see this more along the lines: "I told you to wash away dirt from 
your hands before touching candy. Now we found new pathogen in dirt!"

Let me explain, and let do calm head approach here.

> While looking for something else I learned that there were huge
> vulnerabilities found in Saltstack at the end of April:
>
>
> https://saltexploit.com/
>
> https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/
>
> The tl;dr is that if your salt-master is accessible on the Internet
> (via the Salt port) then ALL of your minions are compromised. At
> best they are now cryptocurrency mining rigs. At worst all of your
> server data (private keys, databases, etc) are now gone.

There is a reason we disable root access on ssh. Ask yourself, why do 
you disable root login on ssh? Probably, in an off chance that someone 
can get a root on your system (hail marry attack, etc.).

It is indisputable fact that we leave in the 21st century. Your root is 
now root for many systems, be it separate physical machine, or virtual 
ones. If in the 20th century you had one machine with one root, now we 
have N systems under one root for sanity, for ability to administer it, etc.

This root over many machines could've been chef, or ansible, or whatever 
else. The question is do you leave keys lying around? Do you expose a 
fundamentally internal traffic between master and minion to the outside? 
Do you practice security in depth, or digital admin hygiene?

> Holy cow do I have egg on my face now. Our Saltstack infrastructure is
> behind a firewall and only accessible via VPN, and as far as I can
> tell we have not been exploited. I am still frightened.

I don't think you should be frightened, since it sounds that your 
minion+master ports are not exposed.

But, to give you more ideas for more depth in your security, consider 
turning off your salt-master, when you are not administering machines. 
If there are automatic processes, triggers, etc., this further depth 
can't be reached, but if you use salt like me, only for human-driven 
actions, turn master off, when you are not actively administering 
things. You'll feel better.

By the way. This extra depth is why I put my salt masters into 
containers that can be turned off, moved.

> What is most frustrating is that I found this accidentally. If I try
> to subscribe to CVE lists I get overwhelmed with noise. But when these
> level 10 vulnerabilities hit I do not find out about them.

Paul. Just breathe. ... Breathe in. ... Breathe out. ... Breathe in. ... 
Breathe out.

Thank you for relying this info to all of us. Tap yourself on shoulder 
that your setup protects from inevitable bugs down the stack.

> What is almost most frustrating is that Ubuntu and Debian packages are
> affected but there have been no official patches released.
>
> What is moderately frustrating is that I have been pushing
> configuration management at my workplace for a long time, and now I
> look like a careless idiot for building something that has a single
> point of failure.

You shouldn't feel bad. In fact, this is a glorious story of how 
everything around you crumbles, and your systems stand unaffected, cause 
you've added some security in depth. You deserve a raise!