[kwlug-disc] Saltstackgeddon

Mikalai Birukou mb at 3nsoft.com
Wed May 6 15:21:22 EDT 2020


Just to reiterate hygiene around any root-like resource, salt in 
particular: https://docs.saltstack.com/en/latest/topics/hardening.html


> I think this is an equivalent to realization that general hygiene is 
> required in digital and especially admin.
>
> I can see this more along the lines: "I told you to wash away dirt 
> from your hands before touching candy. Now we found new pathogen in 
> dirt!"
>
> Let me explain, and let's take a calm-headed approach here.
>
>> While looking for something else I learned that there were huge
>> vulnerabilities found in Saltstack at the end of April:
>>
>>
>> https://saltexploit.com/
>>
>> https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/ 
>>
>>
>> The tl;dr is that if your salt-master is accessible on the Internet
>> (via the Salt port) then ALL of your minions are compromised. At
>> best they are now cryptocurrency mining rigs. At worst all of your
>> server data (private keys, databases, etc) are now gone.
>
> There is a reason we disable root access on ssh. Ask yourself, why do 
> you disable root login on ssh? Probably, on the off chance that someone 
> can get root on your system (hail mary attack, etc.).
>
> It is an indisputable fact that we live in the 21st century. Your root 
> is now root for many systems, be they separate physical machines, or 
> virtual ones. If in the 20th century you had one machine with one 
> root, now we have N systems under one root for sanity, for the ability to 
> administer them, etc.
>
> This root over many machines could've been chef, or ansible, or 
> whatever else. The question is: do you leave keys lying around? Do you 
> expose fundamentally internal traffic between master and minion to 
> the outside? Do you practice security in depth, or digital admin hygiene?
>
>> Holy cow do I have egg on my face now. Our Saltstack infrastructure is
>> behind a firewall and only accessible via VPN, and as far as I can
>> tell we have not been exploited. I am still frightened.
>
> I don't think you should be frightened, since it sounds like your 
> minion+master ports are not exposed.
>
> But, to give you more ideas for more depth in your security, consider 
> turning off your salt-master when you are not administering machines. 
> If there are automatic processes, triggers, etc., this further depth 
> can't be reached, but if you use salt like me, only for human-driven 
> actions, turn the master off when you are not actively administering 
> things. You'll feel better.
>
> By the way. This extra depth is why I put my salt masters into 
> containers that can be turned off, moved.
>
>> What is most frustrating is that I found this accidentally. If I try
>> to subscribe to CVE lists I get overwhelmed with noise. But when these
>> level 10 vulnerabilities hit I do not find out about them.
>
> Paul. Just breathe. ... Breathe in. ... Breathe out. ... Breathe in. 
> ... Breathe out.
>
> Thank you for relaying this info to all of us. Tap yourself on the shoulder: 
> your setup protects from inevitable bugs down the stack.
>
>> What is almost most frustrating is that Ubuntu and Debian packages are
>> affected but there have been no official patches released.
>>
>> What is moderately frustrating is that I have been pushing
>> configuration management at my workplace for a long time, and now I
>> look like a careless idiot for building something that has a single
>> point of failure.
>
> You shouldn't feel bad. In fact, this is a glorious story of how 
> everything around you crumbles, and your systems stand unaffected, 
> 'cause you've added some security in depth. You deserve a raise!
>
-- 
Mikalai Birukou
CEO | 3NSoft Inc.
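As an added example (not from the thread or the Salt project), a small audit for the exposure question raised above: it reads `ss -ltn` output and reports salt-master ports bound to anything other than loopback, which is what makes a master reachable beyond the host. The port numbers 4505/4506 are Salt's default master ports; the `ss` samples below are constructed.

```shell
#!/bin/sh
# Added audit helper: flags a salt-master whose ZeroMQ ports are bound to
# a non-loopback address, i.e. reachable by whatever can route to this host.
# Salt's default master ports are 4505 (publish) and 4506 (request/return).
SALT_PORTS="4505 4506"

# Reads `ss -ltn` output on stdin; prints each salt port bound to a
# non-loopback local address, one "host:port" per line.
exposed_salt_listeners() {
    awk -v ports="$SALT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR == 1 { next }                        # header line
        {
            addr = $4                           # "Local Address:Port" column
            port = addr; sub(/.*:/, "", port)   # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)
            if (!(port in want)) next
            if (host == "127.0.0.1" || host == "[::1]") next
            print host ":" port
        }'
}

# Exit status 0 (true) when at least one salt port is exposed, 1 otherwise.
salt_master_is_exposed() {
    [ -n "$(exposed_salt_listeners)" ]
}

# Constructed sample of `ss -ltn` output: master listening on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:4505       0.0.0.0:*
LISTEN 0      4096   0.0.0.0:4506       0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      4096   [::]:22            [::]:*'

# Constructed sample of the same host with the master bound to loopback only
# (for instance when minions reach it over a VPN or SSH tunnel).
SAMPLE_SS_LOCAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:4505     0.0.0.0:*
LISTEN 0      4096   127.0.0.1:4506     0.0.0.0:*'

# Live use on the master host:  ss -ltn | exposed_salt_listeners
# Run with --demo to see the result for the constructed exposed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | exposed_salt_listeners
fi
```

An empty result only says the master is not bound to a routable address; it does not replace the firewall and VPN placement the thread describes.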