The patches came after Cisco was notified by the Salt Open Core team that the vulnerabilities and updates were available.

Dark Reading Staff, Dark Reading

May 30, 2020

1 Min Read

Cisco recently patched vulnerabilities in its SaltStack Framework after Salt master servers were compromised. The pair of vulnerabilities, CVE-2020-11651 and CVE-2020-11652, were discovered and patched by the Salt community, which found some 6,000 Salt masters globally that were affected. The vulnerabilities have been given a Common Vulnerability Scoring System (CVSS) score of 10, indicating that they are critical.

The vulnerabilities could allow a remote user to run arbitrary commands and access methods or directory paths for which they aren't authorized. This is possible because the affected software versions do not properly authorize certain users and sanitize particular commands.

Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) ship a version of SaltStack whose Salt master service is affected by these vulnerabilities.

Salt is open source software for automating networking and security functions based on events and specific configurations. SaltStack is an implementation of Salt. Written in Python, it is widely used in network administration and security.

Cisco and the Salt community recommend that users immediately update software and harden their Salt environments.
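The article names two defect classes in the unpatched master: callers are not properly authorized before privileged methods run, and caller-supplied paths are not sanitized, so directory traversal is possible. The following is an added example (not code from Salt or Cisco) showing each weak pattern next to a hardened one, as the kind of check a hardening pass should confirm is in place. The method names, the token store, the base directory and the sample requests are all constructed for illustration.

```python
"""Illustration of the two defect classes the article attributes to the
unpatched Salt master: a method dispatcher that does not require callers to
prove authorization, and path handling that does not reject traversal.
Added example, not Salt's or Cisco's code; every name and value below is
constructed."""
import posixpath
from typing import Optional

# Constructed stand-in for the master's authentication state.
VALID_TOKENS = {"tok-abc123"}

# Methods the hardened dispatcher serves without a token.
PUBLIC_METHODS = {"ping"}


def is_authorized(method: str, token: Optional[str]) -> bool:
    """True when `token` may invoke `method`.

    Underscore-prefixed names are internal helpers and are never remotely
    callable; everything else outside PUBLIC_METHODS needs a valid token.
    """
    if method.startswith("_"):
        return False
    if method in PUBLIC_METHODS:
        return True
    return token in VALID_TOKENS


def dispatch_weak(method: str, token: Optional[str]) -> str:
    """Weak pattern: runs any requested method without checking the caller."""
    return f"ran {method}"


def dispatch_hardened(method: str, token: Optional[str]) -> str:
    """Hardened pattern: refuses the call unless is_authorized() passes."""
    if not is_authorized(method, token):
        raise PermissionError(f"not authorized to call {method}")
    return f"ran {method}"


def is_within_base(base: str, requested: str) -> bool:
    """True when `requested`, joined to `base` and normalised, stays inside `base`.

    Pure string check on POSIX paths; a real server must also resolve
    symlinks (os.path.realpath) before applying the same containment test.
    """
    if posixpath.isabs(requested):
        return False
    base_norm = posixpath.normpath(base)
    joined = posixpath.normpath(posixpath.join(base_norm, requested))
    # The trailing "/" keeps "/srv/salt2" from passing as inside "/srv/salt".
    return joined == base_norm or joined.startswith(base_norm.rstrip("/") + "/")


def resolve_weak(base: str, requested: str) -> str:
    """Weak pattern: naive join, so '../' segments walk out of `base`."""
    return posixpath.normpath(posixpath.join(base, requested))


def resolve_hardened(base: str, requested: str) -> str:
    """Hardened pattern: same join, but only after the containment check."""
    if not is_within_base(base, requested):
        raise ValueError(f"path escapes {base}: {requested!r}")
    return posixpath.normpath(posixpath.join(base, requested))


if __name__ == "__main__":
    # Constructed requests: a legitimate file, a traversal, and calls with
    # and without a token.
    base = "/srv/salt"
    for req in ("top.sls", "../../outside.txt"):
        verdict = "allowed" if is_within_base(base, req) else "rejected"
        print(f"{req!r}: weak -> {resolve_weak(base, req)}, hardened -> {verdict}")
    for method, token in (("ping", None), ("runner", None), ("runner", "tok-abc123")):
        verdict = "allowed" if is_authorized(method, token) else "rejected"
        print(f"{method} token={token!r}: weak -> {dispatch_weak(method, token)}, "
              f"hardened -> {verdict}")
```

The containment test works on normalised strings so it runs offline; on a live server the same check should be applied after `os.path.realpath`, otherwise a symlink inside the base directory can still point outside it.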

For more, read here and here.

