On April 30, 2020, two critical security vulnerabilities were identified in the SaltStack open source project (github.com/saltstack/salt). These vulnerabilities are critical and must be patched to avoid a potential takeover of your systems.
This vulnerability has been assigned the highest severity rating, 10.0, according to the Common Vulnerability Scoring System, an open framework for communicating risk. Chef InSpec is extremely effective at inspecting a system, including identifying vulnerable versions of software, so we wrote a quick profile to test your systems. We recommend running this on every Salt Master in your environment to identify vulnerabilities and verify they have been remediated once patches are applied.
It accomplishes this by checking the following:
- Whether your system has any SaltStack packages installed that were released prior to the patched versions, 3000.2 or 2019.2.4.
- If no package is found, but the `salt` command line utility is available in the path of the user running InSpec, we run `salt --version` and check the output of the command for a patched version of Salt.
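The version logic behind those two checks, written out as an added example in plain Ruby (InSpec's own language) so it can be run and tested without InSpec. This is not code from the chef-cft/salt-vulnerabilities profile; the patched thresholds 3000.2 and 2019.2.4 come from the post, while the `salt --version` output format (`salt <version>`), the package version strings and the helper names are assumptions. It generalizes slightly beyond the post by tolerating distribution suffixes such as `-1.el7` on package versions and by treating any release after 3000.2 (e.g. 3001) as patched.

```ruby
# Added example: Salt version assessment mirroring the two checks the post
# describes. Not the profile's own code; thresholds from the post.
PATCHED_3000 = [3000, 2].freeze    # 3000 series: fixed in 3000.2
PATCHED_2019 = [2019, 2, 4].freeze # earlier series: fixed in 2019.2.4

# Parse "3000.2", "2019.2.4" or a package string like "3000.1-1.el7"
# into integer components (leading dotted digits only).
def parse_salt_version(str)
  m = str.to_s.strip.match(/\A(\d+(?:\.\d+)*)/)
  raise ArgumentError, "unrecognised Salt version: #{str.inspect}" unless m
  m[1].split('.').map(&:to_i)
end

# Lexicographic comparison with missing components treated as 0,
# so "3000" compares as "3000.0".
def version_cmp(a, b)
  n = [a.size, b.size].max
  (a + [0] * (n - a.size)) <=> (b + [0] * (n - b.size))
end

# A version is vulnerable if it is below the patched release of its series:
# 3000-and-later releases are compared against 3000.2, older ones
# (2019.2.x, 2018.3.x, ...) against 2019.2.4.
def salt_vulnerable?(version_str)
  v = parse_salt_version(version_str)
  threshold = v[0] >= 3000 ? PATCHED_3000 : PATCHED_2019
  version_cmp(v, threshold) < 0
end

# Pull the version out of `salt --version` output. The "salt <version>"
# format is an assumption; the sample strings below are constructed.
def version_from_salt_cli(output)
  m = output.to_s.match(/\bsalt\s+(\d+(?:\.\d+)*)/i)
  m && m[1]
end

# Assess one host in the same order as the post: installed packages first,
# then fall back to the salt binary's reported version if no package is seen.
# package_versions is an array of [package_name, version_string] pairs.
def assess_host(package_versions: [], salt_cli_output: nil)
  findings = package_versions.map do |pkg, ver|
    { source: "package #{pkg}", version: ver, vulnerable: salt_vulnerable?(ver) }
  end
  if findings.empty? && salt_cli_output
    ver = version_from_salt_cli(salt_cli_output)
    findings << { source: 'salt --version', version: ver,
                  vulnerable: salt_vulnerable?(ver) } if ver
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not taken from a real host.
  assess_host(package_versions: [['salt-master', '3000.1-1.el7']]).each do |f|
    puts "#{f[:source]} #{f[:version]}: #{f[:vulnerable] ? 'VULNERABLE' : 'patched'}"
  end
  assess_host(salt_cli_output: "salt 2019.2.4\n").each do |f|
    puts "#{f[:source]} #{f[:version]}: #{f[:vulnerable] ? 'VULNERABLE' : 'patched'}"
  end
end
```

Inside an InSpec control, `salt_vulnerable?` would be fed the version from the `package` resource (or from `command('salt --version').stdout` when no package is found) and wrapped in a `describe` block; the comparison logic itself is what the profile has to get right, since a naive string comparison would rank "3000.10" below "3000.2".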
The profile is located on GitHub: github.com/chef-cft/salt-vulnerabilities
We'll keep a list of operating systems we've explicitly tested in the repository.
If there's anything Chef can do to help you please don't hesitate to reach out.
Technical Caveats
- If the `salt` command line tool is installed, but not through your operating system's package manager and not in the path of the user running InSpec, we won't find it.
- This is an unlikely scenario. If you're concerned about it, you could expand the profile to search the operating system for the executable and check its version by executing the `salt` binaries you find.
- Searching the entire filesystem for binaries could increase the performance cost of the profile drastically, so it has not been included by default.
How to Use
- Download and install Chef Workstation (downloads.chef.io/chef-workstation/0.17.5). On Windows, you can use Chocolatey: `choco install chef-workstation`.
- Grab the profile from the GitHub repository (github.com/chef-cft/salt-vulnerabilities).
- Ensure you have either SSH keys loaded at ~\.ssh\id_rsa or a user/password for your servers, and then:
- Run `inspec exec {path_to_profile} --target ssh://{user}@{salt_master_url}`
- Review the results.
Example failure (screenshot):
Example pass (screenshot):
The post Chef InSpec Profile for Critical Salt Vulnerabilities appeared first on Chef Blog.