CVE-2023-20898 - Git Providers Vulnerability in Salt Masters: Wrong Environment Read and Cache Directory Name Collision

CVE-2023-20898 is a vulnerability in Salt masters with versions prior to 3005.2 or 3006.2, affecting their Git Providers. It allows the Git Providers to read data from the wrong environment because remotes belonging to different environments end up with the same cache directory base name, with potential consequences of data disclosure, wrongful executions, data corruption, and crashes.

Original References

- CVE-2023-20898 Entry
- SaltStack Security Advisory

Exploit Details

When the Salt master is configured with different environments (e.g., production, staging, testing) and uses Git Providers to distribute files, states, or pillars among those environments, it generates cache directories for each environment. The naming of these cache directories should be unique to avoid data collisions.

However, in Salt master versions 3005.1 or earlier and 3006.1 or earlier, the cache directory names are not unique. Consequently, any process that uses the Git Providers in different environments can access the wrong data, which can lead to unwanted outcomes like wrongful execution, data corruption, crashes, or unauthorized data disclosure.

Here's an illustrative example of the problematic code in Salt versions prior to 3005.2 or 3006.2:

import os

def _init_remote(self, saltenv):
    """
    Initialize a new remote in the provider's cache directory.
    """
    # Vulnerable version: the path is built from the provider's label and id
    # only. `saltenv` is never used, so every environment that references the
    # same remote resolves to the same cache directory.
    cachedir = os.path.join(
        self.opts["cachedir"],
        "git_pillar",
        self.label,
        self.id,
    )
    # Other code ...

In this code, the cachedir variable holds the cache directory's base path. It is built by joining the master's cachedir option, the literal git_pillar, and the label and id of the Git Provider. The saltenv is never included, so two environments that reference the same remote resolve to the same directory; this is the name collision and wrong-environment read described above.
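The following added example (not Salt's own code) models the two ways of deriving the cache path, the vulnerable one that ignores saltenv and a corrected one that folds it in, and runs a collision check over a constructed set of remotes. The names cache_root, label, remote_id and saltenv are assumed stand-ins for the values the snippet above reads from the provider.

```python
import os
from collections import defaultdict

# Added example, not Salt's own code. `label`, `remote_id` and `saltenv`
# are assumed names for the provider's label, id and environment.


def vulnerable_cachedir(cache_root, label, remote_id, saltenv):
    # saltenv is accepted but ignored, exactly the defect described above
    return os.path.join(cache_root, "git_pillar", label, remote_id)


def fixed_cachedir(cache_root, label, remote_id, saltenv):
    # The environment becomes part of the path, so remotes of different
    # environments can no longer share one checkout.
    return os.path.join(cache_root, "git_pillar", label, remote_id, saltenv)


def find_collisions(remotes, cachedir_fn, cache_root="/var/cache/salt/master"):
    """Group configured remotes by the cache path cachedir_fn assigns them.

    remotes: iterable of (saltenv, label, remote_id) tuples.
    Returns {cache_path: [saltenv, ...]} for every path claimed by more than
    one distinct environment, i.e. the collisions that let one environment
    read another's data.
    """
    claims = defaultdict(set)
    for saltenv, label, remote_id in remotes:
        claims[cachedir_fn(cache_root, label, remote_id, saltenv)].add(saltenv)
    return {path: sorted(envs) for path, envs in claims.items() if len(envs) > 1}


# Constructed sample: one pillar repo served to three environments (as a
# master using per-environment branches would be configured) plus a second
# repo used only by base.
SAMPLE_REMOTES = [
    ("base", "pillar", "pillar-repo"),
    ("staging", "pillar", "pillar-repo"),
    ("production", "pillar", "pillar-repo"),
    ("base", "pillar", "other-repo"),
]

if __name__ == "__main__":
    print("vulnerable:", find_collisions(SAMPLE_REMOTES, vulnerable_cachedir))
    print("fixed:     ", find_collisions(SAMPLE_REMOTES, fixed_cachedir))
```

With the vulnerable derivation all three environments map onto one directory for pillar-repo; with saltenv in the path the collision set is empty.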

Solution

Upgrade your Salt master to 3005.2 or later, or 3006.2 or later, so that the cache directory naming issue is resolved and the risk of data collisions and their consequences is mitigated. If upgrading is not possible, consider patching the _init_remote method in the git.py file to include the saltenv value when generating the cache directory base name.

Timeline

Published on: 09/05/2023 11:15:33 UTC
Last modified on: 09/14/2023 03:15:08 UTC