CVE-2023-34049: Salt-SSH Vulnerability Allows Attackers to Execute Unauthorized Scripts on Target VMs using Predictable File Paths
_Main focus: The vulnerability discovered in the Salt-SSH pre-flight option that allows an attacker to execute unauthorized scripts on a target virtual machine._
## Introduction
A recent vulnerability, identified as CVE-2023-34049, has been discovered in the popular remote execution tool, Salt-SSH. This vulnerability allows an attacker to force Salt-SSH to run their script on target virtual machines by using the predictable path to the pre-flight script. In this article, we will provide a detailed overview of the vulnerability, explore how it can be exploited, and discuss potential solutions to mitigate this risk.
## Vulnerability Details
The vulnerability lies in the Salt-SSH pre-flight option, which is designed to improve the reliability of the tool when running multiple commands in parallel on different virtual machines (VMs). When the pre-flight option is activated, Salt-SSH performs initial checks on the VM and then copies the pre-flight script to the target VM at a predictable path. Because that path can be guessed in advance, an attacker can arrange for Salt-SSH to run their own unauthorized script with Salt-SSH's elevated privileges, as outlined below.
Exploitability: An attacker must already have access to the target VM and must know the path of the pre-flight script before Salt-SSH executes it. With that knowledge, the attacker's script is executed with privileged access.
### Attacker's Unauthorized Script

```python
# Attacker's unauthorized script
import os

os.system("whoami")  # Shows which user account executes the unauthorized script
```
### Salt-SSH Pre-flight Procedure

```sh
# Salt-SSH stages the pre-flight script on the target before running it (illustrative path)
scp salt_ssh_pre_flight_script.sh user@target-vm:/predictable/path/to/script.sh
```
### Attacker's Actions
Because the destination path is predictable, an attacker with access to the target VM can place their own unauthorized script at that path in place of the original pre-flight script, so that Salt-SSH executes the attacker's script instead.
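The defensive side of this issue is how the script should be staged on the target: an unguessable name created exclusively, and a re-check of ownership, file type, permissions and content digest immediately before execution. The Python below is an added illustration written for this article, not Salt's own code; the file names and the `demo()` scenario are constructed.

```python
import hashlib
import os
import stat
import tempfile

def stage_script(dest_dir: str, script: bytes) -> str:
    """Write the script to a freshly created, randomly named file.

    mkstemp opens with O_CREAT|O_EXCL and mode 0600, so a file or symlink that
    a local user pre-planted under that name cannot be reused or followed.
    """
    fd, path = tempfile.mkstemp(prefix="pre_flight_", suffix=".sh", dir=dest_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(script)
    return path

def staged_script_is_trusted(path: str, expected_sha256: str) -> bool:
    """Re-check the staged file right before it would be executed."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse symlinks
    except OSError:  # missing, unreadable, or a symlink (ELOOP)
        return False
    with os.fdopen(fd, "rb") as fh:
        st = os.fstat(fh.fileno())  # fstat the open fd: no check-then-open race
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            return False  # not a regular file, or owned by someone else
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False  # group/world writable: could be swapped underneath us
        return hashlib.sha256(fh.read()).hexdigest() == expected_sha256

def demo() -> dict:
    """Constructed scenario (hypothetical paths): which checks reject what."""
    script = b"#!/bin/sh\necho pre-flight checks passed\n"
    want = hashlib.sha256(script).hexdigest()
    workdir = tempfile.mkdtemp(prefix="saltssh_demo_")
    good = stage_script(workdir, script)
    out = {"fresh_file_ok": staged_script_is_trusted(good, want)}
    # A local user plants a symlink at a guessable name, as with the predictable path
    planted = os.path.join(workdir, "predictable_pre_flight.sh")
    os.symlink(good, planted)
    out["planted_symlink_rejected"] = not staged_script_is_trusted(planted, want)
    # Content changed after staging: the digest check catches it
    with open(good, "wb") as fh:
        fh.write(b"#!/bin/sh\necho tampered\n")
    out["tampered_content_rejected"] = not staged_script_is_trusted(good, want)
    return out
```

Running `demo()` returns `True` for all three keys: the freshly staged file passes, while the planted symlink and the modified content are both refused.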
## Timeline
Published on: 11/14/2024 05:15:28 UTC
Last modified on: 11/15/2024 13:58:08 UTC