Chef InSpec Profile for Critical Salt Vulnerabilities

On April 30, 2020, two critical security vulnerabilities were identified in the SaltStack open source project (github.com/saltstack/salt). These vulnerabilities are critical and must be patched to avoid a potential takeover of your systems.

This vulnerability has been assigned the highest severity rating, 10.0, under the Common Vulnerability Scoring System, an open framework for communicating risk. Chef InSpec is extremely effective at inspecting a system, including identifying vulnerable versions of software, so we wrote a quick profile to test your systems. We recommend running it on every Salt Master in your environment to identify vulnerable installations and, once patches are applied, to verify they have been remediated.

It accomplishes this by checking the following:

  • Whether your system has any SaltStack packages installed that were released prior to the patched versions, 3000.2 or 2019.2.4.
  • If no package is seen but the salt command line utility is available in the path of the user running InSpec, we’ll run salt --version and check the command output for a patched version of Salt.
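
To illustrate the version logic those two checks rely on, here is an added plain-Ruby example (it is not code from the chef-cft/salt-vulnerabilities profile, whose controls use the InSpec DSL). It assumes the two patched versions named above and handles both inputs the profile sees: a package-manager version such as "2016.3.0-1.el7" and the output of `salt --version`.

```ruby
require "rubygems" # provides Gem::Version (loaded by default on modern Ruby)

# Patched versions per release branch, as stated in the text above.
PATCHED = {
  "2019.2" => Gem::Version.new("2019.2.4"),
  "3000"   => Gem::Version.new("3000.2"),
}.freeze

# Normalise a version as reported by a package manager ("2016.3.0-1.el7")
# or by `salt --version` ("salt 3000.1 (Neon)") into a Gem::Version.
# Returns nil when no usable version can be parsed.
def salt_version(raw)
  token = raw.to_s.strip.sub(/\Asalt\s+/, "").split(/[\s-]/).first
  return nil if token.nil? || token.empty?
  Gem::Version.new(token)
rescue ArgumentError
  nil
end

# True when the version carries the fix: 2019.2.4+ on the 2019.2 branch,
# 3000.2+ on the 3000 branch, or any later branch (3001 and up).
# Anything older than 2019.2 never received the fix.
def patched?(raw)
  v = salt_version(raw)
  return false if v.nil?
  return false if v < Gem::Version.new("2019.2")
  segs = v.segments
  branch = segs[0] >= 3000 ? segs[0].to_s : segs[0..1].join(".")
  min = PATCHED[branch]
  min.nil? ? true : v >= min # unknown newer branch post-dates the fix
end

# Evaluate installed Salt packages (name => version) the way the profile's
# per-package checks do; returns the names still at a vulnerable version.
def vulnerable_packages(installed)
  installed.reject { |_, ver| patched?(ver) }.keys
end

# Constructed sample (hypothetical host) mirroring the failure output below.
SAMPLE = { "salt-master" => "2016.3.0-1.el7", "salt-minion" => "3000.2-1.el7" }.freeze

puts "vulnerable: #{vulnerable_packages(SAMPLE).inspect}" if $PROGRAM_NAME == __FILE__
```

Note that a flat ">= 3000.2" comparison would wrongly flag a patched 2019.2.4 host, which is why the helper branches on the release series first.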

The profile is located on GitHub: github.com/chef-cft/salt-vulnerabilities

We’ll keep a list of operating systems we’ve explicitly tested in the repository.

If there’s anything Chef can do to help you please don’t hesitate to reach out.

Technical Caveats

  • If salt is installed but not through your operating system’s package manager and not in the path of the user running InSpec, we won’t find it.
  • This is an unlikely scenario. If you’re concerned about it, you could expand the profile to search the operating system for the executable and check its version by executing the salt binaries you find.
  • Searching the entire filesystem for binaries could increase the performance cost of the profile drastically, so it has not been included by default.

How to Use

  1. Download and install Chef Workstation (downloads.chef.io/chef-workstation/0.17.5).
    On Windows, you can use Chocolatey: choco install chef-workstation.
  2. Grab the profile from the GitHub repository (github.com/chef-cft/salt-vulnerabilities).
  3. Ensure you have either SSH keys loaded at ~/.ssh/id_rsa or a username and password for your servers, then:
  4. Run inspec exec {path_to_profile} --target ssh://{user}@{salt_master_url}
  5. Review the results.

Example Failure:

×  Ensure salt is version 2019.2.4 or 3000.2 or newer: Ensure salt is up-to-date (9 failed)
   ✔  System Package salt-api is expected not to be installed
   ✔  System Package salt-cloud is expected not to be installed
   ×  System Package salt-master version is expected to be >= 3000.2
   expected: >= "3000.2"
        got:    "2016.3.0-1.el7"
   ...
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped

Example pass:

✔  Ensure salt is version 2019.2.4 or 3000.2 or newer: Ensure salt is up-to-date
   ✔  System Package salt-api is expected not to be installed
   ✔  System Package salt-cloud is expected not to be installed
   ✔  System Package salt-master version is expected to be >= 3000.2
   ✔  System Package salt-minion version is expected to be >= 3000.2
   ✔  System Package salt-ssh is expected not to be installed
   ✔  System Package salt-syndic is expected not to be installed
   ✔  System Package salt version is expected to be >= 3000.2
   ✔  Command: `salt --version | cut -d ' ' -f2` stdout.strip is expected to be >= 3000.2
   ✔  Command: `salt --version` stdout.strip is expected to be >= 3000.2

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped

Galen Emery

I am Galen, the Lead Compliance and Security Architect for Chef. My professional life has been built upon automating everything I can, and I am responsible for helping security and compliance teams understand how to secure systems within the DevOps model. I currently live in San Diego, CA but am originally from Seattle, WA, with time spent in DC working with the federal government. I have extensive experience in Windows, Cloud Migrations, Chef, Compliance and Security. I hold an active CISSP.

Andrew DuFour

Andrew is a recovering systems engineer/administrator, integrator and video game addict, from Toronto, Ontario. He’s spent the last 10 years automating things in IT in various roles across Military, Government, and private industries. He was a Success Engineer at Chef, helping Chef’s customers solve problems and move faster, safer. When not slinging code he loves a good beer, pizza and hockey.