Built off the open source project Osquery
Description: This query looks for versions of the salt-master package vulnerable to CVE-2020-11651 and CVE-2020-11652 which have CVSS = 10 as remote privileged execution.
What The Data Shows:
Sample output indicating the presence of an rpm package for salt-master which is not currently supported (as of May 8, 2020) and not >= 3000.2 or >= 2019.2.4.
+------------------------------------------------------+
| SALT CVE-2020-11651/11652 |
+------------------------------------------------------+
| Vulnerable - PATCH Immediately: salt-master 2019.2.1 |
+------------------------------------------------------+
SQL:
WITH packages AS (
SELECT name, version FROM rpm_packages WHERE NAME = 'salt-master'
UNION
SELECT name, version FROM deb_packages WHERE NAME = 'salt-master'
)
SELECT CASE WHEN NOT ((
major = 3000
AND minor >= 2
) OR (
major = 2019
AND minor >= 2
AND patch >= 4
))
THEN 'Vulnerable - PATCH Immediately: ' || name || ' ' || version
ELSE NULL
END 'SALT CVE-2020-11651/11652'
FROM (
SELECT name
, version
, cast(split(version, ".", 0) AS int) AS major
, cast(split(version, ".", 1) AS int) AS minor
, cast(split(version, ".", 2) AS int) AS patch
FROM packages
WHERE name = 'salt-master'
);
Tested May 8, 2019. Potential false-positives for back-ported patches.
See also:
https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-116...
https://saltexploit.com/
https://blogs.akamai.com/sitr/2020/05/saltstack-vulnerabilities-actively-exploited-in-the-wild.html
https://github.com/saltstack/salt/issues/57057
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.