The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

query salt-master rpm/deb versions with remote-code-execution vulnerabilities: CVE-2020-11651 and CVE-2020-11652

Description: This query looks for versions of the salt-master package vulnerable to CVE-2020-11651 and CVE-2020-11652 which have CVSS = 10 as remote privileged execution.

What The Data Shows:

Sample output indicating the presence of an rpm package for salt-master which is not currently supported (as of May 8, 2020) and not >= 3000.2 or >= 2019.2.4.

+------------------------------------------------------+
| SALT CVE-2020-11651/11652                            |
+------------------------------------------------------+
| Vulnerable - PATCH Immediately: salt-master 2019.2.1 |
+------------------------------------------------------+

SQL: 

WITH packages AS (
  SELECT name, version FROM rpm_packages WHERE NAME = 'salt-master'
   UNION
  SELECT name, version FROM deb_packages WHERE NAME = 'salt-master'
)
SELECT CASE WHEN NOT ((
  major = 3000
  AND minor >= 2
) OR (
  major = 2019
  AND minor >= 2
  AND patch >= 4
))
  THEN 'Vulnerable - PATCH Immediately: ' || name || ' ' || version
       ELSE NULL
       END 'SALT CVE-2020-11651/11652'
  FROM (
    SELECT name
         , version
         , cast(split(version, ".", 0) AS int) AS major
         , cast(split(version, ".", 1) AS int) AS minor
         , cast(split(version, ".", 2) AS int) AS patch
    FROM packages
   WHERE name = 'salt-master'
);

Tested May 8, 2019. Potential false-positives for back-ported patches.

See also:
https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-116...
https://saltexploit.com/
https://blogs.akamai.com/sitr/2020/05/saltstack-vulnerabilities-actively-exploited-in-the-wild.html
https://github.com/saltstack/salt/issues/57057

 

1 Comment
jnelson
Carbon Black Employee
Status changed to: Approved