Bug 1215157 (CVE-2023-34049)

Summary: VUL-0: CVE-2023-34049: salt: arbitrary code execution via symlink attack
Product: [Novell Products] SUSE Security Incidents Reporter: Paolo Perego <paolo.perego>
Component: IncidentsAssignee: E-Mail List <salt-maintainers>
Status: REOPENED --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, alexander.graul, jgonzalez, marina.latini, meissner, miguel.perez, nadvornik, oholecek, pablo.suarezhernandez, paolo.perego, rosuna, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/377735/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-34049:8.4:(AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Attack scenario

Description Paolo Perego 2023-09-08 09:20:58 UTC 
Created attachment 869378 [details]
Attack scenario

During an internal maintenance activity, a security issue was found. 

Salt uses scp to create "/tmp/preflight.sh" script on the client 
and then executes the script via ssh. The "preflight.sh" name comes from SUMA in our case.

Any user on the client can use symlinks to replace the script and execute arbitrary code.

A successful attack scenario is the following. 
1. The attacker creates "/tmp/preflight.sh" symlink pointing to non-existing file "/tmp/preflight_orig.sh"
2. Salt uses scp to write "/tmp/preflight.sh", which is redirected to "/tmp/preflight_orig.sh" because of the symlink.
3. 3. The attacker monitors the existence of "/tmp/preflight_orig.sh" file in a loop and as soon as it is created, the attacker changes the symlink to point to his own script "/tmp/preflight.sh" -> "/tmp/attack.sh"
4. Salt executes "/tmp/attack.sh" via the symlink, with root privileges.

Attached screenshot demonstrate the exploitability of this vulnerability.

[1] https://github.com/openSUSE/salt/blob/openSUSE/release/3006.0/salt/client/ssh/__init__.py#L1140
Comment 16 Paolo Perego 2023-10-30 08:44:47 UTC 
Lifting embargo since the vulnerability is disclosed: https://saltproject.io/security-announcements/2023-10-27-advisory/
Comment 17 Alexander Graul 2023-10-30 12:24:45 UTC 
Backport to our 3006.0 branch in https://github.com/openSUSE/salt/pull/609

Once that is ready to merge, I'll create SRs in OBS for our devel projects and ping SUMA release engineers
Comment 21 Maintenance Automation 2023-11-09 08:30:06 UTC 
SUSE-SU-2023:4412-1: An update that solves one vulnerability, contains two features and has 23 security fixes can now be installed.

Category: security (moderate)
Bug References: 1204270, 1211047, 1211145, 1211270, 1211912, 1212168, 1212507, 1213132, 1213376, 1213469, 1213680, 1213689, 1214041, 1214121, 1214463, 1214553, 1214746, 1215027, 1215120, 1215157, 1215412, 1215514, 1216411, 1216661
CVE References: CVE-2023-34049
Jira References: MSQA-706, SUMA-111
Sources used:
openSUSE Leap 15.4 (src): release-notes-susemanager-4.3.9-150400.3.90.1, release-notes-susemanager-proxy-4.3.9-150400.3.69.1
SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.9-150400.3.69.1
SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.9-150400.3.69.1
SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.9-150400.3.90.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Maintenance Automation 2023-11-09 08:31:26 UTC 
SUSE-SU-2023:4390-1: An update that solves one vulnerability, contains one feature and has three security fixes can now be installed.

Category: security (important)
Bug References: 1213293, 1213518, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-706
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.112.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.112.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): salt-3006.0-150100.112.1
SUSE CaaS Platform 4.0 (src): salt-3006.0-150100.112.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Maintenance Automation 2023-11-09 08:31:30 UTC 
SUSE-SU-2023:4389-1: An update that solves one vulnerability, contains one feature and has three security fixes can now be installed.

Category: security (important)
Bug References: 1213293, 1213518, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-706
Sources used:
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.113.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): salt-3006.0-150200.113.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.113.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Maintenance Automation 2023-11-09 08:31:33 UTC 
SUSE-SU-2023:4388-1: An update that solves one vulnerability, contains one feature and has three security fixes can now be installed.

Category: security (important)
Bug References: 1213293, 1213518, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-706
Sources used:
openSUSE Leap 15.3 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1
openSUSE Leap Micro 5.3 (src): python-simplejson-3.17.2-150300.3.4.1
openSUSE Leap Micro 5.4 (src): python-simplejson-3.17.2-150300.3.4.1
openSUSE Leap 15.4 (src): python-simplejson-3.17.2-150300.3.4.1
openSUSE Leap 15.5 (src): python-simplejson-3.17.2-150300.3.4.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python-simplejson-3.17.2-150300.3.4.1
SUSE Linux Enterprise Micro 5.3 (src): python-simplejson-3.17.2-150300.3.4.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): python-simplejson-3.17.2-150300.3.4.1
SUSE Linux Enterprise Micro 5.4 (src): python-simplejson-3.17.2-150300.3.4.1
SUSE Linux Enterprise Micro 5.5 (src): python-simplejson-3.17.2-150300.3.4.1
Basesystem Module 15-SP4 (src): python-simplejson-3.17.2-150300.3.4.1
Basesystem Module 15-SP5 (src): python-simplejson-3.17.2-150300.3.4.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1
SUSE Enterprise Storage 7.1 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1
SUSE Linux Enterprise Micro 5.1 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1
SUSE Linux Enterprise Micro 5.2 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Maintenance Automation 2023-11-09 08:31:38 UTC 
SUSE-SU-2023:4387-1: An update that solves one vulnerability, contains one feature and has three security fixes can now be installed.

Category: security (important)
Bug References: 1213293, 1213518, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-706
Sources used:
openSUSE Leap 15.4 (src): salt-3006.0-150400.8.49.2
openSUSE Leap Micro 5.3 (src): salt-3006.0-150400.8.49.2
openSUSE Leap Micro 5.4 (src): salt-3006.0-150400.8.49.2
SUSE Linux Enterprise Micro for Rancher 5.3 (src): salt-3006.0-150400.8.49.2
SUSE Linux Enterprise Micro 5.3 (src): salt-3006.0-150400.8.49.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src): salt-3006.0-150400.8.49.2
SUSE Linux Enterprise Micro 5.4 (src): salt-3006.0-150400.8.49.2
Basesystem Module 15-SP4 (src): salt-3006.0-150400.8.49.2
Server Applications Module 15-SP4 (src): salt-3006.0-150400.8.49.2
Transactional Server Module 15-SP4 (src): salt-3006.0-150400.8.49.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Maintenance Automation 2023-11-09 08:31:42 UTC 
SUSE-SU-2023:4386-1: An update that solves one vulnerability, contains one feature and has three security fixes can now be installed.

Category: security (important)
Bug References: 1213293, 1213518, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-706
Sources used:
openSUSE Leap 15.5 (src): salt-3006.0-150500.4.24.2
SUSE Linux Enterprise Micro 5.5 (src): salt-3006.0-150500.4.24.2
Basesystem Module 15-SP5 (src): salt-3006.0-150500.4.24.2
Server Applications Module 15-SP5 (src): salt-3006.0-150500.4.24.2
Transactional Server Module 15-SP5 (src): salt-3006.0-150500.4.24.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Marcus Meissner 2023-11-09 08:37:31 UTC 
was there ever a CVE assigned?
Comment 28 Raúl Osuna 2023-11-09 08:42:14 UTC 
(In reply to Marcus Meissner from comment #27)
> was there ever a CVE assigned?

CVE-2023-34049 if I'm not mistaken. At least that's what we released in our release notes.
Comment 29 Paolo Perego 2023-11-09 08:45:03 UTC 
(In reply to Raúl Osuna from comment #28)
> (In reply to Marcus Meissner from comment #27)
> > was there ever a CVE assigned?
> 
> CVE-2023-34049 if I'm not mistaken. At least that's what we released in our
> release notes.

That's correct!
Comment 30 Marcus Meissner 2023-11-09 08:53:24 UTC 
tagged approppriately, bug made public
Comment 31 Alexander Graul 2023-11-15 12:10:59 UTC 
Bug is done from maintainer POV, passing back to security team.
Comment 33 Maintenance Automation 2023-12-13 12:36:21 UTC 
SUSE-SU-2023:4757-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed.

Category: security (important)
Bug References: 1213351, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-708
Sources used:
SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (src): venv-salt-minion-3006.0-1.30.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Maintenance Automation 2023-12-13 12:36:23 UTC 
SUSE-SU-2023:4754-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed.

Category: security (important)
Bug References: 1213351, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-708
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 35 Maintenance Automation 2023-12-13 12:36:27 UTC 
SUSE-SU-2023:4753-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed.

Category: security (important)
Bug References: 1213351, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-708
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 36 Maintenance Automation 2023-12-13 12:36:30 UTC 
SUSE-SU-2023:4752-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed.

Category: security (important)
Bug References: 1213351, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-708
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 37 Maintenance Automation 2023-12-13 12:36:34 UTC 
SUSE-SU-202311:15246-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed.

Category: security (important)
Bug References: 1213351, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-708
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 38 Maintenance Automation 2023-12-13 12:36:39 UTC 
SUSE-SU-202311:15245-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed.

Category: security (important)
Bug References: 1213351, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-708
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 39 Maintenance Automation 2023-12-13 12:36:42 UTC 
SUSE-SU-2023:4749-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed.

Category: security (important)
Bug References: 1213351, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-708
Sources used:
SUSE Manager Client Tools for SLE 15 (src): venv-salt-minion-3006.0-150000.3.48.2
SUSE Manager Client Tools for SLE Micro 5 (src): venv-salt-minion-3006.0-150000.3.48.2
SUSE Manager Proxy 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.48.2
SUSE Manager Server 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.48.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 40 Maintenance Automation 2023-12-13 12:36:45 UTC 
SUSE-SU-2023:4748-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed.

Category: security (important)
Bug References: 1213351, 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-708
Sources used:
SUSE Manager Client Tools for SLE 12 (src): venv-salt-minion-3006.0-3.46.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 41 Maintenance Automation 2023-12-13 12:36:52 UTC 
SUSE-SU-2023:4742-1: An update that solves one vulnerability, contains one feature and has one security fix can now be installed.

Category: security (important)
Bug References: 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-708
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 42 Maintenance Automation 2023-12-13 12:36:56 UTC 
SUSE-SU-202311:15242-1: An update that solves one vulnerability, contains one feature and has one security fix can now be installed.

Category: security (important)
Bug References: 1214477, 1215157
CVE References: CVE-2023-34049
Jira References: MSQA-708
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 43 Paolo Perego 2023-12-13 13:09:04 UTC 
Fixed