Bugzilla – Bug 1215157
VUL-0: CVE-2023-34049: salt: arbitrary code execution via symlink attack
Last modified: 2024-06-18 12:03:51 UTC
Created attachment 869378: Attack scenario

During an internal maintenance activity, a security issue was found. Salt uses scp to create "/tmp/preflight.sh" script on the client and then executes the script via ssh. The "preflight.sh" name comes from SUMA in our case. Any user on the client can use symlinks to replace the script and execute arbitrary code.

A successful attack scenario is the following.

1. The attacker creates "/tmp/preflight.sh" symlink pointing to non-existing file "/tmp/preflight_orig.sh"
2. Salt uses scp to write "/tmp/preflight.sh", which is redirected to "/tmp/preflight_orig.sh" because of the symlink.
3. The attacker monitors the existence of "/tmp/preflight_orig.sh" file in a loop and as soon as it is created, the attacker changes the symlink to point to his own script "/tmp/preflight.sh" -> "/tmp/attack.sh"
4. Salt executes "/tmp/attack.sh" via the symlink, with root privileges.

Attached screenshot demonstrates the exploitability of this vulnerability.

[1] https://github.com/openSUSE/salt/blob/openSUSE/release/3006.0/salt/client/ssh/__init__.py#L1140
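The weakness reported above comes from writing a script to a predictable name in a world-writable directory. The following Python is an added example, not part of the original report and not the fix Salt shipped: it uses a constructed temporary directory as a stand-in for /tmp and hypothetical helper names to contrast the predictable-path write with exclusive creation and a private per-run directory.

```python
import os
import stat
import tempfile

PAYLOAD = b"#!/bin/sh\necho preflight\n"  # constructed sample script

def write_predictable(path, data):
    # Weak pattern: a plain open() follows whatever symlink sits at `path`.
    with open(path, "wb") as fh:
        fh.write(data)

def write_exclusive(path, data):
    # O_EXCL fails if anything, even a dangling symlink, already exists at
    # `path`; O_NOFOLLOW refuses a symlink in the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags, 0o700), "wb") as fh:
        fh.write(data)

def write_private(parent, data, name="preflight.sh"):
    # mkdtemp() creates a randomly named directory with mode 0700, so other
    # local users can neither pre-plant nor swap entries inside it.
    workdir = tempfile.mkdtemp(prefix="preflight-", dir=parent)
    path = os.path.join(workdir, name)
    write_exclusive(path, data)
    return path

def demo():
    with tempfile.TemporaryDirectory() as shared:  # stands in for /tmp
        script = os.path.join(shared, "preflight.sh")
        redirected = os.path.join(shared, "preflight_orig.sh")
        os.symlink(redirected, script)  # pre-planted dangling symlink

        write_predictable(script, PAYLOAD)
        followed = os.path.islink(script) and os.path.isfile(redirected)

        os.unlink(redirected)  # reset: symlink is dangling again
        try:
            write_exclusive(script, PAYLOAD)
            refused = False
        except OSError:  # EEXIST (or ELOOP) instead of a redirected write
            refused = True

        private = write_private(shared, PAYLOAD)
        dir_mode = stat.S_IMODE(os.stat(os.path.dirname(private)).st_mode)
        return {"followed_symlink": followed, "exclusive_refused": refused,
                "private_dir_mode": oct(dir_mode),
                "private_is_regular_file": not os.path.islink(private)}

if __name__ == "__main__":
    print(demo())
```

The same two properties (exclusive creation, and a directory only the executing user can write to) are what to look for when reviewing any tool that stages a script on a remote host before running it as root.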
Lifting embargo since the vulnerability is disclosed: https://saltproject.io/security-announcements/2023-10-27-advisory/
Backport to our 3006.0 branch in https://github.com/openSUSE/salt/pull/609

Once that is ready to merge, I'll create SRs in OBS for our devel projects and ping SUMA release engineers
SUSE-SU-2023:4412-1: An update that solves one vulnerability, contains two features and has 23 security fixes can now be installed. Category: security (moderate) Bug References: 1204270, 1211047, 1211145, 1211270, 1211912, 1212168, 1212507, 1213132, 1213376, 1213469, 1213680, 1213689, 1214041, 1214121, 1214463, 1214553, 1214746, 1215027, 1215120, 1215157, 1215412, 1215514, 1216411, 1216661 CVE References: CVE-2023-34049 Jira References: MSQA-706, SUMA-111 Sources used: openSUSE Leap 15.4 (src): release-notes-susemanager-4.3.9-150400.3.90.1, release-notes-susemanager-proxy-4.3.9-150400.3.69.1 SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.9-150400.3.69.1 SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.9-150400.3.69.1 SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.9-150400.3.90.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4390-1: An update that solves one vulnerability, contains one feature and has three security fixes can now be installed. Category: security (important) Bug References: 1213293, 1213518, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-706 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.112.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.112.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): salt-3006.0-150100.112.1 SUSE CaaS Platform 4.0 (src): salt-3006.0-150100.112.1
SUSE-SU-2023:4389-1: An update that solves one vulnerability, contains one feature and has three security fixes can now be installed. Category: security (important) Bug References: 1213293, 1213518, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-706 Sources used: SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.113.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): salt-3006.0-150200.113.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.113.1
SUSE-SU-2023:4388-1: An update that solves one vulnerability, contains one feature and has three security fixes can now be installed. Category: security (important) Bug References: 1213293, 1213518, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-706 Sources used: openSUSE Leap 15.3 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1 openSUSE Leap Micro 5.3 (src): python-simplejson-3.17.2-150300.3.4.1 openSUSE Leap Micro 5.4 (src): python-simplejson-3.17.2-150300.3.4.1 openSUSE Leap 15.4 (src): python-simplejson-3.17.2-150300.3.4.1 openSUSE Leap 15.5 (src): python-simplejson-3.17.2-150300.3.4.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): python-simplejson-3.17.2-150300.3.4.1 SUSE Linux Enterprise Micro 5.3 (src): python-simplejson-3.17.2-150300.3.4.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): python-simplejson-3.17.2-150300.3.4.1 SUSE Linux Enterprise Micro 5.4 (src): python-simplejson-3.17.2-150300.3.4.1 SUSE Linux Enterprise Micro 5.5 (src): python-simplejson-3.17.2-150300.3.4.1 Basesystem Module 15-SP4 (src): python-simplejson-3.17.2-150300.3.4.1 Basesystem Module 15-SP5 (src): python-simplejson-3.17.2-150300.3.4.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1 SUSE Enterprise Storage 7.1 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1 SUSE Linux Enterprise Micro 5.1 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1 SUSE Linux Enterprise Micro 5.2 (src): salt-3006.0-150300.53.65.2, 
python-simplejson-3.17.2-150300.3.4.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): salt-3006.0-150300.53.65.2, python-simplejson-3.17.2-150300.3.4.1
SUSE-SU-2023:4387-1: An update that solves one vulnerability, contains one feature and has three security fixes can now be installed. Category: security (important) Bug References: 1213293, 1213518, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-706 Sources used: openSUSE Leap 15.4 (src): salt-3006.0-150400.8.49.2 openSUSE Leap Micro 5.3 (src): salt-3006.0-150400.8.49.2 openSUSE Leap Micro 5.4 (src): salt-3006.0-150400.8.49.2 SUSE Linux Enterprise Micro for Rancher 5.3 (src): salt-3006.0-150400.8.49.2 SUSE Linux Enterprise Micro 5.3 (src): salt-3006.0-150400.8.49.2 SUSE Linux Enterprise Micro for Rancher 5.4 (src): salt-3006.0-150400.8.49.2 SUSE Linux Enterprise Micro 5.4 (src): salt-3006.0-150400.8.49.2 Basesystem Module 15-SP4 (src): salt-3006.0-150400.8.49.2 Server Applications Module 15-SP4 (src): salt-3006.0-150400.8.49.2 Transactional Server Module 15-SP4 (src): salt-3006.0-150400.8.49.2
SUSE-SU-2023:4386-1: An update that solves one vulnerability, contains one feature and has three security fixes can now be installed. Category: security (important) Bug References: 1213293, 1213518, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-706 Sources used: openSUSE Leap 15.5 (src): salt-3006.0-150500.4.24.2 SUSE Linux Enterprise Micro 5.5 (src): salt-3006.0-150500.4.24.2 Basesystem Module 15-SP5 (src): salt-3006.0-150500.4.24.2 Server Applications Module 15-SP5 (src): salt-3006.0-150500.4.24.2 Transactional Server Module 15-SP5 (src): salt-3006.0-150500.4.24.2
was there ever a CVE assigned?
(In reply to Marcus Meissner from comment #27)
> was there ever a CVE assigned?

CVE-2023-34049 if I'm not mistaken. At least that's what we released in our release notes.
(In reply to Raúl Osuna from comment #28)
> (In reply to Marcus Meissner from comment #27)
> > was there ever a CVE assigned?
>
> CVE-2023-34049 if I'm not mistaken. At least that's what we released in our
> release notes.

That's correct!
tagged appropriately, bug made public
Bug is done from maintainer POV, passing back to security team.
SUSE-SU-2023:4757-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed. Category: security (important) Bug References: 1213351, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-708 Sources used: SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (src): venv-salt-minion-3006.0-1.30.3
SUSE-SU-2023:4754-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed. Category: security (important) Bug References: 1213351, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-708 Sources used:
SUSE-SU-2023:4753-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed. Category: security (important) Bug References: 1213351, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-708 Sources used:
SUSE-SU-2023:4752-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed. Category: security (important) Bug References: 1213351, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-708 Sources used:
SUSE-SU-202311:15246-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed. Category: security (important) Bug References: 1213351, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-708 Sources used:
SUSE-SU-202311:15245-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed. Category: security (important) Bug References: 1213351, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-708 Sources used:
SUSE-SU-2023:4749-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed. Category: security (important) Bug References: 1213351, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-708 Sources used: SUSE Manager Client Tools for SLE 15 (src): venv-salt-minion-3006.0-150000.3.48.2 SUSE Manager Client Tools for SLE Micro 5 (src): venv-salt-minion-3006.0-150000.3.48.2 SUSE Manager Proxy 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.48.2 SUSE Manager Server 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.48.2
SUSE-SU-2023:4748-1: An update that solves one vulnerability, contains one feature and has two security fixes can now be installed. Category: security (important) Bug References: 1213351, 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-708 Sources used: SUSE Manager Client Tools for SLE 12 (src): venv-salt-minion-3006.0-3.46.2
SUSE-SU-2023:4742-1: An update that solves one vulnerability, contains one feature and has one security fix can now be installed. Category: security (important) Bug References: 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-708 Sources used:
SUSE-SU-202311:15242-1: An update that solves one vulnerability, contains one feature and has one security fix can now be installed. Category: security (important) Bug References: 1214477, 1215157 CVE References: CVE-2023-34049 Jira References: MSQA-708 Sources used:
Fixed