Safety vulnerability ID: 41925
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Salt 3002.7 includes a fix for CVE-2021-31607: In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
https://sec.stealthcopter.com/saltstack-snapper-minion-privledge-escaltion/
Latest version: 3007.1
Portable, distributed, remote execution and configuration management system
Version 3001.8 is a bug fix release for :ref:`3001 <release-3001>`.
Fixed
-----
- Verify the owner of an existing config before trusting it during install. If the owner cannot be verified, back it up and use defaults. (CVE-2021-22004)
Security
--------
- Fix the CVE-2021-31607 vulnerability. Additionally, an audit was performed and a tool, ``bandit``, was put in place
  to find similar issues throughout the code base and prevent new ones. (CVE-2021-31607)
- Ensure that a sourced file is cached using its hash name (CVE-2021-21996)
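The CVE-2021-31607 entry describes a pathname reaching ``popen`` unsafely, and the notes say a ``bandit`` audit was added to catch such patterns. The following is an added example, not Salt's or bandit's own code: a minimal AST check in the same spirit that flags ``subprocess`` calls passing ``shell=True`` with a command that is not a string literal. The function names and the sample source are constructed for illustration.

```python
import ast

# Added example, not Salt's or bandit's code: flag subprocess calls that run a
# non-literal command through a shell, the pattern behind a command injection.
SUBPROCESS_FUNCS = {"Popen", "run", "call", "check_call", "check_output"}

# Constructed sample source: the first function interpolates pathnames into a
# shell command string; the second passes an argument vector and no shell.
SAMPLE_SOURCE = '''
import subprocess

def diff_unsafe(path_a, path_b):
    cmd = "diff %s %s" % (path_a, path_b)
    return subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).communicate()[0]

def diff_safe(path_a, path_b):
    return subprocess.run(["diff", "--", path_a, path_b], capture_output=True).stdout
'''


def _is_subprocess_call(node: ast.Call) -> bool:
    func = node.func  # true only for calls written as subprocess.<func>(...)
    return (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess" and func.attr in SUBPROCESS_FUNCS)


def _has_shell_true(node: ast.Call) -> bool:
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def find_shell_injection_sinks(source: str) -> list:
    """Return (lineno, func) for subprocess calls with shell=True whose command
    argument is not a string literal, i.e. may carry runtime data into a shell."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_subprocess_call(node)
                and _has_shell_true(node) and node.args):
            continue
        cmd = node.args[0]
        if isinstance(cmd, ast.Constant) and isinstance(cmd.value, str):
            continue  # fixed command string: no runtime data reaches the shell
        findings.append((node.lineno, node.func.attr))
    return findings


if __name__ == "__main__":
    for lineno, func in find_shell_injection_sinks(SAMPLE_SOURCE):
        print(f"line {lineno}: subprocess.{func} called with shell=True and a non-literal command")
```

Run against the constructed sample, only ``diff_unsafe`` is reported; ``diff_safe`` passes an argument vector without a shell, so there is nothing to flag.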