Six servers that Cisco uses to provide a virtual networking service were compromised by hackers who exploited critical flaws in the open source software the service relies on, the company said Thursday.
Do you have any updates?
The May 7 compromise hit six Cisco servers that provide backend connectivity to the Virtual Edition of the Virtual Internet Routing Lab (VIRL-PE), a Cisco service that allows customers to design and test network topologies without having to deploy actual devices. Both VIRL-PE and an associated service, Cisco Modeling Labs Corporate Edition, incorporate the Salt management framework, which contained two bugs that were critical when combined. The vulnerabilities were made public on April 30.
Cisco provisioned the vulnerable servers on May 7th, and they were compromised the same day. Cisco also removed and fixed them on May 7th. The servers were:
According to Cisco, VIRL-PE or CML products deployed in standalone or cluster configurations remain vulnerable to the same kind of compromise until they are updated. The company released software updates for the two vulnerable products. Cisco rated the severity of the vulnerability as 10 out of 10 on the CVSS scale.
The Salt vulnerabilities are CVE-2020-1165, an authentication bypass, and CVE-2020-11652, a directory traversal. Together they allow unauthorized access to the entire file system of the Salt master server that services using Salt rely on. F-Secure, the company that discovered the vulnerabilities, has a good description here.
Join the club
Cisco and its customers are just a small sample of those who have been bitten by the Salt bugs in the past few weeks. Earlier this month, the blogging platform Ghost reported that hackers had exploited the bug to infect servers in its private network with currency-mining malware.
Other organizations that have also been affected include DigiCert, LineageOS and Xen Orchestra.
The series of attacks on such a diverse list of targets underscores how interconnected today's Internet services are. The effects of a critical vulnerability in one component can often spread quickly. Anyone using Salt-based software or services, whether from Cisco or otherwise, should ensure that they are updated.