Cisco servers breached through SaltStack vulnerabilities

Threat actors exploited critical SaltStack flaws, which were disclosed and patched last month, in a Cisco product to breach several of the networking company's salt-master servers.

Cisco revealed threat actors had compromised several of its servers by exploiting two previously disclosed SaltStack vulnerabilities.

The networking giant published a security advisory Thursday regarding two products -- Cisco Modeling Labs (CML) Corporate Edition and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) -- that were affected by the critical SaltStack FrameWork vulnerabilities disclosed last month. The advisory contained patches for both products, but it also noted that six salt-master servers were compromised by threat actors who exploited the SaltStack flaws in Cisco VIRL-PE.

"Cisco identified that the Cisco-maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised. The servers were remediated on May 7, 2020," the advisory said.

Those servers are the following:

  • us-1.virl.info
  • us-2.virl.info
  • us-3.virl.info
  • us-4.virl.info
  • vsm-us-1.virl.info
  • vsm-us-2.virl.info

A Cisco spokesperson told SearchSecurity: "At this time, we have no evidence of customer data exposure related to this vulnerability."

The two SaltStack flaws -- CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal vulnerability -- were fixed in version 3000.2 of the framework, which was released on April 29. The vulnerabilities, which were discovered by researchers at F-Secure, were disclosed the following day.

Cisco said it updated its salt-master servers on May 7. However, CML and VIRL-PE, which use a version of SaltStack that runs the salt-master service affected by the two vulnerabilities, were not patched and were left exposed. When asked why these patches came weeks later, the Cisco spokesperson offered the following response:

The Cisco-hosted servers were patched on May 7. For Cisco CML and VIRL-PE deployments, customers download software that contains SaltStack. Cisco PSIRT [Product Security Incident Response Team] became aware of attempted exploitation of these vulnerabilities the week of May 18. We made fixed software available and issued the security advisory on May 28 to inform our customers and provide mitigation instructions so they can take appropriate action. We ask our customers to please review the advisory for complete detail.

Dig Deeper on Data security and privacy