Cisco servers breached through SaltStack vulnerabilities

Cisco discovered that threat actors had compromised several of its servers by exploiting two previously disclosed SaltStack vulnerabilities.

The networking giant posted a security advisory Thursday regarding two products — Cisco Modeling Labs (CML) Corporate Edition and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) — that were affected by the critical SaltStack framework vulnerabilities disclosed last month. The advisory included patches for both products, but it also noted that six salt-master servers were compromised by threat actors who exploited the SaltStack flaws in Cisco VIRL-PE.

“Cisco recognized that the Cisco-managed salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 have been compromised. The servers were remediated on May 7, 2020,” the advisory said.

Those servers are the following:

  • us-1.virl.info
  • us-2.virl.info
  • us-3.virl.info
  • us-4.virl.info
  • vsm-us-1.virl.info
  • vsm-us-2.virl.info

A Cisco spokesperson told SearchSecurity: “At this time, we have no proof of customer information exposure related to this vulnerability.”

The two SaltStack flaws — CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal vulnerability — were fixed in version 3000.2 of the framework, which was released on April 29. The vulnerabilities, which were discovered by researchers at F-Secure, were disclosed the following day.

Cisco said it updated its salt-master servers on May 7. However, CML and VIRL-PE, which use a version of SaltStack that runs the salt-master service affected by the two vulnerabilities, were not patched and were left exposed. When asked why these patches arrived months later, the Cisco spokesperson provided the following response:

The Cisco-hosted servers were patched on May 7. For Cisco CML and VIRL-PE deployments, customers download software that contains SaltStack. Cisco PSIRT [Product Security Incident Response Team] became aware of attempted exploitation of these vulnerabilities the week of May 18. We made fixed software available and issued the security advisory on May 28 to notify our customers and provide mitigation instructions so they can take appropriate action. We ask our customers to please review the advisory for complete detail.