Cyber attackers have taken advantage of flaws in the open-source SaltStack management framework that Cisco uses in its network-tooling products. The vulnerable salt-master service currently runs on two Cisco products: Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE). The former gives users a virtual sandbox environment in which to design and configure network topologies, while the latter is for designing, configuring, and operating networks using versions of Cisco's network operating systems.
The flaws in the latter made room for exploitation by the attackers, which resulted in the compromise of six VIRL-PE backend servers: us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, us-5.virl.info, and us-6.virl.info.
If either of the above products has its salt-master service enabled, exploitability depends on how the product has been deployed.
A full list of the impact and recommended action for each deployment option and each Cisco software release can be found in Cisco's alert.
F-Secure researchers predicted an imminent attack when they discovered the flaw, after the release of patches by SaltStack. SaltStack released patches for the flaw in release 3000.2 on April 30. However, a preliminary scan revealed more than 6,000 potentially vulnerable Salt instances exposed to the public.
The predictions appear to be coming true, as a series of attacks has begun. For instance, at the beginning of May, attackers launched a crypto-jacking attack using the Ghost publishing platform's servers, exploiting the SaltStack vulnerabilities in the infrastructure used by the platform, which led to widespread outages.
According to Cisco’s Thursday alert, “Cisco infrastructure maintains the salt-master servers used with Cisco VIRL-PE. The upgrade of the servers was on May 7, 2020. Cisco identified that the Cisco-maintained salt-master servers which are servicing Cisco VIRL-PE release 1.2 and 1.3 were compromised.”
Cisco also said that "to be exploited, the salt-master service must be reachable on TCP ports 4505 and 4506." The company added that administrators can check their configured Cisco salt-master server by navigating to VIRL Server > Salt Configuration and Status.
Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate these vulnerabilities.
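The two checks the article points at (whether the salt-master ports 4505 and 4506 are reachable beyond the local host, and whether the installed Salt is below the 3000.2 release that carried the fix) can be scripted. The following is an added example, not Cisco's or SaltStack's own code; the `ss -tln` sample is constructed, and treating every version below 3000.2 as needing review is an assumption that follows the article rather than SaltStack's per-branch fix list.

```python
import re
from typing import List, Tuple

# Facts from the article: salt-master listens on TCP 4505 (publish) and
# 4506 (request), and SaltStack shipped the fix in release 3000.2.
SALT_PORTS = {4505: "publish", 4506: "request"}
FIXED_RELEASE = (3000, 2)  # assumption: anything lower is flagged for review
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample in the style of `ss -tln`; not a real capture.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:4505       0.0.0.0:*
LISTEN 0      128    0.0.0.0:4506       0.0.0.0:*
LISTEN 0      128    127.0.0.1:8000     0.0.0.0:*
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def exposed_salt_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) pairs where a salt-master port is bound to a
    wildcard address, i.e. reachable from every interface, not just loopback."""
    found = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port in SALT_PORTS and addr in WILDCARD_ADDRS:
            found.append((addr, port))
    return found


def parse_salt_version(version_line: str) -> Tuple[int, ...]:
    """Turn 'salt 3000.1' or '2019.2.3' into a tuple that compares numerically."""
    m = re.search(r"(\d+(?:\.\d+)*)", version_line)
    if not m:
        raise ValueError(f"no version number in {version_line!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_below_fixed_release(version_line: str) -> bool:
    return parse_salt_version(version_line) < FIXED_RELEASE


def audit(ss_output: str, version_line: str) -> List[str]:
    """Combine both checks into human-readable findings for an operator."""
    findings = []
    for addr, port in exposed_salt_listeners(ss_output):
        findings.append(f"salt-master {SALT_PORTS[port]} port {port} bound to {addr}:"
                        " restrict it to the minion network with a firewall rule")
    if is_below_fixed_release(version_line):
        findings.append(f"{version_line.strip()} is below 3000.2: upgrade")
    return findings
```

Run `audit(open_ss_output, salt_version_line)` with real `ss -tln` and `salt --version` output from the master; an empty list means neither condition the article describes was observed.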