The cyber attackers have exploited the critical vulnerabilities in the SaltStack which is an open-source framework.

This is mainly used for the implementation of data center systems and it’s automatic services.

From Cisco, it was also mentioned that the Cisco Modeling Labs Corporate Edition (CML) is also vulnerable to attacks that is because it has the same version of Saltstack and that helps to run the vulnerable Salt Master installation.

The information we gather is “CML basically used by the user to simulate Cisco Devices and third-party devices. The VIRAL-PE that helps users to create infra and test the virtual networks in a development and test the environment easily.”

Cisco Product Vulnerable 

There is mainly two product which is affected by the vulnerabilities :

• Cisco Virtual Internet Routing Lab Personal Edition(VIRl-PE)
• Cisco Modeling Labs Corporate Edition (CML)

The main Server Compromised

From the report of the company the Attacker can manage to compromise six infrastructure to take control :

• us-1.virl.info
• us-2.virl.info
• us-3.virl.info
• us-4.virl.info
• vsm-us-1.virl.info
• vsm-us-2.virl.info

We Got an image from the news that shows a device where the salt-master service is enabled :

Where Cisco lacks in security :

The vulnerabilities that can bypass the authentication as CVE-2020-11651 and a directory traversal that is identified as CVE-2020-11652.

The above two is the flaws can allow the attackers to gain the authority to access the entire file system of the servers that are configured in SaltStack,

CVE-2020-11651: Bypass authentication Vulnerable
CVE-2020-11652: Traversal Directory Vulnerable 

On May 7, 2020, Cisco updated the compromised server and check all the vulnerabilities which can be fixed by the patch like the authentication bypass vulnerabilities(CVE-2020-11651) and the directory traversal vulnerabilities (CVE-2020-11652) that mainly affect the Saltstack severs.

After that Cisco released two essential updates for the VIRL-PE services and that was related to the product Cisco Modeling Labs Corporate Edition. The Security experts claimed that the security flaws on any version of services before the updates.

The SaltStack we mainly meant to observe and help to update the servers with their automatic process with the help of a remote execution engine it also allows us to run commands on multiple systems by utilizing the master node that applies changes to target the servers.

Cisco is not only companies that are attacked by cybercriminals by using these vulnerable, but earlier the attackers have also attacked other popular companies as well using the security flaws.

The post Cisco server hacked by exploiting SaltStack Vulnerabilities. appeared first on Vednam.