CVE-2020-17490 Overview
CVE-2020-17490 is an insecure permissions vulnerability affecting the TLS module within SaltStack Salt through version 3002. The vulnerability occurs when the TLS module creates certificates with weak file permissions, potentially allowing unauthorized local users to read sensitive cryptographic materials. This weakness could enable attackers with local access to compromise the confidentiality of TLS certificates and private keys used by Salt infrastructure.
Critical Impact
Local attackers can potentially access TLS certificates and private keys due to overly permissive file permissions, compromising the confidentiality of Salt's secure communications infrastructure.
Affected Products
- SaltStack Salt through version 3002
- SaltStack Salt version 3001
- Debian Linux 9.0 and 10.0
Discovery Timeline
- November 3, 2020 - SaltStack publicly disclosed CVE-2020-17490
- November 6, 2020 - CVE-2020-17490 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-17490
Vulnerability Analysis
This vulnerability is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). The TLS module in SaltStack Salt fails to properly restrict file permissions when creating TLS certificates. This insecure default configuration allows local users who should not have access to read sensitive certificate files, including private keys that are essential for securing Salt master-minion communications.
The attack vector is local, meaning an attacker needs some level of access to the system where Salt is running. Once they have local access, they can read the improperly protected certificate files without requiring elevated privileges. This could lead to the theft of private keys, enabling man-in-the-middle attacks or impersonation of Salt masters or minions.
Root Cause
The root cause of CVE-2020-17490 is improper file permission handling within the SaltStack Salt TLS module. When generating TLS certificates, the module does not apply sufficiently restrictive permissions to the created files. Instead of limiting access to only the Salt service account or root user, the certificates are created with permissions that allow broader read access, violating the principle of least privilege.
Attack Vector
The vulnerability requires local access to exploit. An attacker with a low-privileged user account on a system running SaltStack Salt can navigate to the directory where TLS certificates are stored and read the certificate files and associated private keys. This information could then be used to:
- Decrypt intercepted Salt communications
- Impersonate Salt masters or minions
- Conduct man-in-the-middle attacks against Salt infrastructure
- Pivot to additional systems managed by the compromised Salt deployment
The TLS module creates certificate files without properly setting restrictive permissions. When certificates are generated, they may be readable by users other than the Salt service account, exposing private key material to unauthorized access. For detailed technical information, refer to the SaltStack CVE Disclosure Blog.
Detection Methods for CVE-2020-17490
Indicators of Compromise
- Unexpected access to Salt TLS certificate directories by non-root or non-service accounts
- File permission audits showing world-readable or group-readable private key files in Salt's PKI directories
- Log entries indicating certificate file access by unauthorized users
- Anomalous authentication patterns in Salt master-minion communications
Detection Strategies
- Implement file integrity monitoring on Salt's TLS certificate directories to detect unauthorized access
- Configure auditd or similar tools to log access attempts to certificate files
- Monitor system logs for permission-related warnings from the Salt TLS module
- Deploy SentinelOne's Singularity Platform to detect suspicious file access patterns and potential credential theft attempts
Monitoring Recommendations
- Enable verbose logging for Salt master and minion services to capture certificate-related operations
- Set up alerts for file permission changes in /etc/salt/pki/ and related directories
- Monitor for unusual local user activity on systems running Salt infrastructure
- Implement regular permission audits using automated scanning tools
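The permission audit recommended above, as an added example written for this page (it is not Salt's own code or the fixed tls module): it flags PEM private keys under a PKI tree that carry any group/other mode bits or an unexpected owner, and shows the umask-independent way to create a key file that is 0600 from the moment it exists. The base directory, the allowed owner list and the sample files are assumptions.

```python
import os
import pwd
import stat
from pathlib import Path

# Constructed example, not Salt's own code; the marker matches both PEM key header styles.
PEM_KEY_MARKER = b"PRIVATE KEY"

def owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry (e.g. inside a container)
        return str(uid)

def is_private_key(path):
    """True if the file starts with a PEM private-key header."""
    try:
        with open(path, "rb") as fh:
            return PEM_KEY_MARKER in fh.read(64)
    except OSError:  # unreadable or vanished: nothing to audit
        return False

def audit_private_keys(base_dir, allowed_owners=("root", "salt")):
    """List (path, mode, owner, reasons) for private keys under base_dir that
    are group/world accessible or not owned by an allowed account (CWE-732)."""
    findings = []
    for path in sorted(Path(base_dir).rglob("*")):
        if not path.is_file() or not is_private_key(path):
            continue
        st = path.stat()
        mode, owner = stat.S_IMODE(st.st_mode), owner_name(st.st_uid)
        reasons = []
        if mode & 0o077:  # any group/other bit is too permissive for a key
            reasons.append("group/other access bits set")
        if owner not in allowed_owners:
            reasons.append("unexpected owner")
        if reasons:
            findings.append((str(path), oct(mode), owner, reasons))
    return findings

def write_private_key(path, pem_bytes):
    """Create a key file that is 0600 from the moment it exists: the umask can only
    clear bits from the creation mode, fchmod pins it, and no readable window is left."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, pem_bytes)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)
```

Point audit_private_keys at the PKI directory your deployment actually uses and run it from a scheduled job; a non-empty result is the condition the detection bullets above describe.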
How to Mitigate CVE-2020-17490
Immediate Actions Required
- Upgrade SaltStack Salt to a patched version that addresses CVE-2020-17490
- Audit existing TLS certificate file permissions and manually correct any overly permissive settings
- Regenerate TLS certificates after applying the patch to ensure new certificates have proper permissions
- Review local user accounts on Salt infrastructure systems and remove unnecessary access
Patch Information
SaltStack has released patched versions to address this vulnerability. Organizations should upgrade to the latest stable release of SaltStack Salt. Consult the SaltStack Release Notes for specific version information and upgrade instructions.
For Debian-based systems, refer to Debian Security Advisory DSA-4837 and the Debian LTS Security Notice for distribution-specific patches.
Workarounds
- Manually set restrictive permissions (e.g., chmod 600) on existing TLS certificate and private key files
- Ensure certificate files are owned by the Salt service account (typically root:root or salt:salt)
- Restrict access to Salt PKI directories using filesystem ACLs if granular control is needed
- Consider using SELinux or AppArmor policies to limit certificate file access to Salt processes only
# Shell example: fix permissions on Salt TLS certificate and key files
# (the *.pem glob covers the key files in each directory; extend it if your
# deployment stores certificates under other names)
chmod 600 /etc/salt/pki/master/*.pem
chmod 600 /etc/salt/pki/minion/*.pem
# Use salt:salt instead of root:root if the services run as the salt user
chown root:root /etc/salt/pki/master/*.pem
chown root:root /etc/salt/pki/minion/*.pem
# Verify that mode and ownership are now as expected
ls -la /etc/salt/pki/master/
ls -la /etc/salt/pki/minion/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.