Critical SaltStack Vulnerability Patching
5 days in: Are people actually patching? A Censys Update
Last week, SaltStack announced two critical vulnerabilities, CVE-2020-11651 (an authentication bypass in the Salt master's request server) and CVE-2020-11652 (a directory traversal). Together they let an unauthenticated attacker who can reach the master's request port (TCP 4506 by default) bypass both authentication and authorization controls and effectively take over anything the master manages: cloud infrastructure, servers, databases, and in some cases even user endpoints like laptops, since the master can run commands as root on every minion. SaltStack shipped fixed releases, 2019.2.4 and 3000.2, alongside the advisory.
The Censys team leapt into action, and on May 1 we found 5,841 likely vulnerable Salt masters with their ports exposed to the Internet. We checked again today, May 6, and found just 3,722 exposed Salt servers, a 36% reduction in just 5 days.
Clearly, some folks began to patch as soon as possible after the CVEs were announced, but not enough. Bear in mind what an exposure count can and cannot tell us: a master that was put behind a firewall drops out of the count whether or not it was also patched, and the scan cannot by itself confirm that the 3,722 still reachable are unpatched, only that their master ports remain open to anyone who tries.
“It’s really encouraging to see Salt users taking the recent critical vulnerability seriously, and doing the right thing by either patching to the latest version or at a minimum not making them directly accessible to the internet,” said Mehul Revankar, Director of Product Management at SaltStack. “Scan results from censys.io are a great validation that our communication strategy is working, but we still have a long way to go. If you haven’t patched already, please patch as soon as possible.”
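The quote above boils the response down to two actions: patch to a fixed release, or stop exposing the master to the internet. The following Python script is added here as an example, not Censys or SaltStack code, to check both on a master host. It compares the version string printed by `salt-master --version` against the fixed releases named in the advisory (2019.2.4 and 3000.2), and parses `ss -ltn` output to see how the master's default ports, 4505 (publish) and 4506 (request server), are bound. The sample version string and socket listing are constructed; the `ss` layout is assumed to be the usual columns with the local address in the fourth one. Branches that received no official fixed release (2018.3 and older) are reported separately, because a backported patch does not change the version string and must be verified by hand.

```python
"""Local checks for the SaltStack advisory (CVE-2020-11651, CVE-2020-11652).

Added example, not Censys or SaltStack code. Two checks:
  * patch_status(): is salt-master at or above the fixed release for its
    branch (2019.2.4 or 3000.2, per the advisory)?
  * salt_port_exposure(): are the default master ports (4505 publish,
    4506 request server) bound to a wildcard address, to loopback, or to
    one specific address?
"""
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory, keyed by branch. Salt <3000 uses
# YEAR.MONTH.PATCH, so the branch is the first two components; 3000+ uses
# MAJOR.PATCH, so the branch is the first component only.
FIXED_RELEASES: Dict[Tuple[int, ...], Tuple[int, ...]] = {
    (2019, 2): (2019, 2, 4),
    (3000,): (3000, 2),
}

# Default salt-master listeners (ZeroMQ transport).
SALT_MASTER_PORTS = {4505: "publish", 4506: "request server"}

_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)*)\b")


def parse_version(version_text: str) -> Tuple[int, ...]:
    """Pull the numeric version out of text such as 'salt-master 2019.2.3 (Fluorine)'."""
    match = _VERSION_RE.search(version_text)
    if not match:
        raise ValueError(f"no version number in {version_text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _branch(version: Tuple[int, ...]) -> Tuple[int, ...]:
    return (version[0],) if version[0] >= 3000 else version[:2]


def patch_status(version_text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'no-fixed-release'.

    'no-fixed-release' means the branch got no official fixed release in the
    advisory (e.g. 2018.3); such masters need the backported patch verified
    by hand, since the version string alone cannot show it.
    """
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get(_branch(version))
    if fixed is None:
        # Anything newer than the newest fixed release (e.g. 3001) carries the fix.
        return "fixed" if version > max(FIXED_RELEASES.values()) else "no-fixed-release"
    return "fixed" if version >= fixed else "vulnerable"


_EXPOSURE_RANK = {"not-listening": 0, "loopback": 1, "specific": 2, "wildcard": 3}


def _classify_address(addr: str) -> str:
    addr = addr.strip("[]")
    if addr in ("0.0.0.0", "::", "*"):
        return "wildcard"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "specific"


def salt_port_exposure(ss_output: str) -> Dict[int, str]:
    """Classify how each Salt master port is bound, from `ss -ltn` output.

    'wildcard' listens on every interface (internet-facing unless a firewall
    intervenes), 'specific' is bound to one address (check it is not public),
    'loopback' is local only. The worst binding wins when a port appears more
    than once (e.g. separate v4 and v6 sockets).
    """
    exposure = {port: "not-listening" for port in SALT_MASTER_PORTS}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header row or a non-listening socket
        addr, _, port_text = fields[3].rpartition(":")
        if not port_text.isdigit() or int(port_text) not in exposure:
            continue
        port = int(port_text)
        kind = _classify_address(addr)
        if _EXPOSURE_RANK[kind] > _EXPOSURE_RANK[exposure[port]]:
            exposure[port] = kind
    return exposure


def findings(version_text: str, ss_output: str) -> List[str]:
    """List what still needs attention; empty means patched and not bound
    to a wildcard or specific address on either master port."""
    notes = []
    status = patch_status(version_text)
    if status != "fixed":
        notes.append(f"salt-master {version_text.strip()!r}: {status}")
    for port, kind in salt_port_exposure(ss_output).items():
        label = SALT_MASTER_PORTS[port]
        if kind == "wildcard":
            notes.append(f"port {port} ({label}) listens on all interfaces")
        elif kind == "specific":
            notes.append(f"port {port} ({label}) bound to one address; confirm it is not public")
    return notes


# Constructed sample data, not captured from a real host.
SAMPLE_VERSION = "salt-master 2019.2.3 (Fluorine)"
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       1000     0.0.0.0:4505         0.0.0.0:*
LISTEN  0       1000     [::]:4505            [::]:*
LISTEN  0       1000     10.0.0.5:4506        0.0.0.0:*
LISTEN  0       128      127.0.0.1:631        0.0.0.0:*
LISTEN  0       128      [::]:22              [::]:*
"""

if __name__ == "__main__":
    for note in findings(SAMPLE_VERSION, SAMPLE_SS) or ["nothing to do"]:
        print(note)
```

On a real host, feed `findings()` the output of `salt-master --version` and `ss -ltn`. A 'specific' binding on a private address is only as safe as the firewall in front of it, and even a 'fixed' result says nothing about minions that may already have been reached while the master was exposed.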
Censys will continue to monitor and report on the number of exposed Salt servers.