Skip to content

Latest commit

 

History

History
105 lines (83 loc) · 9.79 KB

threat-modeling.md

File metadata and controls

105 lines (83 loc) · 9.79 KB

Threat Model Analysis for saltstack/salt

Threat: Unauthenticated Remote Code Execution via salt-api

  • Threat: Unauthenticated Remote Code Execution via salt-api

    • Description: An attacker exploits a misconfiguration or vulnerability in the salt-api to execute arbitrary commands on the Salt Master or connected minions without authentication. The attacker sends crafted HTTP requests to the API endpoint, bypassing authentication.
    • Impact: Complete system compromise. The attacker gains full control over the Salt Master and all connected minions, allowing data exfiltration, system manipulation, and lateral movement.
    • Affected Component: salt-api (REST API), Master's web server configuration, authentication modules (e.g., netapi_ssl, external_auth). This is a direct Salt component.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Enable and enforce strong authentication for salt-api (e.g., TLS client certificates, strong passwords, multi-factor authentication).
      • Regularly update Salt to the latest version to patch vulnerabilities in salt-api.
      • Restrict network access to the salt-api endpoint using firewalls. Only allow access from trusted sources.
      • Implement Web Application Firewall (WAF) rules to detect and block malicious requests (though this is less direct Salt involvement).
      • Disable salt-api if it's not absolutely necessary.
      • Configure proper authorization using Salt's ACL system to limit API actions, even with authentication.

Threat: Command Injection in Custom Salt Modules

  • Threat: Command Injection in Custom Salt Modules

    • Description: An attacker exploits a vulnerability in a custom Salt execution module or state module where user-supplied input is not properly sanitized before being passed to a shell command. The attacker crafts malicious input with shell metacharacters to execute arbitrary commands on the target minion.
    • Impact: Remote code execution on the targeted minion(s). The attacker gains control, potentially leading to data breaches, system disruption, or lateral movement.
    • Affected Component: Custom Salt execution modules (*.py files in _modules), custom state modules (*.py files in _states), any module using functions like cmd.run, cmd.run_all, cmd.exec_code (or similar) without proper input validation. These are direct Salt components.
    • Risk Severity: High
    • Mitigation Strategies:
      • Strict Input Validation: Implement rigorous input validation and sanitization in all custom modules. Use whitelisting, not blacklisting. Avoid shell commands if possible.
      • Use Salt's Built-in Functions: Prefer Salt's built-in functions (e.g., file.managed, pkg.installed) over shell commands.
      • Code Review: Thoroughly review all custom modules, focusing on security.
      • Principle of Least Privilege: Run Salt minions with the least privileges necessary (avoid root).
      • Regular Security Audits: Audit custom modules and Salt configurations.

Threat: Pillar Data Exposure

  • Threat: Pillar Data Exposure

    • Description: Sensitive data in Salt Pillar is exposed to unauthorized minions due to misconfiguration. An attacker on a compromised minion accesses Pillar data intended for other minions, revealing credentials, API keys, or other sensitive information.
    • Impact: Information disclosure. The attacker gains access to sensitive data, used to compromise other systems or escalate privileges.
    • Affected Component: Pillar configuration (pillar_roots, ext_pillar), Top file (top.sls), Minion ID configuration, custom Pillar modules. These are direct Salt components.
    • Risk Severity: High
    • Mitigation Strategies:
      • Use Pillar Grains Targeting: Target Pillar data to specific minions using grains, minion IDs, or other targeting. Avoid assigning sensitive data to all minions.
      • Encrypt Sensitive Pillar Data: Use GPG or another mechanism to encrypt sensitive Pillar data at rest.
      • Use a Secrets Management System: Integrate Salt with a secrets management system (e.g., HashiCorp Vault) to securely store and retrieve secrets. Avoid storing secrets directly in Pillar files.
      • Regularly Review Pillar Configuration: Audit Pillar configuration to ensure data is not exposed.
      • Restrict Access to Pillar Files: Only the Salt Master process should have read access to Pillar files on the Master.

Threat: ZeroMQ Message Bus Eavesdropping

  • Threat: ZeroMQ Message Bus Eavesdropping

    • Description: An attacker with network access intercepts unencrypted communication between the Salt Master and minions over the ZeroMQ message bus. The attacker captures sensitive data, including commands, execution results, and potentially Pillar data.
    • Impact: Information disclosure. The attacker gains access to sensitive data transmitted between the master and minions.
    • Affected Component: ZeroMQ communication, Salt Master and Minion network configuration. This is a direct Salt communication mechanism.
    • Risk Severity: High
    • Mitigation Strategies:
      • Enable TLS Encryption for ZeroMQ: Configure Salt to use TLS encryption for all communication between the master and minions. This is the primary and most direct Salt-specific mitigation.
      • Network Segmentation: Isolate the Salt network (less direct, but important).
      • Firewall Rules: Restrict network access to the ZeroMQ ports (4505 and 4506) to authorized hosts (less direct, but important).
      • Monitor Network Traffic: Monitor for suspicious activity (less direct, but important).

Threat: Malicious State File Injection

  • Threat: Malicious State File Injection

    • Description: An attacker gains write access to the Salt file server (or the master's file roots) and injects a malicious state file (SLS). When applied, this state file executes arbitrary code on the target minions.
    • Impact: Remote code execution on the targeted minion(s). Attacker gains control.
    • Affected Component: Salt file server (file_roots), Master's file system, potentially salt-cp if used insecurely. These are direct Salt components related to file distribution.
    • Risk Severity: High
    • Mitigation Strategies:
      • Secure the File Server: Strong authentication and authorization for the Salt file server. Restrict write access.
      • Use a Version Control System: Store state files in a VCS (e.g., Git) and use a secure deployment pipeline.
      • Code Review: Review all state files before deployment.
      • Digital Signatures: Consider using digital signatures to verify state file integrity.
      • Monitor File System Changes: Monitor the Salt file server and file roots for unauthorized changes.

Threat: Exploitation of Vulnerable Salt Module

  • Threat: Exploitation of Vulnerable Salt Module

    • Description: An attacker leverages a known vulnerability in a built-in Salt module (e.g., a specific version with a known CVE) to execute arbitrary code or gain unauthorized access.
    • Impact: Varies, but could range from information disclosure to remote code execution.
    • Affected Component: Specific vulnerable built-in Salt module (e.g., a module listed in a CVE). This is a direct Salt component.
    • Risk Severity: Varies (High to Critical, depending on the CVE)
    • Mitigation Strategies:
      • Keep Salt Updated: Most important. Regularly update Salt to the latest stable version to patch known vulnerabilities. Subscribe to SaltStack security announcements.
      • Vulnerability Scanning: Use scanners to identify known vulnerabilities (less direct, but important).
      • Disable Unused Modules: If a module isn't needed, disable it.

Threat: Compromised Minion Key Leads to Impersonation

  • Threat: Compromised Minion Key Leads to Impersonation

    • Description: An attacker gains access to a minion's private key. The attacker can then use this key to impersonate the minion, sending malicious commands to the master or receiving sensitive data.
    • Impact: The attacker executes commands as the compromised minion, potentially escalating privileges or accessing sensitive data.
    • Affected Component: Minion key (/etc/salt/pki/minion/minion.pem), Minion authentication process. These are direct Salt components.
    • Risk Severity: High
    • Mitigation Strategies:
      • Secure Minion Key Storage: Strict permissions on the minion key file (readable only by the Salt minion process).
      • Regular Key Rotation: Implement a process for regularly rotating minion keys. This is a direct Salt-related mitigation.
      • Host-Based Intrusion Detection System (HIDS): Detect unauthorized access to the key file (less direct, but important).
      • Monitor for Suspicious Minion Activity: Monitor the Salt Master for unusual commands (less direct, but important). This refined list focuses on the core, high-impact threats directly related to SaltStack's functionality and components. It emphasizes the importance of securing Salt's own communication, configuration, and code execution mechanisms.