Product background: If you have one hundred servers, so it makes sense to use Puppet(open source DevOps systems management tool)for centralizing and automating the configuration management process. SaltStack itself is an open source infrastructure centralized management platform. Compared with other commercial products, its deployment and configuration are slightly more complicated.

Vulnerability details: SaltStack has released a security update to address critical vulnerabilities affecting Salt versions prior to 2019.2.4 and 3000.2. A remote attacker could exploit these vulnerabilities to take control of an affected system. For more details, please refer to attached diagram. The official announcement can be found here. https://docs.saltstack.com/en/latest/topics/releases/3000.2.html

Recommendation:

1. Upgrade SaltStack to a recommended version. It is recommended to take a snapshot backup before upgrading.

2. Set the Salt Master’s default listening ports (default 4505 and 4506) to prohibit opening to the public network, or only to trusted objects.

Take care, data center administrators.

Preface: Perhaps when you do the web scan or web penetration test. XSS will be easy to find out. However people has contempt this matter.

How to avoid XSS happen?

1. Input should filter characters especially < > & ‘ ” .

2. Whitelisting and input validation are more commonly associated with SQL injection, they can also be used as an additional method of prevention for XSS.

3. Sanitizing user input.

About CVE-2020-3955: For whom with access to modify the system properties of a virtual machine from inside the guest os (such as changing the hostname of the virtual machine) may be able to inject malicious script which will be executed by a victim’s browser when viewing this virtual machine via the ESXi Host Client.

Remedy: VMware official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0008.html

Preface: Friendly speaking, the similar types of attack apply to all Linux base devices including firewall.

The impact of this vulnerability – If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web.

My observation: One of the possibility is that an attacker can craft a kernel message that contains ‘%’ characters between pairs of ‘[<‘ and ‘>]’ symbol markers to gain root access to the system. Perhaps if the attacker goal to do surveillance, he can delete the log events and fool the SIEM system. Since SIEM log event correlation functions relies on log event.

Official announcement – https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021

Preface: The modern user friendly functions installed on firewall impact his defense function.

Background: When device provide web page input user credential, perhaps it will facing injection attack. Yes, it is. No matter, SQL injection or command injection. Especially like firewall design. It is capable support and integrate of LDAP authentication or standalone authentication mode. From security point of view, Firewall service daemon should separate with it operating system kernel. And therefore the related firewall admin ID file (shadow) do not save in etc folder. It make in separate area. In the sense that if it function can support SSL VPN services. So, it should a place to store the user credential when user setup in standalone mode. Whereby it should encounter injection attack. If the credential stores in repository. It will effect by SQL injection.

Details: By investigating physical and virtual XG Firewall units, Sophos confirmed its XG Firewall has design weakness. This attack will depending on firewall setup.

Impact: Steal data from the firewall including “usernames and hashed passwords.

Remedy: https://community.sophos.com/kb/en-us/135415