Cisco Discloses Critical Vulnerabilities within the SaltStack Framework

In a security alert published May 28, 2020, Cisco disclosed two critical vulnerabilities within the SaltStack Framework impacting Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE). SaltStack, also known as Salt, is a type of software used in data centers that allows administrators to control multiple servers from a central location.

The vulnerabilities are tracked as CVE-2020-11651, an Authentication Bypass vulnerability, and CVE-2020-11652, a Directory Traversal vulnerability. Both vulnerabilities were originally disclosed on April 30, 2020, and have been exploited in the wild over the past month. According to the alert, attackers are using these vulnerabilities to gain access to the servers that act as backend infrastructure for VIRL-PE, a Cisco service that allows users to model and create virtual network architectures. The six impacted servers are:

– us-1.virl[.]info

– us-2.virl[.]info

– us-3.virl[.]info

– us-4.virl[.]info

– vsm-us-1.virl[.]info

– vsm-us-2.virl[.]info

According to the alert, Cisco patched and remediated all hacked VIRL-PE servers on May 7, 2020, when they deployed updates for the SaltStack software. Both VIRL-PE and CML can be used in Cisco-hosted and on-premise scenarios, so for companies that use the two products on location, both CML and VIRL-PE need to be patched.

The company has released software updates yesterday (May 28, 2020) for both products that incorporate fixes for the two SaltStack vulnerabilities. Available updated versions include Cisco CML and VIRL-PE 1.2, 1.3, 1.5, and 1.6.

You can find the Cisco Security bulletin with workaround and patching information here: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG