Cisco has disclosed a security incident that impacted part of its VIRL-PE infrastructure. Threat actors exploited vulnerabilities in the SaltStack software package to breach six company servers.
These issues affect the following Cisco products running a vulnerable software release:
Cisco’s advisory states that the SaltStack software package is bundled with some Cisco products. Hackers exploited SaltStack issues to compromise six company servers:
“Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE. Those servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised. The servers were remediated on May 7, 2020.” reads the advisory.
The six servers are part of the backend infrastructure for VIRL-PE (Internet Routing Lab Personal Edition), a service that allows Cisco users to model and simulate their virtual network environment.
Cisco fixed and remediated all breached VIRL-PE servers on May 7, when it upgraded them by applying the patches for the SaltStack software.
Cisco also confirmed that the Cisco Modeling Labs Corporate Edition (CML), a network modeling tool, is affected by the issues.
At the end of April, researchers from F-Secure disclosed a number of vulnerabilities in the “Salt” framework, including two issues that could be exploited by attackers to take over Salt installations.
The two flaws, tracked as CVE-2020-11651 and CVE-2020-11652, are a directory traversal issue and an authentication bypass vulnerability respectively. Chaining the issues, an attacker could bypass authentication and run arbitrary code on Salt master servers exposed online.
Immediately after the public disclosure of the issues, administrators of Salt servers started reporting attacks exploiting the above vulnerabilities last week; threat actors used them to deliver backdoors and miners.
Shortly after the disclosure of the flaws, threat actors exploited them in several attacks against organizations, including mobile operating system vendor LineageOS, Digicert CA, blogging platform Ghost, cloud software provider Xen Orchestra, and search provider Algolia.
(SecurityAffairs – Cisco VIRL-PE infrastructure, hacking)