Wednesday, April 17, 2024

Cyber Threat Actors Hacked Cisco Servers by Exploiting SaltStack Vulnerabilities

Recently, the attackers hacked a number of Cisco Systems servers using the Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) platform; it’s a service that allows users to create and test network topologies (the consortium of the elements of a network) without installing the device.

In this attack, the cybercriminals have exploited the critical vulnerabilities in the SaltStack Salt open-source framework.

It is widely used for automation services, as well as in the implementation of data center systems management.

According to Cisco experts, the Cisco Modeling Labs Corporate Edition (CML) is also vulnerable to attacks because it includes a version of SaltStack that runs the vulnerable Salt Master (“master”) installation.

In general, CML allows users to simulate Cisco devices and third-party devices. At the same time, the VIRL-PE enables the users to design and test virtual networks in a development and testing environment, as we told earlier.

Vulnerable Products

To make it more clear, here are the products that are affected by these vulnerabilities:-

  • Cisco Modeling Labs Corporate Edition (CML)
  • Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)

Servers That Were Compromised

According to the company, the cyber attackers have managed to compromise six server infrastructure, and here they are:- 


From the image that we have mentioned below, you can see the example that shows a device where the salt-master service is enabled:-

Security Flaws

The vulnerabilities correspond to an authentication bypass that is identified as CVE-2020-11651, and a directory traversal that is identified as CVE-2020-11652.

Collectively, these two flaws can allow the attackers to gain unauthorized access to the entire file system of the servers that are configured in SaltStack.

Moreover, Cisco updated the compromised servers on May 7, 2020, and applied all the necessary patches that address authentication bypass vulnerabilities (CVE-2020-11651) and directory traversal vulnerabilities (CVE-2020-11652) that affect SaltStack servers.

Cisco has released two essential updates for the VIRL-PE services and related product Cisco Modeling Labs Corporate Edition. Apart from this, the security experts point out that without the updates, any version of both services could remain vulnerable to these security flaws.

The SaltStack Salt is meant to observe and update the servers, as it’s an automation and remote execution engine, that allows its users to run commands on multiple systems utilizing the master node that applies the changes to target servers.

Apart from this, Cisco is not the first and only company that was attacked by the attackers using these flaws, as earlier the attackers have also attacked other popular companies as well using these security flaws. 

Ghost reported that hackers hacked their servers and infected their systems with bitcoin mining malware using these security flaws in early May.

Not only that, even Xen-Orchestra have also reported that they have suffered from the same problem. However, we strongly recommend you all to update your devices immediately with the latest security patch released by Cisco to stay secure.

So, what do you think about this? Share all your views and thoughts in the comment section below.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles