Categories: Cisco

Cyber Threat Actors Hacked Cisco Servers by Exploiting SaltStack Vulnerabilities

Recently, the attackers hacked a number of Cisco Systems servers using the Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) platform; it’s a service that allows users to create and test network topologies (the consortium of the elements of a network) without installing the device.

In this attack, the cybercriminals have exploited the critical vulnerabilities in the SaltStack Salt open-source framework.

It is widely used for automation services, as well as in the implementation of data center systems management.

According to Cisco experts, the Cisco Modeling Labs Corporate Edition (CML) is also vulnerable to attacks because it includes a version of SaltStack that runs the vulnerable Salt Master (“master”) installation.

In general, CML allows users to simulate Cisco devices and third-party devices. At the same time, the VIRL-PE enables the users to design and test virtual networks in a development and testing environment, as we told earlier.

Vulnerable Products

To make it more clear, here are the products that are affected by these vulnerabilities:-

  • Cisco Modeling Labs Corporate Edition (CML)
  • Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)

Servers That Were Compromised

According to the company, the cyber attackers have managed to compromise six server infrastructure, and here they are:- 

  • us-1.virl.info
  • us-2.virl.info
  • us-3.virl.info
  • us-4.virl.info
  • vsm-us-1.virl.info
  • vsm-us-2.virl.info

From the image that we have mentioned below, you can see the example that shows a device where the salt-master service is enabled:-

Security Flaws

The vulnerabilities correspond to an authentication bypass that is identified as CVE-2020-11651, and a directory traversal that is identified as CVE-2020-11652.

Collectively, these two flaws can allow the attackers to gain unauthorized access to the entire file system of the servers that are configured in SaltStack.

Moreover, Cisco updated the compromised servers on May 7, 2020, and applied all the necessary patches that address authentication bypass vulnerabilities (CVE-2020-11651) and directory traversal vulnerabilities (CVE-2020-11652) that affect SaltStack servers.

Cisco has released two essential updates for the VIRL-PE services and related product Cisco Modeling Labs Corporate Edition. Apart from this, the security experts point out that without the updates, any version of both services could remain vulnerable to these security flaws.

The SaltStack Salt is meant to observe and update the servers, as it’s an automation and remote execution engine, that allows its users to run commands on multiple systems utilizing the master node that applies the changes to target servers.

Apart from this, Cisco is not the first and only company that was attacked by the attackers using these flaws, as earlier the attackers have also attacked other popular companies as well using these security flaws. 

Ghost reported that hackers hacked their servers and infected their systems with bitcoin mining malware using these security flaws in early May.

Not only that, even Xen-Orchestra have also reported that they have suffered from the same problem. However, we strongly recommend you all to update your devices immediately with the latest security patch released by Cisco to stay secure.

So, what do you think about this? Share all your views and thoughts in the comment section below.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

6 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

6 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

6 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

6 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago