UPDATE: 21 SaltStack Breaches with 2900 Still Vulnerable

UPDATE for May 31, 2020:

We first published this story over a week ago, but adversaries don't rest. On Friday, Cisco announced that it had discovered SaltStack compromises on six of its salt-master servers, part of the Cisco Internet Routing Lab Personal Edition service infrastructure. This brings the total number of breaches for this open source application to 21 for the month of May.

If 21 breaches in a single month feels daunting, wait for what June may bring. A recent update from Censys warns that over 2,900 internet-facing SaltStack instances are still vulnerable.

  • On May 1, Censys found 5,841 exposed and likely vulnerable Salt servers connected to the Internet.
  • On May 6, that number went down to 3,722 Salt servers exposed – a 36% reduction in just 5 days.
  • On May 12, the number stands at 2,928 Salt servers still exposed – a 21% reduction from last week, and a 50% reduction overall since the CVE was announced.

Here is our updated timeline of the breaches:



ORIGINAL POST from May 18:

Since 2017, I've reported in our annual State of the Software Supply Chain Report that the average time between an open source vulnerability being announced and subsequently exploited was three days. We saw this exploitation window play out with Equifax, GMO Payment Gateway, Canada Revenue Agency and several more.

Then our CTO, Brian Fox, started chronicling a disturbing turn of events that showed that a shifting landscape of attacks based on OSS consumption was emerging. In the past three years, we’ve seen a consistent increase in open source and supply chain attacks that make one thing clear: adversaries are not slowing down.

Twenty more open source breaches occurred in the first three days of this month. The opportunity for adversaries emerged when (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Derek Weeks. Read the original post at: