SecurityTracker.com
Category:   Application (Generic)  >   SaltStack
Vendors:   SaltStack.com
SaltStack RSA Key Generation Weakness Lets Remote Users Decrypt Communications in Certain Cases
SecurityTracker Alert ID:  1028717
SecurityTracker URL:  http://securitytracker.com/id/1028717
CVE Reference:   CVE-2013-2228
Date:  Jul 1 2013
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 0.15.0 and prior versions
Description:   A vulnerability was reported in SaltStack. A remote user can decrypt and modify communications in certain cases.

The system does not securely generate RSA keys. A remote user with the ability to monitor traffic between Salt minions and the Salt master may be able to decrypt or modify the traffic and impersonate Salt minions or the Salt master.

Ronald Volgers reported this vulnerability.

Impact:   A remote user who can monitor communications traffic can decrypt and modify communications.
Solution:   The vendor has issued a fix (0.15.1).

The vendor also recommends that all RSA keys be regenerated.

The vendor's advisory is available at:

http://docs.saltstack.com/topics/releases/0.15.1.html#rsa-key-generation-fault

Vendor URL:  docs.saltstack.com/topics/releases/0.15.1.html#rsa-key-generation-fault
Cause:   Randomization error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Copyright 2021, SecurityGlobal.net LLC