Vulnerability in Aria Operations v8.18.6 leading to privileged access to Cloud Proxy through Salt API

Article ID: 442373

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Weak or default authentication: the Salt API admin account ships with a default password that is easily guessed, which ultimately yields privileged access to the Cloud Proxy.

The SaltStack API service, served by Tornado 4.5.3, is configured with default or easily guessable credentials.


Environment

Aria Operations 8.18.x

VCF 9.0

VMware SaltStack

Cause

An attacker who successfully authenticates to the Salt API can issue privileged API calls that execute Salt runner and execution modules.

In particular, authenticated access allows invoking the salt.cmd runner, which in turn calls execution modules such as cmd.run on the master itself. This yields arbitrary command execution on the Salt master. Because the Salt master typically runs as root, the result is full compromise of the host.

Resolution

Engineering is aware of this vulnerability. There is no workaround other than removing the API server: changing the password alone does not resolve the issue, because the encryption key is also present on the same machine.

The steps below replace the easily guessable password with a strong custom password. These changes are overwritten during a Cloud Proxy (CP) upgrade and must be reapplied after every CP upgrade.

Note:

  • Ensure all files that you modify have admin:admin ownership.
  • The Salt Tornado API server is deprecated as of Operations 9.1. The steps provided here apply only to 8.18.x and 9.0.

Steps to update the Salt API password on the Cloud Proxy (8.18.x):

  1. Log in to the Cloud Proxy using SSH.
  2. Edit the file /ucp/ucp-config-scripts/ucp-firstboot.py.
  3. Go to the method gen_raw_pwds.
  4. Identify the line salt_api_pwd = 'password'.
  5. Change the password to a strong value of the customer's choosing.
  6. Save the changes.
  7. Delete the file /ucp/config/config-secrets.properties.
  8. Run the UCP firstboot script /ucp/ucp-config-scripts/ucp-firstboot.sh.
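The procedure above, scripted as an added example (this is not Broadcom/VMware code and is not shipped with the Cloud Proxy). The file paths, the gen_raw_pwds method and the salt_api_pwd line are the ones the steps name; the function names, the --apply switch and the checks on the new password are this example's own assumptions. It rewrites the file in place (so its admin:admin ownership survives), refuses passwords that would break the Python string literal or are too short, verifies the edit took effect before touching anything else, and only then performs steps 7 and 8. Assumes awk and GNU coreutils are available on the appliance and that the --apply path is run as root.

```bash
#!/bin/bash
# Added example (not Broadcom/VMware code): scripted version of the KB steps.
# Paths and the gen_raw_pwds / salt_api_pwd names come from the KB; the
# function names and the --apply switch are this example's own invention.
# Override the paths via the environment when exercising it on another host.
FIRSTBOOT_PY="${FIRSTBOOT_PY:-/ucp/ucp-config-scripts/ucp-firstboot.py}"
SECRETS_FILE="${SECRETS_FILE:-/ucp/config/config-secrets.properties}"
FIRSTBOOT_SH="${FIRSTBOOT_SH:-/ucp/ucp-config-scripts/ucp-firstboot.sh}"

# Print the value of salt_api_pwd inside def gen_raw_pwds (nothing if absent).
# Assignments of the same name in other functions are deliberately ignored.
current_salt_api_pwd() {
  awk -v q="'" '
    /^[ \t]*def[ \t]+gen_raw_pwds[ \t]*\(/ { inside = 1; next }
    inside && /^[ \t]*def[ \t]/            { inside = 0 }
    inside && $0 ~ ("^[ \t]*salt_api_pwd[ \t]*=[ \t]*" q) {
        s = $0
        sub("^[^" q "]*" q, "", s)   # drop everything up to the opening quote
        sub(q ".*$", "", s)          # drop the closing quote and whatever follows
        print s
        exit
    }' "$1"
}

# Rewrite exactly one salt_api_pwd assignment inside gen_raw_pwds (steps 2-6).
# Refuses weak values and characters that would break the Python string
# literal; writes through the existing inode so the file keeps its owner.
rotate_salt_api_pwd() {
  rsp_file=$1
  rsp_new=$2
  case $rsp_new in
    *"'"*|*\\*) echo "password must not contain single quotes or backslashes" >&2; return 1 ;;
  esac
  if [ ${#rsp_new} -lt 14 ] || [ "$rsp_new" = "password" ]; then
    echo "password too weak: use at least 14 characters" >&2; return 1
  fi
  rsp_tmp=$(mktemp "$rsp_file.XXXXXX") || return 1
  awk -v q="'" -v newpwd="$rsp_new" '
    /^[ \t]*def[ \t]+gen_raw_pwds[ \t]*\(/ { inside = 1; print; next }
    inside && /^[ \t]*def[ \t]/            { inside = 0 }
    inside && /^[ \t]*salt_api_pwd[ \t]*=/ {
        match($0, /^[ \t]*/)                      # keep the original indentation
        print substr($0, 1, RLENGTH) "salt_api_pwd = " q newpwd q
        replaced++
        next
    }
    { print }
    END { if (replaced != 1) exit 1 }             # the KB expects exactly one such line
  ' "$rsp_file" > "$rsp_tmp" || { rm -f "$rsp_tmp"; echo "salt_api_pwd line not found in gen_raw_pwds" >&2; return 1; }
  cat "$rsp_tmp" > "$rsp_file" && rm -f "$rsp_tmp"
  [ "$(current_salt_api_pwd "$rsp_file")" = "$rsp_new" ]   # verify the edit took effect
}

# Steps 2-8 end to end; run as root over SSH on the Cloud Proxy.
# A Cloud Proxy upgrade restores the default, so rerun this afterwards.
apply_on_cloud_proxy() {
  rotate_salt_api_pwd "$FIRSTBOOT_PY" "$1" || return 1
  chown admin:admin "$FIRSTBOOT_PY" || return 1   # KB note: modified files stay admin:admin
  rm -f "$SECRETS_FILE" || return 1               # step 7: drop the old generated secrets
  "$FIRSTBOOT_SH"                                 # step 8: regenerate them with the new password
}

case ${1:-} in
  --apply) apply_on_cloud_proxy "$2" ;;
esac
```

Usage on the appliance: `./rotate-salt-api-pwd.sh --apply 'NewStrongValueHere'`. The rotate step aborts without modifying the file if the assignment is not found exactly once inside gen_raw_pwds, which guards against a changed firstboot script after an upgrade. As the Resolution section states, this only removes the guessable default; it does not address the key that stays on the same machine, so removing the API server remains the only full workaround.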