Date: 2020-05-28

Six servers that Cisco uses to provide a virtual networking service were compromised by hackers who exploited critical flaws in unpatched versions of the open source software the service is based on, the company disclosed Thursday.

The May 7 compromise hit six Cisco servers that provide back-end connectivity to Virtual Internet Routing Lab Personal Edition (VIRL-PE), a Cisco service that lets customers design and test network topologies without having to deploy real equipment. Both VIRL-PE and a related service, Cisco Modeling Labs Corporate Edition, incorporate the Salt management framework, which contained a pair of bugs that, when combined, were critical. The vulnerabilities were made public on April 30.

Cisco deployed the vulnerable servers on May 7, and they were compromised the same day. Cisco removed them from service and remediated them, also on May 7. The servers were:

us-1.virl.info

us-2.virl.info

us-3.virl.info

us-4.virl.info

vsm-us-1.virl.info

vsm-us-2.virl.info

Cisco said that without updates, any VIRL-PE or CML product deployed in a standalone or cluster configuration will remain vulnerable to the same type of compromise. The company released software updates for the two vulnerable products. Cisco rated the severity of the vulnerabilities 10 out of 10 on the CVSS scale.

Salt's vulnerabilities are CVE-2020-11651, an authentication bypass, and CVE-2020-11652, a directory traversal. Together, they allow unauthorized access to the entire file system of the Salt master server that services using Salt depend on. F-Secure, the company that discovered the vulnerabilities, has published a good description of them.

Cisco and its customers are just a small sample of those who have been bitten by the Salt bugs in recent weeks. Earlier this month, the Ghost blogging platform reported that hackers had exploited the flaw to infect servers on its private network with cryptocurrency-mining malware.

Other groups that have also been affected include DigiCert, LineageOS and Xen Orchestra.

The series of attacks on such a varied list of targets highlights how interconnected Internet services are today. A critical vulnerability in one component can often spread quickly. Anyone using Salt-dependent software or services, whether from Cisco or not, would do well to make sure they have been updated.