In a security alert released on May 28, Cisco revealed that two significant vulnerabilities in its software led to six servers being left wide open to hackers.

SaltStack is a piece of management software used by data centers to allow multiple servers to be grouped together and controlled.

According to the alert, the vulnerabilities concerned the validation of a user, and flaws in that process allowed remote access to the servers without authentication.

The affected servers provided backend infrastructure for Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE).

Authentication issues led to the servers being vulnerable to hackers

Security alert

The company said: "Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE. Those servers were upgraded on May 7, 2020.

"Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised."

The following servers were compromised:

  • us-1.virl.info
  • us-2.virl.info
  • us-3.virl.info
  • us-4.virl.info
  • vsm-us-1.virl.info
  • vsm-us-2.virl.info

"Cisco VIRL-PE connects back to Cisco maintained Salt Servers that are running the salt-master service. These servers are configured to communicate with a different Cisco salt-master server, depending on which release of Cisco VIRL-PE software is running."

Discovered too late for some

ZDNet reported that the vulnerabilities led to numerous attacks throughout April and May. Several companies even came out publicly about the hacks: LineageOS, Ghost, DigiCert, and Xen Orchestra.

Xen revealed in a statement that hackers exploited the weaknesses in SaltStack to install a cryptocurrency miner.