Critical Vulnerability in Salt Requires Immediate Patching

The Salt community has been aware of a critical vulnerability in Salt Master versions since late last week. It was informed that the vulnerability has a CVSS rating of 10.0, that Salt Masters should not be exposed to the internet, and that fixes would be released this week.

More warnings appeared early this week. F-Secure’s Mikko Hypponen (F-Secure had discovered the two vulnerabilities earlier this year) tweeted on Monday, 27 April: “The vulnerability in Salt Master 3000.1 has been rated with a CVSS of 10.0” (on a scale from 1 to 10). Today, SaltStack patches are available, an advisory has been published, and F-Secure has published an accompanying blog post. Users of Salt should consider the blog’s opening words: “Patch by Friday or compromised by Monday.”

Salt is an open source project managed by SaltStack, and is a popular configuration tool for managing servers in data centers and cloud environments. A Salt Master connects to agents on possibly hundreds of other servers called minions. It collects state reports from the minions, and publishes update messages that the minions can action. Typically, these are configuration updates.

The two vulnerabilities discovered by F-Secure are detailed in an advisory published today: an authentication bypass (CVE-2020-11651) and a directory traversal (CVE-2020-11652). Both have been patched by SaltStack engineers in release 3000.2 (with a separate patch release for the previous major version).
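As an added example (not SaltStack's or F-Secure's code), a small triage helper that classifies Salt Master versions against the affected ranges this article reports (2019.2.3 and earlier, 3000.1 and earlier, fixed in 3000.2). The hostnames and version outputs are constructed, and it assumes the patched 2019.2 release, whose number the article does not give, carries a patch number above 3.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges as reported in the article. The page does not name the
# patched 2019.2 release, so (assumption) any 2019.2 version newer than
# 2019.2.3 is treated as carrying the fix.
FIXED_3000 = (3000, 2)
LAST_AFFECTED_2019 = (2019, 2, 3)

# Matches the version in one-line output such as "salt-master 3000.1".
VERSION_RE = re.compile(r"\b(\d{4}(?:\.\d+)*)\b")

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3000.1' or '2019.2.3' into a tuple that compares numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def version_from_cli_output(line: str) -> Tuple[int, ...]:
    """Extract the version from the output of `salt-master --version`."""
    match = VERSION_RE.search(line)
    if not match:
        raise ValueError(f"no Salt version found in: {line!r}")
    return parse_version(match.group(1))

def is_affected(version: Tuple[int, ...]) -> bool:
    """True if the version falls inside the ranges the advisory calls vulnerable."""
    if version[0] >= 3000:
        return version < FIXED_3000          # 3000.0 and 3000.1 need 3000.2
    return version <= LAST_AFFECTED_2019    # 2019.2.3 and every older release

def triage(masters: Dict[str, str]) -> List[str]:
    """Return, sorted, the hostnames whose reported version still needs patching."""
    return sorted(host for host, output in masters.items()
                  if is_affected(version_from_cli_output(output)))

if __name__ == "__main__":
    # Constructed sample inventory: hostnames and outputs are made up.
    inventory = {
        "salt-master-01": "salt-master 3000.1",
        "salt-master-02": "salt-master 3000.2",
        "salt-master-03": "salt-master 2019.2.3",
        "salt-master-04": "salt-master 2018.3.4",
    }
    print("needs patching:", triage(inventory))
```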

The authentication bypass exists because the ClearFuncs class, which processes unauthenticated requests, unintentionally exposes its _send_pub() method; that method can be used to instruct the minions to run arbitrary commands as root. ClearFuncs can also be used to obtain the ‘root key’ that authenticates commands from the local root user on the master server. Ultimately, this gives a remote unauthenticated attacker root-equivalent access to the Salt Master.

The directory traversal vulnerability is caused by ClearFuncs accepting unauthenticated tokens that are then used as a filename without sanitization. This allows, warns the advisory, “insertion of ‘..’ path elements and thus reading of files outside of the intended directory.”
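As an added illustration (not Salt's code and not taken from the advisory), the unsanitized-filename pattern the advisory describes, beside a hardened version that allowlists the token format and confirms the resolved path stays inside the token directory. The token directory path and the token format are assumptions for this example.

```python
import os
import re
from typing import Optional

# Illustrative token store (an assumption for this example, not a Salt path).
TOKEN_DIR = "/var/cache/example-master/tokens"

# Assumed token format: an opaque alphanumeric identifier, never a path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{8,128}$")

def unsafe_token_path(token_dir: str, token: str) -> str:
    """The flawed pattern the advisory describes: a caller-supplied token is
    joined straight into a filename, so '..' segments walk out of token_dir."""
    return os.path.normpath(os.path.join(token_dir, token))

def resolve_token_path(token_dir: str, token: str) -> Optional[str]:
    """Hardened form. Returns the resolved file path, or None when the token
    is malformed or the resolved path would fall outside token_dir."""
    if not TOKEN_RE.fullmatch(token):        # rejects '/', '\\', '.', NUL, empty
        return None
    base = os.path.realpath(token_dir)
    full = os.path.realpath(os.path.join(base, token))
    # Second line of defence: even an allowlisted token must stay under base.
    if os.path.commonpath([base, full]) != base:
        return None
    return full

def safe_token_path(token_dir: str, token: str) -> str:
    """Raise rather than silently serve a file from the wrong directory."""
    path = resolve_token_path(token_dir, token)
    if path is None:
        raise ValueError("rejected token: malformed or escapes the token directory")
    return path

if __name__ == "__main__":
    traversal = "../../../../etc/passwd"          # constructed malicious token
    print("unsafe:", unsafe_token_path(TOKEN_DIR, traversal))
    print("hardened:", resolve_token_path(TOKEN_DIR, traversal))
    print("hardened:", resolve_token_path(TOKEN_DIR, "0123456789abcdef"))
```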

“We expect,” warns F-Secure, “that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours,” reinforcing the need for Salt users to patch immediately.

In an accompanying blog post, F-Secure warns that attackers could simply use the master/minion relationship to mine cryptocurrencies across possibly hundreds of servers, or they could install backdoors to explore the network, with the potential for data theft or extortion. Of particular concern to F-Secure is the large number of Salt Masters found exposed to the internet: 6000.

“I was expecting the number to be a lot lower,” said F-Secure principal consultant Olle Segerdahl. “There’s not many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet. When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So, if I were running one of these 6000 masters, I wouldn’t feel comfortable leaving work for the weekend knowing it’s a target.”

Alex Peay, SVP of product and marketing at SaltStack, told SecurityWeek, “A critical vulnerability was discovered in Salt Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier. The vulnerability occurs if a Salt Master is exposed to the open internet. Upon notification, SaltStack took immediate action to remediate the vulnerability, develop and issue patches, and communicate to our customers about the affected versions so they can prepare their systems for update.”

While exposing a Salt Master to the internet makes an attack both easier and more likely, the vulnerability itself isn’t dependent on that exposure. “While attackers will have a more difficult time reaching hosts hidden from the internet, they can still exploit them by accessing corporate networks in other ways first,” warns F-Secure.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
