Critical Vulnerability in Salt Requires Immediate Patching

The Salt community has been aware of a critical vulnerability in Salt Master versions since late last week. It was informed that the vulnerability has a CVSS rating of 10.0, that Salt Masters should not be exposed to the internet, and that fixes would be released this week.

More warnings appeared early this week. F-Secure’s Mikko Hypponen (F-Secure had discovered two vulnerabilities earlier this year) tweeted on Monday, 27 April: “The vulnerability in Salt Master 3000.1 has been rated with a CVSS of 10.0 (on a scale from 1 to 10).” Today, SaltStack patches are available, an advisory has been published, and F-Secure has blogged on the process. Users of Salt should consider the blog’s opening words: “Patch by Friday or compromised by Monday.”

Salt is an open source project managed by SaltStack, and is a popular configuration tool for managing servers in data centers and cloud environments. A Salt Master connects to agents, called minions, on possibly hundreds of other servers. It collects state reports from the minions and publishes update messages that the minions act on. Typically, these are configuration updates.

The two vulnerabilities discovered by F-Secure are detailed in an advisory published today: an authentication bypass (CVE-2020-11651) and a directory traversal (CVE-2020-11652). Both have been patched by SaltStack engineers in release 3000.2 (with a separate patch release for the previous major version).

The authentication bypass exists because a ClearFuncs class processes unauthenticated requests but unintentionally exposes the _send_pub() method — which can be used to trigger the minions to run arbitrary commands as root. ClearFuncs can also be used to obtain the ‘root key’ used to authenticate commands from the local root user on the master server. Ultimately, this provides a remote unauthenticated attacker with root-equivalent access to the Salt Master.
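The exposure pattern described above, as an added illustration that is not Salt’s own code: a hypothetical handler for unauthenticated requests whose naive dispatcher resolves any attribute a caller names, beside a hardened dispatcher that only serves an explicit allowlist. The class, method and command names are assumptions.

```python
import inspect


class UnauthenticatedHandler:
    """Hypothetical request handler reachable before authentication.

    Only names in ALLOWED may be selected by a remote caller; private
    helpers such as _send_pub stay internal even if a request names them.
    """

    # Explicit allowlist: the hardened pattern.
    ALLOWED = frozenset({"ping", "public_key"})

    def ping(self, **_):
        return "pong"

    def public_key(self, **_):
        return "CONSTRUCTED-PUBLIC-KEY"  # placeholder value, not a real key

    def _send_pub(self, **_):
        # Internal helper that must never be callable by a remote peer.
        return "would publish a job to every minion"

    def exposed(self, cmd):
        """True only for commands the hardened dispatcher will run."""
        return cmd in self.ALLOWED and inspect.ismethod(getattr(self, cmd, None))

    def dispatch_naive(self, request):
        # Weak pattern: look up whatever attribute the caller names. A leading
        # underscore is a naming convention, not a security boundary.
        func = getattr(self, request["cmd"], None)
        if func is None:
            raise ValueError("unknown command")
        return func(**request.get("args", {}))

    def dispatch(self, request):
        # Hardened pattern: the request can only pick from ALLOWED, and the
        # chosen attribute must be a bound method rather than data.
        cmd = request.get("cmd")
        if not self.exposed(cmd):
            raise PermissionError("command not available without authentication")
        return getattr(self, cmd)(**request.get("args", {}))
```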

The directory traversal vulnerability is caused by ClearFuncs accepting unauthenticated tokens that are then used as a filename without sanitization. This allows, warns the advisory, “insertion of ‘..’ path elements and thus reading of files outside of the intended directory.”
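The unsanitized-filename problem described above, as an added example that is not Salt’s code: a weak token-to-path join beside a hardened resolver that applies a format allowlist and then checks that the fully resolved path stays inside the token directory. The token format and directory are assumptions.

```python
import os
import re

# Assumed token format for this example; the product's real format is not
# described on the page, so a strict alphanumeric allowlist stands in for it.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{16,64}")


def token_path_unsafe(token_dir, token):
    # Weak pattern: the client-supplied token becomes a filename unchanged,
    # so ".." components walk out of token_dir.
    return os.path.normpath(os.path.join(token_dir, token))


def token_path_safe(token_dir, token):
    """Return the file for `token` inside token_dir, or raise ValueError.

    Two independent checks: a format allowlist on the token itself, and a
    containment check on the fully resolved path (symlinks included).
    """
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains unexpected characters")
    base = os.path.realpath(token_dir)
    candidate = os.path.realpath(os.path.join(base, token))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("token resolves outside the token directory")
    return candidate


def is_contained(token_dir, path):
    """True when `path` resolves to a location under token_dir."""
    base = os.path.realpath(token_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def accepts(token_dir, token):
    """True when the hardened resolver accepts the token."""
    try:
        token_path_safe(token_dir, token)
        return True
    except ValueError:
        return False
```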

“We expect,” warns F-Secure, “that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours,” reinforcing the need for Salt users to patch immediately.

In an accompanying blog, F-Secure warns that attackers could simply use the master/minion relationship to mine cryptocurrencies across possibly hundreds of servers, or they could install backdoors to explore the network — leading to the potential for data theft or extortion. Of particular concern to F-Secure is the large number of Salt Masters (6000) found exposed to the internet.

“I was expecting the number to be a lot lower,” said F-Secure principal consultant Olle Segerdahl. “There’s not many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet. When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So, if I were running one of these 6000 masters, I wouldn’t feel comfortable leaving work for the weekend knowing it’s a target.”

Alex Peay, SVP of product and marketing at SaltStack, told SecurityWeek, “A critical vulnerability was discovered in Salt Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier. The vulnerability occurs if a Salt Master is exposed to the open internet. Upon notification, SaltStack took immediate action to remediate the vulnerability, develop and issue patches, and communicate to our customers about the affected versions so they can prepare their systems for update.”

While exposing a Salt Master to the internet makes an attack both easier and more likely, the vulnerability itself isn’t dependent on that exposure. “While attackers will have a more difficult time reaching hosts hidden from the internet, they can still exploit them by accessing corporate networks in other ways first,” warns F-Secure.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
