External risk intelligence

Salt Master Authentication Bypass Leading to Command Execution.

CVE advisory | Known Exploit

CVE-2020-11651

A vulnerability in SaltStack Salt allows unauthenticated remote access to sensitive methods, potentially enabling attackers to execute arbitrary commands on managed systems. This poses a risk of unauthorized control over infrastructure and data compromise. Organizations using affected versions should prioritize remedia

Halo Surface Signal: 2

Saltstack Salt

before 2019.2.4; 3000 to before 3000.2

External exposure likelihood

Halo Surface Signal score for CVE-2020-11651

Salt Master services (the ZeroMQ publisher on TCP 4505 and the request server on TCP 4506) are intended for internal infrastructure management and orchestration within private networks. While technically network-reachable, they are not designed to be public-facing services, and best practice is to keep them isolated from the public internet behind firewalls or VPNs, reachable only from the address ranges where minions live.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Salt open-source remote execution and configuration management platform allows unauthenticated remote access to sensitive methods. This flaw can enable attackers to retrieve user tokens or execute arbitrary commands on managed systems. The impact can lead to unauthorized control over critical infrastructure and data breaches.

  • Salt-master process ClearFuncs
  • Improper method call validation
  • Compromised systems and data

Attack Path

How an attacker could exploit the issue

An unauthenticated remote attacker who can reach the Salt Master's request server (TCP 4506) can exploit missing method-call validation in the ClearFuncs class of the salt-master process. Methods that were meant to be internal, notably `_prep_auth_info`, which returns the master's root key, and `_send_pub`, which publishes jobs to minions, are reachable without authenticating. With the root key, or by publishing directly, the attacker can run arbitrary commands on every connected Salt Minion, which by default runs as root.

  • Salt Master request server (TCP 4506) reachable by the attacker.
  • Attacker calls ClearFuncs methods that should be internal, without authenticating.
  • Attacker retrieves the master root key or publishes commands to minions.
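The weakness class behind this attack path, as an added example that is not code from the Salt project: a stripped-down model of a request-server dispatcher in which a prefix deny-list stands in for method-call validation, next to the allow-list form that closes the gap (the fix shipped in 2019.2.4 and 3000.2 moved to an explicit list of exposed methods). All names here (ClearFuncsModel, handle_request_vulnerable, EXPOSED_METHODS, the "secret-root-key" value) are assumed and illustrative; the method bodies are toy stand-ins, not Salt's logic.

```python
"""Added example, not code from the Salt project: a model of a request-server
dispatcher showing why a prefix deny-list is not method-call validation, and
the allow-list form that fixes it. Names and bodies are illustrative only."""
from typing import Any, Dict, List


class ClearFuncsModel:
    """Stand-in for a class whose public methods are meant to be callable by
    unauthenticated clients but which also holds privileged helpers."""

    def __init__(self, root_key: str) -> None:
        self._root_key = root_key          # secret that authorises privileged calls
        self.published: List[str] = []     # commands that reached minions

    # Intended unauthenticated surface ------------------------------------
    def ping(self, load: Dict[str, Any]) -> Dict[str, Any]:
        return {"pong": True}

    def publish(self, load: Dict[str, Any]) -> Dict[str, Any]:
        # Authorisation check: callers must present the master's key.
        if load.get("key") != self._root_key:
            return {"error": "not authorised"}
        self.published.append(load["fun"])
        return {"ok": True}

    # Internal helpers: a single underscore marks them "private", but that is
    # a naming convention, not an access control ----------------------------
    def _prep_auth_info(self, load: Dict[str, Any]) -> Dict[str, Any]:
        return {"key": self._root_key}

    def _send_pub(self, load: Dict[str, Any]) -> Dict[str, Any]:
        self.published.append(load["fun"])  # no authorisation at all
        return {"ok": True}


def handle_request_vulnerable(funcs: ClearFuncsModel, load: Dict[str, Any]) -> Dict[str, Any]:
    """Deny-list dispatch: refuses only dunder names, so every single-underscore
    helper is callable by whoever can reach the request socket."""
    cmd = load["cmd"]
    if cmd.startswith("__") or not hasattr(funcs, cmd):
        return {"error": "no such method"}
    return getattr(funcs, cmd)(load)


EXPOSED_METHODS = frozenset({"ping", "publish"})   # assumed allow-list


def handle_request_fixed(funcs: ClearFuncsModel, load: Dict[str, Any]) -> Dict[str, Any]:
    """Allow-list dispatch: only names explicitly marked public resolve."""
    cmd = load["cmd"]
    if cmd not in EXPOSED_METHODS:
        return {"error": "no such method"}
    return getattr(funcs, cmd)(load)


def demo() -> Dict[str, Any]:
    """Run the attack chain against both dispatchers and report the outcome."""
    weak = ClearFuncsModel(root_key="secret-root-key")
    # Step 1: unauthenticated client asks the "private" helper for the key.
    leaked = handle_request_vulnerable(weak, {"cmd": "_prep_auth_info"})
    # Step 2: the leaked key turns the legitimate publish path into command
    # execution on minions.
    handle_request_vulnerable(weak, {"cmd": "publish", "key": leaked["key"], "fun": "cmd.run"})
    # Step 2': or skip the key entirely and publish through the unguarded helper.
    handle_request_vulnerable(weak, {"cmd": "_send_pub", "fun": "cmd.run"})

    fixed = ClearFuncsModel(root_key="secret-root-key")
    rejected_a = handle_request_fixed(fixed, {"cmd": "_prep_auth_info"})
    rejected_b = handle_request_fixed(fixed, {"cmd": "_send_pub", "fun": "cmd.run"})
    return {
        "leaked_key": leaked.get("key"),
        "weak_published": list(weak.published),
        "fixed_rejects_helpers": rejected_a == rejected_b == {"error": "no such method"},
        "fixed_published": list(fixed.published),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the dispatch rule, not the toy bodies: any check phrased as "reject names that look private" leaves every name the author forgot to make look private reachable, whereas an allow-list fails closed when a new helper is added.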

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk because it yields remote command execution on every managed minion. Little skill is required: public proof-of-concept exploits appeared within days of the April 2020 disclosure, the flaw was exploited in the wild against internet-exposed masters, and it is listed in CISA's Known Exploited Vulnerabilities catalog. The ability to retrieve the master's root key and run arbitrary commands on connected minions means sensitive data can be compromised and critical business operations disrupted. Organizations running affected versions of SaltStack should treat this as a high-priority issue.

  • Likely attacker skill level: Low (public exploits available)
  • Required access or conditions: Remote, network access to the master's request server, no authentication needed
  • Business risk or urgency: Critical

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An unauthenticated remote user can call salt-master methods that should be internal, retrieving the master's root key or publishing jobs to Salt minions. Because the root key authorises any further request, this is a full bypass of the master's authentication rather than an elevation within it. Organizations utilizing SaltStack should prioritize addressing this issue to protect their systems and data from compromise.

  • Identify Salt Master assets and their exposure: check `salt --versions-report` for a version before 2019.2.4 or 3000.2, and check whether TCP 4505 and 4506 are reachable from untrusted networks.
  • Isolate vulnerable masters: restrict TCP 4505/4506 to the minion address ranges (firewall or VPN) until they are patched.
  • Apply vendor updates (2019.2.4, 3000.2, or later), restart salt-master, and validate the running version.
  • Monitor for related activity; a master that was reachable while unpatched should be treated as potentially compromised, with master and minion keys rotated and minions inspected for unexpected jobs.
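The first three steps above, as an added triage script that is not SaltStack tooling: it classifies a Salt version against the fixed releases named in this advisory and flags Salt ports bound to wildcard addresses in `ss -ltn` output. Assumptions (mine, not the advisory's): a Linux master where `salt --versions-report` prints a `Salt:` line and `ss` from iproute2 is available; version strings are plain release numbers, with any packaging suffix stripped before comparison. The `ss` output embedded below is constructed sample data, not from a real host.

```python
"""Added example, not SaltStack tooling: triage helpers for CVE-2020-11651.
Assumes a Linux master with `salt --versions-report` and `ss -ltn`;
the SAMPLE_SS text is constructed, not captured from a real host."""
import re
import subprocess
from typing import Any, Dict, List, Tuple

FIXED_DATE_RELEASE = (2019, 2, 4)   # fixed release of the date-based series
FIXED_3000_MINOR = 2                # 3000.2 is the fixed release of the 3000 series
SALT_PORTS = {4505, 4506}           # publisher and request server
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def parse_version(ver: str) -> Tuple[int, ...]:
    """'3000.1+ds-1' -> (3000, 1); '2019.2.3' -> (2019, 2, 3)."""
    m = re.match(r"(\d+(?:\.\d+)*)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised Salt version: {ver!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(ver: str) -> bool:
    """True if VER is before 2019.2.4, or a 3000-series release before 3000.2."""
    v = parse_version(ver)
    if v[0] >= 3000:
        # 3000 and 3000.1 are affected; 3000.2+ and 3001+ are fixed.
        minor = v[1] if len(v) > 1 else 0
        return v[0] == 3000 and minor < FIXED_3000_MINOR
    return v < FIXED_DATE_RELEASE   # tuple order: (2019, 2) < (2019, 2, 4)


def exposed_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """(address, port) pairs from `ss -ltn` output where a Salt port is bound
    to a wildcard address, i.e. reachable on every interface."""
    found: List[Tuple[str, int]] = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")   # column 4 is Local Address:Port
        if not port.isdigit() or int(port) not in SALT_PORTS:
            continue
        if addr in WILDCARD_ADDRS:
            found.append((addr, int(port)))
    return found


def triage(version: str, ss_output: str) -> Dict[str, Any]:
    """Combine both checks: exposed and unpatched is the worst case."""
    affected = is_affected(version)
    exposed = exposed_listeners(ss_output)
    if affected and exposed:
        priority = "critical"
    elif affected:
        priority = "high"
    else:
        priority = "ok"
    return {"version": version, "affected": affected, "exposed": exposed, "priority": priority}


def master_version() -> str:
    """Read the installed version from `salt --versions-report` (assumed format)."""
    out = subprocess.run(["salt", "--versions-report"],
                         capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        if line.strip().startswith("Salt:"):
            return line.split(":", 1)[1].strip()
    raise RuntimeError("Salt version not found in versions report")


# Constructed sample `ss -ltn` output (not from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*
LISTEN 0      1000   0.0.0.0:4505        0.0.0.0:*
LISTEN 0      1000   0.0.0.0:4506        0.0.0.0:*
LISTEN 0      128    [::]:443            [::]:*
"""

if __name__ == "__main__":
    try:
        ver = master_version()
        ss_out = subprocess.run(["ss", "-ltn"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        ver, ss_out = "3000.1", SAMPLE_SS   # offline: fall back to constructed data
    print(triage(ver, ss_out))
```

Run it on each master; a "critical" verdict means the request server is bound on all interfaces and the build predates the fix, so the host should be isolated before anything else. Note that a wildcard bind is only a proxy for exposure: a master bound to 0.0.0.0 behind a firewall that admits only minion subnets is not internet-reachable, and the firewall rules need to be checked separately.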

Frequently asked questions

What is SaltStack Salt and what is it used for?

SaltStack Salt is an open-source platform used for remote execution and configuration management. It helps automate the management of IT infrastructure, allowing users to control and configure many systems from a central master server.

What kind of weakness does CVE-2020-11651 represent?

CVE-2020-11651 is an authentication bypass vulnerability. The salt-master process fails to properly validate method calls, allowing unauthorized remote users to access certain functions.

What are the conditions needed to exploit CVE-2020-11651?

An attacker can exploit this vulnerability remotely without any credentials; the only requirement is network access to the master's request server (TCP 4506). The issue lies within the ClearFuncs class of the salt-master process, where method calls are not adequately validated, so methods intended to be internal can be invoked by any client.

Who should be concerned about this CVE, based on its network exposure?

Organizations should be concerned if their Salt Master services are accessible over the network. While typically used internally, any Salt Master that could be reached remotely, even if indirectly, presents a risk.

What is the first step for responding to this CVE?

The immediate first step is to identify Salt Master assets reachable from untrusted networks (TCP 4505 and 4506), restrict that access, and apply the vendor-provided updates, upgrading to 2019.2.4 or 3000.2 or later.
