External risk intelligence

Salt API Shell Injection Vulnerability

CVE advisory
Known Exploit

CVE-2020-16846

A vulnerability exists in Salt versions through 3002 (fixed in 3002.1 and in patched point releases for older branches) that allows unauthenticated command execution through the Salt API when the SSH client is enabled. It affects organizations that run the Salt API (salt-api) with the SSH client available. Exploitation carries a business risk of full compromise of the host running the API, which is normally the Salt master, and with it the integrity of every system the master manages.

Halo Surface Signal: 3

OS Command Injection

Saltstack Salt

before 2015.8.10; 2015.8.11 to before 2015.8.13; 2016.3.0 to before 2016.3.4; 2016.3.5 to before 2016.3.6; 2016.3.7 to before 2016.3.8; 2016.11.0 to before 2016.11.3; 2016.11.4 to before 2016.11.6; ...

External exposure likelihood

Halo Surface Signal score for CVE-2020-16846

The vulnerability affects the Salt API, which is typically used for infrastructure management and automation. While it is technically possible for such an API to be exposed to the internet in some misconfigured or specific cloud-native environments, Salt APIs are generally intended to be restricted to internal management networks and are not designed to be public-facing by default.

Horizon Alert

Summary of the vulnerability and why it matters

SaltStack Salt versions through 3002 contain a vulnerability that allows shell injection through crafted web requests to the Salt API when the SSH client is enabled. The flaw lets an unauthenticated attacker execute arbitrary commands on the host running the API, normally the Salt master. Organizations running this software face significant business risk if the flaw is exploited, because a compromised master can push commands to every managed minion.

  • Salt API with SSH client enabled
  • Unauthenticated shell injection
  • Compromise of systems and data

Attack Path

How an attacker could exploit the issue

The Salt API's REST interface can be driven with crafted web requests that reach the SSH client, where an attacker-controlled request value ends up in a shell command line (CWE-78). No valid credentials are needed. The result is arbitrary command execution as the salt-api service on the host running the API, normally the Salt master, and from there control of the managed fleet.

  • Exposed Salt API endpoint.
  • Unauthenticated network access.
  • Sending crafted web requests.
  • Arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

The SaltStack Salt API has a vulnerability that allows shell injection through crafted web requests when the SSH client is enabled, giving an attacker command execution on the host running the API. The vulnerability has been publicly disclosed and is listed in the CISA Known Exploited Vulnerabilities catalog, which means exploitation has been observed in the wild.

  • Likely attacker skill level: High
  • Required access or conditions: Network access to the Salt API on an instance where the SSH client is enabled; no credentials required
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization must address a vulnerability in Salt that allows shell injection through crafted web requests to the Salt API when the SSH client is enabled. It lets attackers execute arbitrary commands on the host running the API, posing a significant risk to business operations and data integrity. The vulnerability carries a critical severity rating and is present in every release branch through 3002; the fix is 3002.1 or the patched point release for the branch in use.

  • Identify all Salt API instances (hosts running salt-api) and the masters and minions they control; record the installed version from `salt --versions-report` or `salt-api --version`.
  • Restrict network access to the Salt API: bind it to a management interface and allow only automation hosts through the firewall; never expose it to the internet.
  • Apply the vendor update (3002.1 or the patched point release for your branch), restart salt-api and salt-master, and verify the reported version on every instance.
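The triage the three steps above describe, as an added example that is not part of the page or of SaltStack's code. It reads a `salt --versions-report`-style text per host, decides whether the installed release is below the patched release for its branch, and flags Salt API instances whose `rest_cherrypy` listener is bound to a non-loopback address. The per-branch fixed-version table and the `0.0.0.0` default bind are this editor's reading of the vendor's November 2020 release and the rest_cherrypy documentation; confirm both against the vendor advisory before acting on the output. The host names, reports and configs are constructed sample input.

```python
import re

# Minimum patched release per Salt branch for CVE-2020-16846. Assumption: taken
# from the vendor's November 2020 release as this editor recalls it; verify.
FIXED_BY_BRANCH = {
    "3002": "3002.1",
    "3001": "3001.3",
    "3000": "3000.5",
    "2019.2": "2019.2.7",
    "2018.3": "2018.3.6",
    "2017.7": "2017.7.9",
    "2016.11": "2016.11.10",
    "2016.3": "2016.3.8",
    "2015.8": "2015.8.13",
}


def parse_version(v):
    """'2019.2.7' -> (2019, 2, 7); tuples compare correctly, unlike strings."""
    return tuple(int(p) for p in v.strip().split("."))


def branch_of(v):
    """Releases from 3000 on use a single-number branch (3001.3 -> '3001');
    older releases use a year.month branch (2019.2.7 -> '2019.2')."""
    parts = v.strip().split(".")
    return parts[0] if int(parts[0]) >= 3000 else ".".join(parts[:2])


def is_vulnerable(v):
    fixed = FIXED_BY_BRANCH.get(branch_of(v))
    if fixed is None:
        # Branch with no patched release: anything older than the first fixed
        # mainline release (3002.1) is unpatched; anything newer was never affected.
        return parse_version(v) < parse_version("3002.1")
    return parse_version(v) < parse_version(fixed)


# The 'Salt: <version>' line of `salt --versions-report`.
SALT_LINE = re.compile(r"^\s*Salt:\s*(\S+)\s*$", re.MULTILINE)


def version_from_report(report):
    m = SALT_LINE.search(report)
    return m.group(1) if m else None


def api_bound_publicly(master_config):
    """True if rest_cherrypy listens on something other than loopback.
    Assumption: rest_cherrypy defaults to host 0.0.0.0 when unset."""
    host = master_config.get("rest_cherrypy", {}).get("host", "0.0.0.0")
    return host not in ("127.0.0.1", "::1", "localhost")


def triage(hosts):
    """hosts: {name: (versions_report_text, master_config_dict)} -> findings."""
    findings = []
    for name, (report, cfg) in hosts.items():
        ver = version_from_report(report)
        findings.append({
            "host": name,
            "version": ver,
            "vulnerable": ver is not None and is_vulnerable(ver),
            "api_public": api_bound_publicly(cfg),
        })
    return findings


# Constructed sample input: two masters, one patched and bound to loopback.
REPORT_A = "Salt Version:\n           Salt: 3001.1\n\nDependency Versions:\n"
REPORT_B = "Salt Version:\n           Salt: 3002.1\n\nDependency Versions:\n"
SAMPLE_HOSTS = {
    "master-a": (REPORT_A, {"rest_cherrypy": {"port": 8000}}),
    "master-b": (REPORT_B, {"rest_cherrypy": {"port": 8000, "host": "127.0.0.1"}}),
}

if __name__ == "__main__":
    for f in triage(SAMPLE_HOSTS):
        print(f)
```

A host that is both `vulnerable` and `api_public` is the one to patch first; a vulnerable host whose API is bound to loopback still needs the update, since anything that can reach the loopback interface (a compromised automation account, an SSRF elsewhere on the box) can reach the API.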

Frequently asked questions

What is SaltStack Salt and its primary function in IT infrastructure management?

SaltStack Salt is a powerful open-source automation and remote management tool. System administrators commonly utilize it to manage infrastructure, deploy applications, and orchestrate tasks across numerous servers concurrently, thereby streamlining IT operations.

How does CVE-2020-16846 enable shell injection in Salt versions prior to 3002?

CVE-2020-16846 is classified as a CWE-78 weakness (improper neutralization of special elements used in an OS command). In Salt versions through 3002, a specially crafted web request to the Salt API that reaches its SSH client carries a value that is placed into a shell command line without being neutralized, so shell metacharacters in that value let the attacker append commands of their own, exactly as if they were typing them into a command line interface on the host.
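The CWE-78 pattern behind the attack path above and this answer, as an added illustrative example that is not Salt's code and does not reproduce the actual Salt request: one function builds an ssh command line by string interpolation for a shell to parse (the vulnerable shape), one quotes every value when a shell string is unavoidable, and one validates the values against an allow-list and returns an argv list so no local shell is involved at all. The parameter names, the key-path rules and the sample values are assumptions made for the demonstration.

```python
import re
import shlex

# Illustrative CWE-78 pattern, not SaltStack's code. Parameter names, key-path
# rules and sample values are assumptions for the demonstration.

SEPARATORS = {";", "&&", "||", "|", "&"}


def shell_command_count(cmdline):
    """Tokenize like a POSIX shell and count how many commands the line holds.
    punctuation_chars makes ';', '|' and '&' their own tokens."""
    tokens = list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))
    if not tokens:
        return 0
    return 1 + sum(1 for t in tokens if t in SEPARATORS)


def build_ssh_command_unsafe(priv_key, target, remote_cmd):
    """Vulnerable: request-controlled values are interpolated into one string
    that the caller would hand to a shell (shell=True). A key path of
    'key; id' ends the ssh command and starts a second one, locally."""
    return f"ssh -i {priv_key} {target} {remote_cmd}"


def build_ssh_command_quoted(priv_key, target, remote_cmd):
    """Better: when a shell string is unavoidable, quote every value so the
    shell sees each one as a single word, metacharacters included."""
    return " ".join(shlex.quote(x) for x in ("ssh", "-i", priv_key, target, remote_cmd))


KEY_PATH = re.compile(r"^[A-Za-z0-9_./-]+$")
HOSTNAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def key_path_is_safe(priv_key):
    # Allow-list the characters and refuse a leading '-' so the value can never
    # be read as an ssh option (argument injection is the other half of CWE-78).
    return bool(KEY_PATH.match(priv_key)) and not priv_key.startswith("-")


def build_ssh_command_safe(priv_key, target, remote_cmd):
    """Hardened: validate, then return an argv list for subprocess.run(argv)
    with shell=False. No local shell parses the values. remote_cmd is still
    interpreted by the remote shell, which is the API's intended behaviour."""
    if not key_path_is_safe(priv_key):
        raise ValueError(f"rejected key path: {priv_key!r}")
    if not HOSTNAME.match(target) or target.startswith("-"):
        raise ValueError(f"rejected target: {target!r}")
    return ["ssh", "-i", priv_key, target, remote_cmd]


if __name__ == "__main__":
    # Constructed attacker value: a key path that smuggles a second command.
    evil = "key; id"
    print(build_ssh_command_unsafe(evil, "host", "uptime"),
          shell_command_count(build_ssh_command_unsafe(evil, "host", "uptime")))
    print(build_ssh_command_quoted(evil, "host", "uptime"),
          shell_command_count(build_ssh_command_quoted(evil, "host", "uptime")))
    print(build_ssh_command_safe("/etc/salt/pki/master/ssh/salt-ssh.rsa", "host", "uptime"))
```

Nothing here executes ssh; `shell_command_count` only shows what a shell would make of each string. The hardened form is the one to aim for: an allow-list on the value plus an argv list, so that even a validation gap cannot reach a shell.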

What conditions are necessary to trigger the shell injection vulnerability in the Salt API?

Exploitation requires an exposed Salt API endpoint accessible over the network and the SSH client feature to be enabled within the Salt configuration. An unauthenticated attacker can then send specifically designed web requests to initiate the vulnerability.

What is the relevance of CVE-2020-16846, and why is it a concern for organizations?

This vulnerability, a critical shell injection flaw in SaltStack Salt, is significant because it allows unauthenticated remote code execution. Its inclusion in the CISA Known Exploited Vulnerabilities catalog underscores the active threat it poses, indicating a high likelihood of exploitation by malicious actors.

What steps should an organization take to mitigate the risks associated with CVE-2020-16846?

Organizations should identify all instances of the Salt API, restrict network access to these interfaces, and promptly apply the vendor-provided updates for affected Salt versions. Verifying the successful deployment of these fixes is crucial to remediate the vulnerability.
