Salt on the Wound: Data Centers to be Affected by SaltStack RCE Bug

The open-source SaltStack Salt framework has been found containing two severe security flaws, each with a CVSS score of 10. These vulnerabilities permit full remote code execution (RCE) with root privileges on servers in data centers.

What are the vulnerabilities?

The Salt framework was found containing a couple of security flaws including:

  • CVE-2020-11651, an authentication bypass vulnerability, wherein internal functionality was exposed to unauthenticated network clients.
  • CVE-2020-11652, a directory traversal vulnerability, in which untrusted input was not effectively sanitized.

However, patches for both the flaws are included in the new version 2019.2.4 of the software.

Why these bugs are dangerous?

According to the research by F-Secure, these vulnerabilities can be exploited by cybercriminals to bypass authorization and authentication controls that are used to control access to Salt instance. These instances are comprised of a “master” server and a number of “minion” agents that collect data for the system and conduct tasks. If these vulnerabilities are exploited, any code can be executed remotely with root privileges on the master and also the minion agents.

Cybercriminals can then use this privilege to mine cryptocurrencies or even conduct high-impact attacks. Cybercriminals can also install backdoors to exploit a network, steal credentials and data, and conduct extortion, among others.

What is the impact?


  • An initial scan by researchers in F-Secure revealed more than 6,000 vulnerable Salt master servers, primarly hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP), among other cloud environments.
  • While it might be challenging for attackers to reach hosts hidden from the public internet, they can still gain access by exploiting corporate networks using other techniques.

In essence

Salt users are recommended to update the software packages to their latest versions. Moreover, it is possible for organizations to identify attacks by exploiting these vulnerabilities.