Very High
CVE-2020-16846 — SaltStack Unauthenticated Shell Injection
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-16846 — SaltStack Unauthenticated Shell Injection
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Being exploited in the wild as of April 2021. Juniper Networks has a write-up on seeing payloads being delivered by the Sysrv botnet. Kinda surprising it took that long.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Please see the Rapid7 analysis.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- debian,
- fedoraproject,
- saltstack
Products
- debian linux 10.0,
- debian linux 9.0,
- fedora 31,
- salt,
- salt 3001,
- salt 3002
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Advisory
Related AttackerKB Topic
Additional Info
Technical Analysis
Description
On Tuesday, November 3, VMware’s SaltStack released details on three new CVEs. The two more severe vulnerabilities, CVE-2020-16846 and CVE-2020-25592, affect SaltStack’s Salt API and are the focus of this analysis. CVE-2020-16846 allows an unauthenticated attacker with network access to use shell injections to run code on the Salt-API using the SSH client. CVE-2020-25592 allows an attacker to bypass authentication and make calls to Salt SSH by supplying any value for “eauth” or “token”. A successful attack using the two vulnerabilities can result in unauthenticated remote root access on a target system.
Note: This analysis is the same as the analysis posted to CVE-2020-25592.
Affected products
A patch is available for the following affected Salt versions:
- 3002
- 3001.1, 3001.2
- 3000.3, 3000.4
- 2019.2.5, 2019.2.6
- 2018.3.5
- 2017.7.4, 2017.7.8
- 2016.11.3, 2016.11.6, 2016.11.10
- 2016.3.4, 2016.3.6, 2016.3.8
- 2015.8.10, 2015.8.13
Rapid7 analysis
None of the CVEs have a severity rating associated with them, but it hardly matters much what the eventual severity ratings turn out to be. Pre-authenticated remote root is the gold-medal standard for attackers, and it took Rapid7 researchers a mere 15 minutes and a single HTTP request to get there. CVE-2020-11651, another Salt vulnerability from April 2020, was exploited quickly by threat actors. We expect CVEs 2020-16846 and 2020-25592 to follow that same path.
Guidance
SaltStack customers should patch as quickly as possible, prioritizing these vulnerabilities above other tasks—if at all possible, please don’t wait for your typical patch cycle to apply SaltStack security updates. There are no known mitigations or workarounds as of November 9, 2020.
References
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: