Attacker Value
Very High
4

CVE-2020-11651

Disclosure Date: April 30, 2020

Exploitability

(4 users assessed) High
Attack Vector
Network
Privileges Required
None
User Interaction
None

Description

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
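A version triage helper for the affected ranges stated in the description, as an added example (not code from SaltStack or from any advisory). The host names and version strings are constructed, and the shape of the `--version` output lines is an assumption.

```python
import re

# Fixed releases named in the CVE description above.
FIXED_LEGACY = (2019, 2, 4)  # date-based release line: affected if below this
FIXED_3000 = (3000, 2)       # 3000 release line: affected if below this

# A four-digit leading component followed by up to two dotted components.
_VERSION_RE = re.compile(r"(?<![\d.])(\d{4})((?:\.\d+){0,2})(?!\d)")


def parse_salt_version(text):
    """Return the first Salt-style version in text (e.g. 2019.2.3) as an int tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Salt version found in {text!r}")
    return tuple(int(p) for p in (m.group(1) + m.group(2)).split("."))


def _pad(version, length):
    """Pad a version tuple with zeros so that 3000 compares as 3000.0."""
    return version + (0,) * (length - len(version))


def is_affected(version_text):
    """True if the version falls in the ranges the description lists for CVE-2020-11651."""
    v = parse_salt_version(version_text)
    if v[0] >= 3000:
        # Only the 3000 line below 3000.2 is listed; later lines are not in the range.
        return v[0] == 3000 and _pad(v, 2) < FIXED_3000
    return _pad(v, 3) < FIXED_LEGACY


def triage(inventory):
    """Given {host: version string}, return the sorted hosts that need patching."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))


# Constructed inventory. Caveat: a distribution package can carry a backported
# fix under an unchanged version string, so treat hits as "verify", not proof.
SAMPLE_INVENTORY = {
    "master-a.example": "salt-master 2019.2.3",
    "master-b.example": "salt-master 2019.2.4",
    "master-c.example": "3000.1",
    "master-d.example": "3000.2",
    "master-e.example": "2018.3.4",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: in affected range, upgrade salt-master")
```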


5
Technical Analysis

Nothing to add to the technical analysis by the others.

Dropping by to note that:

4
Technical Analysis

Version 2019.2.3 or less is vulnerable. Easy to exploit.
“Exploitation

We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours. Due to reliability and simplicity of exploitation, F-Secure will not be providing proof-of-concept exploit code as this would only harm any users who are slow to patch. In this case, we will leave exploitation as an exercise for the reader.”
https://labs.f-secure.com/advisories/saltstack-authorization-bypass

Testcase to be able to reverse and develop exploit for this RCE
https://github.com/saltstack/salt/blob/3d99b108c58ebaa174967d898a27764f416a8ec1/tests/integration/master/test_clear_funcs.py

Technical Analysis