CVE-2020-11651
Vexday Risk Score
100 (Fix now)
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.8 | EPSS 96.4% | KEV yes | Public PoC | Nuclei — | Metasploit yes | Patch referenced
Lifecycle
30 Apr 2020: Metasploit module available
30 Apr 2020: Published on NVD
01 May 2020: Public PoC
03 Nov 2021: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
SaltStack Salt's master process fails to properly check who is calling certain functions, allowing remote attackers to access it without a password. This can be used to steal authentication tokens or run harmful commands on connected servers.
Technical detail
The ClearFuncs class in salt-master lacks proper authentication validation for method invocations, enabling unauthenticated remote access to sensitive functions. An attacker can exploit this to exfiltrate user tokens and execute arbitrary code on salt minions via the exposed API surface.
Summary generated and translated by AI from the official description.
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found — 17
github | github.com/jasperla/CVE-2020-11651-poc | ★ 122
github | github.com/rossengeorgiev/salt-security-backports | ★ 108
github | github.com/dozernz/cve-2020-11651 | ★ 106
github | github.com/0xc0d/CVE-2020-11651 | ★ 40
github | github.com/ssrsec/CVE-2020-11651-CVE-2020-11652-EXP | ★ 24
github | github.com/kevthehermit/CVE-2020-11651 | ★ 6
github | github.com/chef-cft/salt-vulnerabilities | ★ 6
github | github.com/bravery9/SaltStack-Exp | ★ 5
github | github.com/lovelyjuice/cve-2020-11651-exp-plus | ★ 5
github | github.com/Drew-Alleman/CVE-2020-11651 | ★ 1
github | github.com/appcheck-ng/salt-rce-scanner-CVE-2020-11651-CVE-2020-11652 | ★ 1
github | github.com/RakhithJK/CVE-2020-11651 | ★ 0
github | github.com/hardsoftsecurity/CVE-2020-11651-PoC | ★ 0
github | github.com/s1lentf00thold/CVE-2020-11651-Poc | ★ 0
exploitdb | www.exploit-db.com/exploits/48421 | unverified
cve_reference | packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html | unverified
cve_reference | packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html | unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00070.html
http://packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html
http://packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html
https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG
https://usn.ubuntu.com/4459-1/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11651
https://www.debian.org/security/2020/dsa-4676
http://www.vmware.com/security/advisories/VMSA-2020-0009.html