Critical Vulnerabilities Update: CVE-2020-11651 and CVE-2020-11652

Last week a critical vulnerability was discovered affecting Salt Master versions 2019.2.3 and 3000.1 and earlier. SaltStack customers and Salt users who have followed fundamental internet security guidelines and best practices are not affected by this vulnerability. The vulnerability is easily exploitable if a Salt Master is exposed to the open internet.

A scan by the security firm that identified the vulnerability found approximately 6000 Salt Masters exposed to the Internet and vulnerable. These systems in particular, and all Salt environments, must be hardened and updated immediately.

Upon learning of the CVE, SaltStack took immediate action to develop and publish patches, and to communicate update instructions to our customers and users. Although there was no initial evidence the CVE had been exploited, we have confirmed that some vulnerable, unpatched systems have been accessed by unauthorized users since the release of the patches.

Again, we urge all Salt users to immediately patch all Salt Masters and follow our guidance to remediate this critical vulnerability. We also highly recommend all Salt users follow best practices for Salt environment hardening and security.

As the primary maintainers of the Salt open source software project, we are committed to working with our customers and users to keep the SaltStack automation platform, and the infrastructure it is used to manage, completely secure.

As always, please follow our guidance and secure your Salt infrastructure with the best practices found in this guide: Hardening your Salt Environment.

This vulnerability has been rated as critical with a Common Vulnerability Scoring System (CVSS) score of 10.0. Resolving the vulnerability simply requires updating and restarting the Salt Master with the CVE Release Package.

In response to CVE-2020-11651 and CVE-2020-11652, SaltStack has made updates available to resolve the issue. We consider this CVE to be critical and ask all SaltStack customers and Salt users to prioritize the update using one of the update paths provided below.

If you are running the latest supported versions of Salt (3000.x and 2019.x):

Visit https://repo.saltstack.com to download and install the new CVE release package. Instructions are provided to configure your operating system’s package manager for the latest Salt version, or you have the option to download the latest Salt package directly as a Python Module here:

If you are running an earlier version of Salt:

If you are on an earlier, unsupported version of Salt we strongly recommend you update your Salt Masters to the 2019.2.4 release or the 3000.2 release.

If you are not able to upgrade to the latest supported version of Salt immediately, patches for Salt 2015.8.x, 2016.3.x, 2016.11.x, 2017.7.x and 2018.3.x are available via the SaltStack Enterprise Knowledge Base.

If you are unable to access the Knowledge Base, please complete the following form and we will supply the patches to you directly: https://www.saltstack.com/lp/request-patch-april-2020
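To triage a fleet against the update paths above, the following added example (not SaltStack's code) classifies the output of `salt-master --version` using only the version numbers this advisory names: affected through 2019.2.3 and 3000.1, fixed in 2019.2.4 and 3000.2, with the 2015.8 through 2018.3 branches patched out-of-band via the Knowledge Base. The sample version strings are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory; anything below them on its branch is affected.
FIXED = {"2019": (2019, 2, 4), "3000": (3000, 2)}
# Branches for which the advisory says patches exist only via the Knowledge Base.
KB_PATCH_BRANCHES = {"2015", "2016", "2017", "2018"}

VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric version from output such as 'salt-master 3000.1'.

    Salt uses both YYYY.M.P (2019.2.3) and NNNN.P (3000.1) forms; integer
    tuples compare correctly across both as long as we stay on one branch.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def assess(text: str) -> str:
    """Classify a Salt Master version string against CVE-2020-11651/11652."""
    v = parse_version(text)
    if v is None:
        return "unknown: could not parse a version"
    branch = str(v[0])
    if v[0] >= 3000:
        return "patched" if v >= FIXED["3000"] else "VULNERABLE: upgrade to 3000.2 or later"
    if branch == "2019":
        return "patched" if v >= FIXED["2019"] else "VULNERABLE: upgrade to 2019.2.4 or later"
    if branch in KB_PATCH_BRANCHES:
        # Caveat: a Knowledge Base backport does not change the reported version,
        # so a version string alone cannot prove such a patch was applied.
        return "VULNERABLE (unsupported branch): apply the Knowledge Base patch or upgrade"
    return "VULNERABLE (unsupported branch): upgrade to 2019.2.4 or 3000.2"


if __name__ == "__main__":
    # Constructed sample outputs, as 'salt-master --version' would print them.
    for line in ["salt-master 3000.1", "salt-master 3000.2", "salt-master 2019.2.3",
                 "salt-master 2019.2.4", "salt-master 2018.3.5"]:
        print(f"{line}: {assess(line)}")
```

Treat anything other than "patched" as a host to upgrade and, per the guidance above, to take off the open internet first.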

The CVE details are posted at https://www.mitre.org (CVE-2020-11651 and CVE-2020-11652). You can also view a PDF description here.

Thank you,

The Salt core engineering team