CVE-2020-11651
Scores
EPSS Score
0.9439
CVSS
3.x 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
All CVSS Scores
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Description
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
Vulnerable Software
Type: Configuration
Product: salt
Operating System: ubuntu bionic 18.04
{
"fixed": "2017.7.4+dfsg1-1ubuntu18.04.2"
}
Source: ubuntu
Type: Configuration
Product: salt
Operating System: ubuntu eoan 19.10
{
"unfixed": true
}
Source: ubuntu
Type: Configuration
Product: salt
Operating System: ubuntu jammy 22.04
{
"unaffected": true
}
Source: ubuntu
Type: Configuration
Product: salt
Operating System: ubuntu kinetic 22.10
{
"unaffected": true
}
Source: ubuntu
Type: Configuration
Product: salt
Operating System: ubuntu trusty 14.04
{
"unfixed": true
}
Source: ubuntu
Type: Configuration
Product: salt
Operating System: ubuntu xenial 16.04
{
"fixed": "2015.8.8+ds-1ubuntu0.1"
}
Source: ubuntu
Type: Configuration
Product: salt
Operating System: debian
{
"fixed": "3000.2+dfsg1-1"
}
Source: debian
Type: Configuration
Vendor: canonical
Product: ubuntu_linux
Operating System: * * *
{
"cpe_match": [
{
"cpe23uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"vulnerable": true
},
{
"cpe23uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"vulnerable": true
}
],
"operator": "OR"
}
Source: nvd
Type: Configuration
Vendor: debian
Product: debian_linux
Operating System: * * *
{
"cpe_match": [
{
"cpe23uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"cpe23uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"cpe23uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"operator": "OR"
}
Source: nvd
Type: Configuration
Vendor: opensuse
Product: leap
Operating System: * * *
{
"cpe_match": [
{
"cpe23uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"operator": "OR"
}
Source: nvd
Type: Configuration
Vendor: saltstack
Product: salt
Operating System: * * *
{
"cpe_match": [
{
"cpe23uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2019.2.4",
"vulnerable": true
},
{
"cpe23uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3000.2",
"versionStartIncluding": "3000",
"vulnerable": true
}
],
"operator": "OR"
}
Source: nvd
Type: Configuration
Vendor: vmware
Product: application_remote_collector
Operating System: * * *
{
"cpe_match": [
{
"cpe23uri": "cpe:2.3:a:vmware:application_remote_collector:7.5.0:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"cpe23uri": "cpe:2.3:a:vmware:application_remote_collector:8.0.0:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"operator": "OR"
}
Source: nvd