CVE-2020-11651
Published 2020-04-30
Severity: Critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (remediation due 2022-05-03) · Exploited in the wild · Initial access
EPSS 96.41% (99.9th percentile)
Attack surface: the salt-master request server (ZeroMQ, TCP 4506); the Suricata rules and Metasploit modules listed below target that service and port.
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| cisco | products | — | — |
| debian | debian_linux | — | — |
| opensuse | leap | — | — |
| saltstack | salt | < 2019.2.4 | 2019.2.4 |
| saltstack | salt | >= 3000, < 3000.2 | 3000.2 |
| saltstack | salt (Ubuntu package) | < 2015.8.8+ds-1ubuntu0.1 | 2015.8.8+ds-1ubuntu0.1 |
| saltstack | salt (Ubuntu package) | < 2017.7.4+dfsg1-1ubuntu18.04.2 | 2017.7.4+dfsg1-1ubuntu18.04.2 |
| saltstack | salt (Ubuntu package) | < 0.17.5+ds-1ubuntu0.1~esm2 | 0.17.5+ds-1ubuntu0.1~esm2 |
| vmware | application_remote_collector | — | — |
The three rows whose version string contains "ubuntu" are Ubuntu package versions (USN-4459-1), not upstream Salt release numbers; the upstream fixes are 2019.2.4 and 3000.2.
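A version-triage helper, added here as an example and not SaltStack's own code: it classifies `salt --version` style strings against the two upstream fixed releases in the table, handling Salt's switch from year-based versions (2019.2.x) to integer majors (3000.x). The inventory is constructed for the demonstration, and the parser assumes only that a dotted version number appears somewhere in the string.

```python
"""Added example: triage Salt version strings against the fixed releases for
CVE-2020-11651. Not SaltStack code; the inventory below is constructed."""
import re

FIXED_LEGACY = (2019, 2, 4)   # first fixed release of the year-based line
FIXED_3000 = (3000, 2)        # first fixed release of the 3000 line


def parse_version(text):
    """Extract the first dotted number from text such as 'salt 2019.2.3' or
    '3000.1' and return it as a tuple of ints. Salt moved from year-based
    versions (2019.2.3) to integer majors (3000.1), so the tuple may have
    one, two or three components."""
    m = re.search(r"(\d+(?:\.\d+){0,2})", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(text):
    """True when the version precedes the fix for its line: the 3000 line is
    compared with 3000.2, everything older with 2019.2.4. Anything at or after
    3000.2, later majors included, is treated as fixed, which is the CVE's
    'before 2019.2.4 and 3000 before 3000.2' wording taken literally."""
    v = parse_version(text)
    if v[0] >= 3000:
        return v < FIXED_3000
    return v < FIXED_LEGACY


def triage(inventory):
    """inventory maps host name -> version output; returns the hosts still in
    a vulnerable range, sorted, so the list can go straight into a ticket."""
    return sorted(host for host, out in inventory.items() if is_vulnerable(out))


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "master-a": "salt 2019.2.3",
    "master-b": "salt 3000.1",
    "master-c": "salt 3000.2",
    "master-d": "salt 2019.2.4",
    "master-e": "salt 2018.3.4",
    "master-f": "salt 3001",
}

if __name__ == "__main__":
    print("still vulnerable:", triage(SAMPLE_INVENTORY))
```

Tuple comparison does the range work: (3000,) sorts below (3000, 2), so a bare "3000" is correctly flagged, and (2019, 2) sorts below (2019, 2, 4), so a version reported without a patch level is treated as the unpatched .0 release.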
Detection & IOCs (extracted from sources)
- bytes: 0x3330dddf
- Post-exploitation, watch for unexpected cryptocurrency mining activity (CPU spikes) on salt-master and minion systems, as observed in the Ghost platform breach.
- DreamBus modules masquerade as the legitimate 'tracepath' process; alert on processes named 'tracepath' that initiate network connections to Tor or anonymous file-sharing services.
- DreamBus uses cURL with a single hyphen (-) as the HTTP User-Agent; alert on HTTP requests carrying that User-Agent, especially to Tor or oshi[.]at endpoints.
- DreamBus creates lock files named '22' and '01' under /tmp/.X11-unix/; their presence on a Linux server may indicate an active DreamBus infection.
- The Coinminer.Linux.MALXMR.SMDSL64 malware family is known to exploit CVE-2020-11651; detections of this family should be correlated with SaltStack exposure.
- All Salt versions prior to 2019.2.4 and 3000.2 are vulnerable; patched versions 2019.2.4 and 3000.2 were released on April 29, 2020.
- Network: the Emerging Threats Suricata rules below (SIDs 2030071 and 2030072) match the method names '_prep_auth_info' and '_send_pub' in traffic to the master's request port, TCP 4506.
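The three DreamBus host indicators above, applied to process telemetry as an added example (not Zscaler's or SaltStack's code). The JSON-lines event schema and the sample lines are constructed for this page; map the field names onto your own EDR or auditd export. Tor destinations are approximated by .onion names, which is an assumption for the demonstration.

```python
"""Added example: apply the DreamBus host indicators from the list above to
JSON-lines process telemetry. The event schema and the sample lines are
constructed for this page; not Zscaler's or SaltStack's code."""
import json

# Destination classes the indicators call out. Tor is approximated here by
# .onion names; a real deployment would match known Tor relay/exit IPs too.
ANON_FILE_HOSTS = ("oshi.at",)
LOCK_FILES = {"/tmp/.X11-unix/22", "/tmp/.X11-unix/01"}


def _suspicious_dest(host):
    host = (host or "").lower()
    if host.endswith(".onion"):
        return True
    return any(host == h or host.endswith("." + h) for h in ANON_FILE_HOSTS)


def match_event(ev):
    """Return the indicator name an event matches, or None."""
    kind = ev.get("event")
    if kind == "net_connect" and ev.get("proc") == "tracepath":
        # The real tracepath only probes the path to its target; a process by
        # that name talking to Tor or an anonymous file host is the DreamBus tell.
        if _suspicious_dest(ev.get("dst_host")):
            return "tracepath_masquerade"
    if kind == "http" and ev.get("user_agent") == "-":
        # cURL called with '-' as User-Agent; stronger when the destination is
        # Tor or oshi[.]at, weaker (but still worth a look) elsewhere.
        if _suspicious_dest(ev.get("host")):
            return "curl_dash_ua_to_anon_host"
        return "curl_dash_ua"
    if kind == "file_create" and ev.get("path") in LOCK_FILES:
        return "dreambus_lock_file"
    return None


def scan(lines):
    """Return (line_no, indicator, event) for every matching line; lines that
    are not valid JSON objects are skipped rather than aborting the scan."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict):
            continue
        indicator = match_event(ev)
        if indicator:
            hits.append((n, indicator, ev))
    return hits


# Constructed telemetry: three true positives, two benign look-alikes, one
# garbled line and one legitimate X11 socket.
SAMPLE_LOG = [
    '{"event": "net_connect", "proc": "tracepath", "dst_host": "constructed.onion", "dst_port": 80}',
    '{"event": "http", "proc": "curl", "user_agent": "-", "host": "oshi.at", "uri": "/abcd"}',
    '{"event": "file_create", "proc": "tracepath", "path": "/tmp/.X11-unix/22"}',
    '{"event": "http", "proc": "curl", "user_agent": "curl/7.68.0", "host": "repo.example"}',
    '{"event": "net_connect", "proc": "tracepath", "dst_host": "gateway.example", "dst_port": 33434}',
    'garbled line that is not JSON',
    '{"event": "file_create", "proc": "Xorg", "path": "/tmp/.X11-unix/X0"}',
]

if __name__ == "__main__":
    for n, indicator, ev in scan(SAMPLE_LOG):
        print("line %d: %s -> %s" % (n, indicator, ev.get("proc")))
```

The lock-file and User-Agent checks are exact matches and cheap; the tracepath check is the one that needs tuning, since the legitimate tool does open sockets, so the destination class rather than the process name carries the signal.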
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_cisco | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
OSV
osv·2024-06-25·CVSS 9.8
CVE-2020-11651 [CRITICAL] salt vulnerabilities
It was discovered that Salt incorrectly validated method calls and
sanitized paths. A remote attacker could possibly use this issue to access
some methods without authentication. (CVE-2020-11651, CVE-2020-11652)
OSV
osv·2022-05-24
CVE-2020-11651 [CRITICAL] SaltStack Salt Unauthenticated Remote Code Execution
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
GHSA
ghsa·2022-05-24
CVE-2020-11651 [CRITICAL] CWE-20 SaltStack Salt Unauthenticated Remote Code Execution
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
OSV
osv·2020-08-13·CVSS 5.3
CVE-2018-15750 [MEDIUM] salt vulnerabilities
It was discovered that Salt allows remote attackers to determine which files
exist on the server. An attacker could use that to extract sensitive
information. (CVE-2018-15750)
It was discovered that Salt has a vulnerability that allows a user to bypass
authentication. An attacker could use that to extract sensitive information,
execute arbitrary code or crash the server. (CVE-2018-15751)
It was discovered that Salt is vulnerable to command injection. This allows
an unauthenticated attacker with network access to the API endpoint to
execute arbitrary code on the salt-api host. (CVE-2019-17361)
It was discovered that Salt incorrectly validated method calls and
sanitized paths. A remote attacker could possibly use this issue to access
some methods without authenticat
OSV
osv·2020-04-30
CVE-2020-11651: An issue was discovered in SaltStack Salt before 2019
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
VulnCheck
vulncheck·2020·CVSS 9.8
CVE-2020-11651 [CRITICAL] SaltStack Salt Authentication Bypass Vulnerability
SaltStack Salt contains an authentication bypass vulnerability in the salt-master process ClearFuncs due to improperly validating method calls. The vulnerability allows a remote user to access some methods without authentication, which can be used to retrieve user tokens from the salt master and/or run commands on salt minions. Salt users who follow fundamental internet security guidelines and best practices are not affected by this vulnerability.
Affected: SaltStack Salt
Required Action: Apply updates per vendor instructions.
Exploitation References: https://redcanary.com/blog/kinsing-malware-citrix-saltstack/; https://www.zscaler.com/blogs/security-research/dreambus-botnet-technical-analysis; https://www.cisa.gov/sites/default/files/
Ubuntu
vendor_ubuntu·2024-06-25·CVSS 9.8
CVE-2020-11652 [CRITICAL] Salt vulnerabilities
Summary: Several security issues were fixed in Salt.
It was discovered that Salt incorrectly validated method calls and
sanitized paths. A remote attacker could possibly use this issue to access
some methods without authentication. (CVE-2020-11651, CVE-2020-11652)
Instructions: After a standard system update you need to restart Salt to make all the
necessary changes.
CISA
cisa·2021-11-03·CVSS 9.8
CVE-2020-11651 [CRITICAL] SaltStack Salt Authentication Bypass Vulnerability
Affected: SaltStack Salt
SaltStack Salt contains an authentication bypass vulnerability in the salt-master process ClearFuncs due to improperly validating method calls. The vulnerability allows a remote user to access some methods without authentication, which can be used to retrieve user tokens from the salt master and/or run commands on salt minions. Salt users who follow fundamental internet security guidelines and best practices are not affected by this vulnerability.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-11651
Remediation Due Date: 2022-05-03
Ubuntu
vendor_ubuntu·2020-08-13·CVSS 5.3
CVE-2018-15750 [MEDIUM] Salt vulnerabilities
Summary: Several security issues were fixed in Salt.
It was discovered that Salt allows remote attackers to determine which files
exist on the server. An attacker could use that to extract sensitive
information. (CVE-2018-15750)
It was discovered that Salt has a vulnerability that allows a user to bypass
authentication. An attacker could use that to extract sensitive information,
execute arbitrary code or crash the server. (CVE-2018-15751)
It was discovered that Salt is vulnerable to command injection. This allows
an unauthenticated attacker with network access to the API endpoint to
execute arbitrary code on the salt-api host. (CVE-2019-17361)
It was discovered that Salt incorrectly validated method calls and
sanitized paths. A remote attacker could possi
Cisco
vendor_cisco·2020-05-28·CVSS 9.8
CVE-2020-11651 [CRITICAL] CWE-20 SaltStack FrameWork Vulnerabilities Affecting Cisco Products
On April 29, 2020, the Salt Open Core team notified their community regarding the following two CVE-IDs:
CVE-2020-11651: Authentication Bypass Vulnerability
CVE-2020-11652: Directory Traversal Vulnerability
Cisco Modeling Labs Corporate Edition (CML), Cisco TelePresence IX5000 Series, and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) incorporate a version of SaltStack that is running the salt-master service that is affected by these vulnerabilities.
Cisco has released software updates that address these vulnerabilities. There are workarounds that address these vulnerabilities.
This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa
VMware
vendor_vmware·2020-05-08·CVSS 9.8
CVE-2020-11651 [CRITICAL] VMSA-2020-0009: vRealize Operations Application Remote Collector (ARC) addresses Authentication Bypass and Directory Traversal vulnerabilities (CVE-2020-11651, CVE-2020-11652)
The Application Remote Collector (ARC) introduced with vRealize Operations 7.5 utilizes Salt which is affected by CVE-2020-11651 and CVE-2020-11652. VMware has evaluated CVE-2020-11651 (Authentication Bypass) to be in the Critical severity range with a maximum CVSSv3 base score of 10.0 and CVE-2020-11652 (Directory Traversal) to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
CVEs: CVE-2020-11651, CVE-2020-11652
Affected products: VMware Aria
Red Hat
vendor_redhat·2020-04-29·CVSS 9.8
CVE-2020-11651 [CRITICAL] CWE-20 salt: salt-master process ClearFuncs class does not properly validate method calls
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
An authentication bypass vulnerability was found in Salt, where it is susceptible to arbitrary code execution when processing unauthenticated requests by the ClearFuncs class. This flaw allows an attacker to execute arbitrary code on Salt minions as root.
Statement: Red Hat Ceph Storage 2 shipped salt for the usage of Red Hat Storage Console 2(RHSCON-2), wh
Cisco
vendor_cisco
CVE-2020-11651, CVE-2020-11652: SaltStack FrameWork Vulnerabilities Affecting Cisco Products (advisory text as in the Cisco entry above)
CVSS version: 3.1 (no score carried in this record)
CWE: CWE-20
Bug IDs: CSCvu33581, CSCvu43116
Suricata
suricata·2020-05-01·CVSS 9.8
CVE-2020-11651 [CRITICAL] ET EXPLOIT Possible Saltstack Authentication Bypass CVE-2020-11651 M1
Rule: alert tcp any any -> any 4506 (msg:"ET EXPLOIT Possible Saltstack Authentication Bypass CVE-2020-11651 M1"; flow:established,to_server; content:"_prep_auth_info"; reference:url,labs.f-secure.com/advisories/saltstack-authorization-bypass; reference:cve,2020-11651; classtype:attempted-admin; sid:2030071; rev:1; metadata:affected_product Linux, created_at 2020_05_01, cve CVE_2020_11651, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Suricata
suricata·2020-05-01·CVSS 9.8
CVE-2020-11651 [CRITICAL] ET EXPLOIT Possible SaltStack Authentication Bypass CVE-2020-11651 M2
Rule: alert tcp any any -> any 4506 (msg:"ET EXPLOIT Possible SaltStack Authentication Bypass CVE-2020-11651 M2"; flow:established,to_server; content:"_send_pub"; reference:url,labs.f-secure.com/advisories/saltstack-authorization-bypass; reference:cve,2020-11651; classtype:attempted-admin; sid:2030072; rev:1; metadata:affected_product Linux, created_at 2020_05_01, cve CVE_2020_11651, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
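What the two rules key on, shown as an added example (not Proofpoint's or SaltStack's code): a cleartext request to the master's request port carries the method name as a plain msgpack string, so a content match on `_prep_auth_info` or `_send_pub` toward TCP 4506 is enough. The tiny msgpack encoder handles only the fixed-size forms needed here; the `{'enc': 'clear', 'load': {'cmd': ...}}` layout follows the cleartext request format this page describes but is simplified and omits ZeroMQ framing, and the load fields (tgt, fun, arg, jid) are assumptions for the demonstration.

```python
"""Added example: the request shape the two ET rules above look for, and a
matcher equivalent to them. Simplified payload layout, no ZeroMQ framing.
Not Proofpoint's or SaltStack's code."""


def msgpack_encode(obj):
    """Minimal msgpack: fixmap, fixarray, fixstr/str8 and positive fixint."""
    if isinstance(obj, dict):
        assert len(obj) < 16, "fixmap only"
        out = bytes([0x80 | len(obj)])
        for k, v in obj.items():
            out += msgpack_encode(k) + msgpack_encode(v)
        return out
    if isinstance(obj, list):
        assert len(obj) < 16, "fixarray only"
        return bytes([0x90 | len(obj)]) + b"".join(msgpack_encode(x) for x in obj)
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        if len(raw) < 32:
            return bytes([0xA0 | len(raw)]) + raw
        assert len(raw) < 256, "str8 only"
        return b"\xd9" + bytes([len(raw)]) + raw
    if isinstance(obj, int) and 0 <= obj < 128:
        return bytes([obj])
    raise TypeError("type not handled by this demo encoder: %r" % type(obj))


def clear_request(cmd, **load):
    """Serialise an unencrypted request naming method `cmd`. Extra keyword
    arguments become the rest of the load (tgt/fun/arg for a publish)."""
    body = {"cmd": cmd}
    body.update(load)
    return msgpack_encode({"enc": "clear", "load": body})


# SID -> content the rule matches, after the two rules quoted above.
RULES = {
    2030071: b"_prep_auth_info",   # M1: helper that returns the master's root key
    2030072: b"_send_pub",         # M2: helper that publishes a job to minions
}
REQ_PORT = 4506                    # salt-master request server (both rules: -> any 4506)


def match_rules(dst_port, payload):
    """SIDs that fire for one server-bound segment. Like the rules, this is a
    plain content match on the serialised payload, which works because a
    cleartext request carries the method name as an uncompressed string."""
    if dst_port != REQ_PORT:
        return []
    return sorted(sid for sid, needle in RULES.items() if needle in payload)


def alerts(traffic):
    """Reduce a list of (dst_port, payload) to the segments that alerted."""
    out = []
    for port, payload in traffic:
        sids = match_rules(port, payload)
        if sids:
            out.append((port, sids))
    return out


# Constructed traffic: the two bypass calls, a normal cleartext request, and
# the same string on the publish port (4505), which the rules do not cover.
SAMPLE_TRAFFIC = [
    (4506, clear_request("_prep_auth_info")),
    (4506, clear_request("_send_pub", tgt="*", fun="cmd.run", arg=["id"], jid="1")),
    (4506, clear_request("publish", tgt="*", fun="test.ping")),
    (4505, clear_request("_send_pub")),
]

if __name__ == "__main__":
    print(alerts(SAMPLE_TRAFFIC))
```

The match is only possible because the bypass requests are, by construction, unencrypted ClearFuncs calls; encrypted minion traffic on the same port does not contain the method name, which is why the rules stay quiet on normal master activity.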
Exploit-DB
exploitdb·2020-05-05·CVSS 9.8
[CRITICAL] Saltstack 3000.1 - Remote Code Execution (CVE-2020-11651 and CVE-2020-11652)
---
# Exploit Title: Saltstack 3000.1 - Remote Code Execution
# Date: 2020-05-04
# Exploit Author: Jasper Lievisse Adriaanse
# Vendor Homepage: https://www.saltstack.com/
# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*
# Tested on: Debian 10 with Salt 2019.2.0
# CVE : CVE-2020-11651 and CVE-2020-11652
# Description: Saltstack authentication bypass/remote code execution
#
# Source: https://github.com/jasperla/CVE-2020-11651-poc
# This exploit is based on this checker script:
# https://github.com/rossengeorgiev/salt-security-backports
#!/usr/bin/env python
#
# Exploit for CVE-2020-11651 and CVE-2020-11652
# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)
# This exploit is based on this checker script:
# https:/
Metasploit
metasploit
SaltStack Salt Master/Minion Unauthenticated RCE
This module exploits unauthenticated access to the runner() and _send_pub() methods in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to execute code as root on either the master or on select minions. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.
Metasploit
metasploit
SaltStack Salt Master Server Root Key Disclosure
This module exploits unauthenticated access to the _prep_auth_info() method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.
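The two Metasploit descriptions above, and Red Hat's "arbitrary code execution when processing unauthenticated requests by the ClearFuncs class", come down to one dispatch decision. The following is an added, constructed illustration of that flaw class (CWE-20: the method name from the request is resolved with getattr after a denylist check that only rejects dunder prefixes, so single-underscore helpers such as `_prep_auth_info` and `_send_pub` stay reachable without authentication) next to the allowlist form that closes it. It is not Salt's code: the helper bodies, the in-memory key store, the double-underscore denylist and the allowlist contents are assumptions; only the method names come from the page.

```python
"""Added example: a stripped-down request dispatcher reproducing the class of
flaw behind CVE-2020-11651, beside an allowlist version. Constructed; not
Salt's code. Method names follow the page, everything else is assumed."""


class ClearFuncsDemo:
    """Methods a cleartext (pre-authentication) request may name."""

    def __init__(self):
        self.root_key = "ROOTKEY-constructed-for-demo"
        self.tokens = {}              # token -> user
        self.published = []           # jobs pushed to minions

    # --- intended public surface --------------------------------------
    def mk_token(self, load):
        # A real system verifies external-auth credentials here.
        if load.get("username") == "ops" and load.get("password") == "hunter2":
            tok = "tok-%d" % len(self.tokens)
            self.tokens[tok] = "ops"
            return {"token": tok}
        return {"error": "auth failed"}

    def _authorised(self, load):
        return load.get("token") in self.tokens or load.get("key") == self.root_key

    def runner(self, load):
        if not self._authorised(load):
            return {"error": "not authenticated"}
        return {"ran": load.get("fun")}

    def publish(self, load):
        if not self._authorised(load):
            return {"error": "not authenticated"}
        return self._send_pub(load)

    # --- internal helpers, never meant to be request targets ----------
    def _prep_auth_info(self, load):
        return {"key": self.root_key}

    def _send_pub(self, load):
        self.published.append((load.get("tgt"), load.get("fun"), load.get("arg")))
        return {"jid": "%d" % len(self.published)}


def dispatch_vulnerable(funcs, load):
    """Denylist on a prefix: rejects __dunder__ names only, then resolves any
    other attribute on the object, internal helpers included."""
    cmd = load["cmd"]
    if cmd.startswith("__"):
        return {"error": "bad command"}
    method = getattr(funcs, cmd, None)
    if not callable(method):
        return {"error": "bad command"}
    return method(load)


EXPOSED = frozenset({"mk_token", "runner", "publish"})


def dispatch_hardened(funcs, load):
    """Allowlist: only explicitly exposed names resolve, so a helper added
    later can never become reachable by accident."""
    cmd = load["cmd"]
    if cmd not in EXPOSED:
        return {"error": "bad command"}
    return getattr(funcs, cmd)(load)


def attacker_chain(dispatch):
    """What an unauthenticated client gets from a dispatcher: the root key,
    a job on every minion, then a runner call authenticated with that key."""
    funcs = ClearFuncsDemo()
    leak = dispatch(funcs, {"cmd": "_prep_auth_info"})
    key = leak.get("key")
    dispatch(funcs, {"cmd": "_send_pub", "tgt": "*", "fun": "cmd.run", "arg": ["id"]})
    run = dispatch(funcs, {"cmd": "runner", "fun": "salt.cmd", "key": key}) if key else {"error": "no key"}
    return {"key_leaked": key is not None, "jobs_published": len(funcs.published), "runner": run}


if __name__ == "__main__":
    print("vulnerable:", attacker_chain(dispatch_vulnerable))
    print("hardened:  ", attacker_chain(dispatch_hardened))
```

The point of the allowlist is that it is independent of naming discipline: the vulnerable dispatcher is one underscore away from correct, and a helper named without any underscore would have been reachable under either spelling of the denylist.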
Trendmicro
blogs_trendmicro·2021-02-03
Threats to and protection of Linux environments, part 2
Cyber threats
## Threats to and protection of Linux environments, part 2
Cybercriminals are turning their attention and resources toward Linux target environments and their weak points. What are the biggest risks for these platforms?
By: Magno Logan, Feb 03, 2021
Original article by Magno Logan, Pawan Kinger
Like any other software, Linux is not free of security threats and risks. But since Linux is now dominant as one of the most powerful operating systems on cloud platforms and servers worldwide, the risks arising from those threats carry a different weight than they did years ago. The first part of this post covered the problems with vulnerabilities, misconfigurations and
Zscaler
blogs_zscaler·2021-01-22
Malware Analysis of the DreamBus Botnet | Zscaler Blog
Tenable
blogs_tenable·2020-11-04·CVSS 9.8
[CRITICAL] CVE-2020-16846, CVE-2020-25592: Critical Vulnerabilities in Salt Framework Disclosed
Trendmicro
blogs_trendmicro·2020-07-21
Infrastructure as Code: The security risks
Cyber threats
## Infrastructure as Code: The security risks
Constantly rising demands on IT infrastructures and the growth of CI/CD pipelines have increased the need for consistent, scalable automation. Infrastructure as Code fits this need.
By: David Fiser, Jul 21, 2020
Original post by David Fiser (Cyber Threat Researcher)
Constantly rising demands on IT infrastructures and the growth of Continuous Integration and Continuous Deployment (CI/CD) pipelines have increased the need for consistent, scalable automation. Infrastructure as Code (IaC) fits this need. IaC delivers provisioning, configuration and management of infrastructure through formatted, machine-readable files. Instead of
Checkpoint
blogs_checkpoint·2020-06-01·CVSS 9.8
CVE-2019-10149 [CRITICAL] 1st June – Threat Intelligence Bulletin
## 1st June – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 1st June 2020, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
The US NSA has warned that Russia’s Sandworm APT group, an arm of Russian military intelligence, has been exploiting a vulnerability in the Exim mail traffic agent since August of last year, giving it remote code execution abilities. Sandworm is believed to have been responsible for the Ukraine grid disruptions in 2015.
C
Checkpoint
blogs_checkpoint·2020-05-11
CVE-2020-8899 11th May – Threat Intelligence Bulletin
## 11th May – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 11th May 2020, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
Check Point Research have discovered an ongoing cyber espionage operation against government entities in the Asia Pacific (APAC) region. The operation is attributed to the Naikon APT group, using a backdoor dubbed Aria-body to take control of the victims’ networks. One of the attack vectors was infecting a foreign embassy
Tenable
blogs_tenable·2020-05-03·CVSS 9.8
[CRITICAL] CVE-2020-11651, CVE-2020-11652: Critical Salt Framework Vulnerabilities Exploited in the Wild
Bugzilla
bugzilla·2020-05-06·CVSS 9.8
CVE-2020-11651 [CRITICAL] salt: salt-master process ClearFuncs class does not properly validate method calls [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affect
Bugzilla
bugzilla·2020-05-06·CVSS 9.8
CVE-2020-11651 [CRITICAL] salt: salt-master process ClearFuncs class does not properly validate method calls
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
References:
https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
Discussion:
Created salt tracking bugs for this issue:
Affects: epel-all [bug 1832475]
Affects: fedora-all [bug 1832476]
---
Statement:
Red Hat Ceph Storage 2 shipped salt for t
Bugzilla
bugzilla·2020-05-06·CVSS 9.8
CVE-2020-11651 [CRITICAL] salt: salt-master process ClearFuncs class does not properly validate method calls [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue af
References
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00070.html
- http://packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html
- http://www.vmware.com/security/advisories/VMSA-2020-0009.html
- https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
- https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
- https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG
- https://usn.ubuntu.com/4459-1/
- https://www.debian.org/security/2020/dsa-4676
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11651
2020-04-30: Published
2021-11-03: Added to CISA KEV
Exploited in the wild