CVE-2020-11651
published 2020-04-30

Priority: P1 · 98 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2022-05-03)
Exploited in the wild
EPSS: 96.41% (99.9th percentile)
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

Affected

16 ranges

Vendor    | Product                      | Version range                         | Fixed in
----------|------------------------------|---------------------------------------|------------------------------
canonical | ubuntu_linux                 |                                       |
canonical | ubuntu_linux                 |                                       |
cisco     | products                     |                                       |
debian    | debian_linux                 |                                       |
debian    | debian_linux                 |                                       |
debian    | debian_linux                 |                                       |
opensuse  | leap                         |                                       |
saltstack | salt                         | < 2019.2.4                            | 2019.2.4
saltstack | salt                         | >= 0 < 2019.2.4                       | 2019.2.4
saltstack | salt                         | >= 0 < 2015.8.8+ds-1ubuntu0.1         | 2015.8.8+ds-1ubuntu0.1
saltstack | salt                         | >= 0 < 2017.7.4+dfsg1-1ubuntu18.04.2  | 2017.7.4+dfsg1-1ubuntu18.04.2
saltstack | salt                         | >= 0 < 0.17.5+ds-1ubuntu0.1~esm2      | 0.17.5+ds-1ubuntu0.1~esm2
saltstack | salt                         | >= 3000 < 3000.2                      | 3000.2
saltstack | salt                         | >= 3000 < 3000.2                      | 3000.2
vmware    | application_remote_collector |                                       |
vmware    | application_remote_collector |                                       |

Detection & IOCs (extracted from sources)

domain:     dreambusweduybcp[.]onion
domain:     oshi[.]at
path:       /tmp/.X11-unix/
user-agent: -
process:    tracepath
bytes:      0x3330dddf
  • Post-exploitation, watch for unexpected cryptocurrency mining activity (CPU spikes) on salt-master and minion systems, as observed in the Ghost platform breach.
  • DreamBus modules masquerade as the legitimate 'tracepath' process; alert on processes named 'tracepath' that initiate network connections to TOR or anonymous file-sharing services.
  • DreamBus uses cURL with a single hyphen (-) as the HTTP User-Agent; alert on HTTP requests with this user agent string, especially to TOR or oshi[.]at endpoints.
  • DreamBus creates lock files named '22' and '01' under /tmp/.X11-unix/; presence of these files on a Linux server may indicate active DreamBus infection.
  • The Coinminer.Linux.MALXMR.SMDSL64 malware family is known to exploit CVE-2020-11651; detections of this family should be correlated with SaltStack exposure.
  • All Salt versions prior to 2019.2.4 and 3000.2 are vulnerable; the patched versions 2019.2.4 and 3000.2 were released on April 29, 2020.

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|--------------------------------------------
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |         | 9.8   | CRITICAL |
vulncheck     |         | 9.8   | CRITICAL |
cisa          |         | 9.8   | CRITICAL |
vendor_cisco  |         | 9.8   | CRITICAL |
vendor_redhat |         | 9.8   | CRITICAL |
vendor_ubuntu |         | 9.8   | CRITICAL |