CVE-2020-11652
published 2020-04-30


Priority: P183 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 86.06% (99.7th percentile)
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

Affected

19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blackberry | workspaces_server | <= 7.1.3 | |
| blackberry | workspaces_server | | |
| blackberry | workspaces_server | 8.0.0 – 8.2.6 | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| cisco | products | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| opensuse | leap | | |
| saltstack | salt | < 2019.2.4 | 2019.2.4 |
| saltstack | salt | >= 0 < 2019.2.4 | 2019.2.4 |
| saltstack | salt | >= 0 < 2015.8.8+ds-1ubuntu0.1 | 2015.8.8+ds-1ubuntu0.1 |
| saltstack | salt | >= 0 < 2017.7.4+dfsg1-1ubuntu18.04.2 | 2017.7.4+dfsg1-1ubuntu18.04.2 |
| saltstack | salt | >= 0 < 0.17.5+ds-1ubuntu0.1~esm2 | 0.17.5+ds-1ubuntu0.1~esm2 |
| saltstack | salt | >= 3000 < 3000.2 | 3000.2 |
| saltstack | salt | >= 3000 < 3000.2 | 3000.2 |
| vmware | application_remote_collector | | |
| vmware | application_remote_collector | | |

Detection & IOCs (extracted from sources)

  • Post-exploitation activity observed in the wild included cryptocurrency mining attempts, evidenced by CPU usage spikes. Monitor salt-master hosts for unexpected CPU spikes and cryptominer process execution.
  • The Coinminer.Linux.MALXMR.SMDSL64 malware family was observed exploiting CVE-2020-11652 (SaltStack Directory Traversal). Hunt for this malware family on Linux systems running SaltStack.
  • Check Point IPS signature 'Saltstack Salt Authentication Bypass (CVE-2020-11651)' also covers the attack chain that enables CVE-2020-11652 exploitation. Ensure IPS rules covering both CVEs are deployed on network perimeters protecting Salt masters.
  • All Salt versions prior to 2019.2.4 and 3000.2 are vulnerable. Patched versions 2019.2.4 and 3000.2 were released on April 29, 2020. Verify Salt version on all masters and minions.
  • The vulnerability is exploitable by a remote, unauthenticated attacker — no credentials are required to trigger the directory traversal via the wheel module's get_token() method.
  • Multiple public proof-of-concept exploit scripts were published to GitHub shortly after disclosure. Assume reliable exploitation capability is widely available.

CVSS provenance

nvd (v3.1): 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd (v2.0): 4.0 MEDIUM, AV:N/AC:L/Au:S/C:P/I:N/A:N
osv: 9.8 CRITICAL
vulncheck: 6.5 MEDIUM
cisa: 6.5 MEDIUM
vendor_cisco: 9.8 CRITICAL
vendor_ubuntu: 9.8 CRITICAL
vendor_redhat: 6.5 MEDIUM