CVE-2021-25281
Published: 2021-02-27
Priority: P1 · 91 · Critical · 9.8 (CVSS 3.1)
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 72.95% (99.4th percentile)
An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
Affected (46 ranges · showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| saltstack | salt | < 2015.8.10 | 2015.8.10 |
| saltstack | salt | >= 0 < 2015.8.10 | 2015.8.10 |
| saltstack | salt | >= 0 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 0 < 2015.8.8+ds-1ubuntu0.1+esm2 | 2015.8.8+ds-1ubuntu0.1+esm2 |
| saltstack | salt | >= 0 < 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 | 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2016.11.0 < 2016.11.3 | 2016.11.3 |
| saltstack | salt | >= 2016.11.4 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2016.11.4 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.0 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
| saltstack | salt | >= 2016.3.7 < 2016.3.8 | 2016.3.8 |
| saltstack | salt | >= 2016.3.7 < 2016.3.8 | 2016.3.8 |
Detection & IOCs (extracted from sources)

Command observed in the public exploit:

```json
{"client":"wheel_async","fun":"pillar_roots.write","data":"testing","path":"../../../../../../../tmp/testing","username":"1","password":"1","eauth":"pam"}
```

Detections:

- Detect unauthenticated POST requests to the Salt API /run endpoint using the wheel_async client — look for a JSON body containing 'client':'wheel_async' with arbitrary/dummy eauth credentials.
- Successful exploitation returns a JSON response body containing all of 'return', 'tag', 'jid', 'salt', and 'wheel' with HTTP 200 — use these as confirmation indicators.
- Monitor for directory traversal sequences (e.g., '../../../../../../../tmp/') in POST bodies to the Salt API /run endpoint, indicative of pillar_roots.write abuse to drop files outside the intended directory.
- Watch for new Python script files appearing in the Salt Extension Module grains directory on the master — the exploit drops a custom grain module there and waits up to 60 seconds for salt-master's maintenance loop to execute it.
- Alert on the salt-master process spawning unexpected child processes (e.g., shells or reverse shells) approximately every 60 seconds, consistent with the maintenance loop_interval grain execution trigger.

Notes:

- The default grain execution interval is 60 seconds but is configurable — defenders should check the 'loop_interval' setting in the master config, as a lower value means faster payload execution after the drop.
- The vulnerability affects salt-api specifically; deployments that do not expose salt-api externally have a reduced attack surface, but the auth bypass still applies to any exposed instance before 3002.5/3001.6/3000.8.
- Local execution of commands by an administrator on the master also triggers the maintenance process check, which could accelerate payload execution if an admin happens to run commands during an active attack.
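As an added example (not code from the page or from any of the sources listed), the following Python check applies the first three indicators above to request records; the record format (method, path, JSON body, HTTP status, response body) is an assumed log shape and the records are constructed samples, not captured traffic.

```python
import json
from typing import Optional

# Constructed sample request records (not real traffic), in an assumed format an
# API gateway or WAF might log for salt-api: method, path, JSON body, status and
# response body. Record 0 mirrors the wheel_async payload shape quoted above.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/run",
     "body": '{"client":"wheel_async","fun":"pillar_roots.write","data":"x",'
             '"path":"../../../../../../../tmp/x","username":"1","password":"1",'
             '"eauth":"pam"}',
     "status": 200,
     "response": '{"return":[{"tag":"salt/wheel/20210227","jid":"20210227"}]}'},
    {"method": "POST", "path": "/run",
     "body": '{"client":"local","tgt":"*","fun":"test.ping","username":"ops",'
             '"password":"s3cret","eauth":"pam"}',
     "status": 200, "response": '{"return":[{}]}'},
    {"method": "POST", "path": "/login",
     "body": '{"username":"ops","password":"s3cret","eauth":"pam"}',
     "status": 200, "response": "{}"},
]


def classify(req: dict) -> Optional[str]:
    """Return a semicolon-joined list of matched indicators, or None."""
    if req.get("method") != "POST" or req.get("path") != "/run":
        return None
    try:
        body = json.loads(req.get("body") or "")
    except json.JSONDecodeError:
        return None
    if not isinstance(body, dict) or body.get("client") != "wheel_async":
        return None
    reasons = ["wheel_async client on /run"]
    # A '..' path component in the wheel argument is the file-drop primitive
    # (pillar_roots.write writing outside the pillar roots).
    if ".." in str(body.get("path", "")).split("/"):
        reasons.append("directory traversal in 'path'")
    # HTTP 200 with return/tag/jid in the response indicates the wheel call
    # was accepted, i.e. the bypass succeeded against this master.
    resp = req.get("response") or ""
    if req.get("status") == 200 and all(k in resp for k in ("return", "tag", "jid")):
        reasons.append("HTTP 200 with return/tag/jid (likely successful call)")
    return "; ".join(reasons)


def scan(requests: list) -> list:
    """Return (index, finding) for every record that matches."""
    return [(i, f) for i, r in enumerate(requests) if (f := classify(r))]
```

Feed it the per-request records your proxy or WAF already emits for the salt-api port; only records 0 above should match, so the legitimate `local` client call and the `/login` request produce no finding.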
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
OSV · salt vulnerabilities · osv · 2024-08-08 · CVSS 9.8 · CVE-2020-16846 [CRITICAL]

It was discovered that Salt incorrectly handled crafted web requests. A remote attacker could possibly use this issue to run arbitrary commands. (CVE-2020-16846)

It was discovered that Salt incorrectly created certificates with weak file permissions. (CVE-2020-17490)

It was discovered that Salt incorrectly handled credential validation. A remote attacker could possibly use this issue to bypass authentication. (CVE-2020-25592)

It was discovered that Salt incorrectly handled crafted process names. An attacker could possibly use this issue to run arbitrary commands. This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28243)

It was discovered that Salt incorrectly handled validation of SSL/TLS certificates. A remote attacker could possibly use this issue to spoof a t
OSV · SaltStack Salt Improper Authentication vulnerability · osv · 2022-05-24 · CVE-2021-25281 [CRITICAL]

An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
GHSA · SaltStack Salt Improper Authentication vulnerability · ghsa · 2022-05-24 · CVE-2021-25281 [CRITICAL] · CWE-287

An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
OSV · CVE-2021-25281 · osv · 2021-02-27

An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
VulnCheck · SaltStack Salt Improper Authentication · vulncheck · 2021 · CVSS 9.8 · CVE-2021-25281 [CRITICAL]

An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

Affected: SaltStack Salt
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2021-25281
Ubuntu · Salt vulnerabilities · vendor_ubuntu · 2024-08-08 · CVSS 9.8 · CVE-2020-16846 [CRITICAL]

Summary: Several security issues were fixed in Salt.

It was discovered that Salt incorrectly handled crafted web requests. A remote attacker could possibly use this issue to run arbitrary commands. (CVE-2020-16846)

It was discovered that Salt incorrectly created certificates with weak file permissions. (CVE-2020-17490)

It was discovered that Salt incorrectly handled credential validation. A remote attacker could possibly use this issue to bypass authentication. (CVE-2020-25592)

It was discovered that Salt incorrectly handled crafted process names. An attacker could possibly use this issue to run arbitrary commands. This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28243)

It was discovered that Salt incorrectly handled validation of SSL/TLS certificates.
Red Hat · salt: API does not honor eAuth credentials for the wheel_async client · vendor_redhat · 2021-02-25 · CVSS 9.8 · CVE-2021-25281 [CRITICAL] · CWE-287

An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

A flaw was found in Salt. The Salt-API does not have eAuth credentials for the wheel_async client. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Statement: Salt has been deprecated as of Red Hat Ceph Storage 2.5, as Salt was used to install RHSCON-2 and RHSCON-2 has reached End Of Life.
Package: salt (Red Hat Ceph Storage 2) - Will not fix
No detection rules found.
Metasploit · SaltStack Salt API Unauthenticated RCE through wheel_async client

This module leverages an authentication bypass and directory traversal vulnerabilities in Saltstack Salt's REST API to execute commands remotely on the `master` as the root user. Every 60 seconds, the `salt-master` service performs a maintenance process check that reloads and executes all the `grains` on the `master`, including custom grain modules in the Extension Module directory. So, this module simply creates a Python script at this location and waits for it to be executed. The time interval is set to 60 seconds by default but can be changed in the `master` configuration file with the `loop_interval` option. Note that, if an administrator executes commands locally on the `master`, the maintenance process check will also be
Nuclei · SaltStack Salt <3002.5 - Auth Bypass · nuclei · CVSS 9.8 · CVE-2021-25281 [CRITICAL]

SaltStack Salt before 3002.5 does not honor eauth credentials for the wheel_async client, allowing attackers to remotely run any wheel modules on the master.

Template:

```yaml
id: CVE-2021-25281

info:
  name: SaltStack Salt <3002.5 - Auth Bypass
  author: madrobot
  severity: critical
  description: SaltStack Salt before 3002.5 does not honor eauth credentials for the wheel_async client, allowing attackers to remotely run any wheel modules on the master.
  impact: |
    Unauthenticated attackers can remotely execute any wheel modules on the Salt master by bypassing eauth credentials, leading to complete infrastructure compromise and control over all managed systems.
  remediation: |
    Upgrade to SaltStack Salt version 3002.5 or later to mitigate this vulnerability.
```
References

No writeups or analysis indexed.

- http://packetstormsecurity.com/files/162058/SaltStack-Salt-API-Unauthenticated-Remote-Command-Execution.html
- https://github.com/saltstack/salt/releases
- https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/
- https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
- https://security.gentoo.org/glsa/202103-01
- https://security.gentoo.org/glsa/202310-22
- https://www.debian.org/security/2021/dsa-5011
- https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/