SaltStack FrameWork Vulnerabilities in Cisco Products

Advisory ID:
CVE-2020-11651, CVE-2020-11652
June 19, 2020


Researchers discovered numerous critical security vulnerabilities in SaltStack Salt framework – a configuration tool for cloud servers and data centers. Salt is used to monitor and update the state of servers. Each server runs an agent called a "minion" which connects to a "master", a Salt installation that collects state reports from minions and publishes update messages that minions can act on. The vulnerabilities allows attackers to bypass authentication and authorization for arbitrary code execution.

Description & Consequence

The vulnerabilities allow an attacker who can connect to the "request server" port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the "master" server filesystem and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it. The vulnerabilities are of two different classes. One being authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other being directory traversal where untrusted input (i.e. parameters in network requests) was not sanitized correctly allowing unconstrained access to the entire filesystem of the master server.

These vulnerabilities upon exploitation, could allow an attacker to remotely execute arbitrary code on a targeted system to cause denial of service attack.


  • SaltStack engineers patched these vulnerabilities in release 3000.2 and users of Salt are encouraged to make sure that their installs are configured to automatically pull updates from SaltStacks repository server, see for more information. A patch release for the previous major release version is also available, with version number 2019.2.4.
  • Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks.
  • For customers with standalone deployments who cannot migrate    to Cisco VIRL-PE Release 2.0, upgrades are available at
  • For customers with cluster mode deployments who are running Release 1.5 or Release 1.6, Cisco recommends upgrading to Release 1.6.67 through the UWM interface. Customers who are running Release 1.3 are advised to migrate to the latest 1.6 release.




Related Articles