CVE-2020-11651
Published: 30 April 2020
Summary
CVE-2020-11651 is a critical-severity vulnerability with an unspecified weakness type in Debian Linux. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2020-11651 is an authentication bypass flaw in SaltStack Salt versions before 2019.2.4 and 3000 before 3000.2. It exists in the salt-master process ClearFuncs class, which does not properly validate method calls and thereby exposes certain methods to remote access without authentication.
An unauthenticated remote attacker can invoke the exposed methods to retrieve user tokens stored on the salt master or to execute arbitrary commands on connected salt minions. The issue carries a CVSS 3.1 base score of 9.8, reflecting a network-accessible attack with high impact to confidentiality, integrity, and availability.
Publicly referenced advisories, including those from openSUSE and VMware, and exploit artifacts on PacketStormSecurity indicate that the primary mitigation is to upgrade affected Salt installations to the fixed releases 2019.2.4 or 3000.2. Proof-of-concept code demonstrating unauthenticated remote code execution against both masters and minions has been published.
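As a triage aid for the fixed releases named above, this added example (not part of the original page or of Salt itself) classifies Salt version strings from an inventory. The host names, sample versions and the `classify`/`triage` helpers are constructed for illustration, and the "check-backport" status rests on the assumption that a distribution package may carry a backported fix under an older upstream version number.

```python
import re

# Fixed releases named in the advisory text: 2019.2.4 and 3000.2.
FIXED_2019 = (2019, 2, 4)
FIXED_3000 = (3000, 2)

# Leading numeric version, then whatever packaging suffix follows it.
VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+)*)(.*)")


def classify(version_text):
    """Classify one Salt version string against CVE-2020-11651.

    Returns "fixed", "affected", "check-backport" or "unknown".
    Only the numeric part is compared; the suffix is used to spot packaged builds.
    """
    match = VERSION_RE.match(version_text)
    if not match:
        return "unknown"
    version = tuple(int(part) for part in match.group(1).split("."))
    suffix = match.group(2)
    # The 3000 branch has its own fixed release; everything older is
    # measured against 2019.2.4.
    fixed = FIXED_3000 if version[0] >= 3000 else FIXED_2019
    # Tuple comparison treats "3000" as older than "3000.2", as intended.
    if version >= fixed:
        return "fixed"
    # Assumption: a "+" or "-" suffix marks a distribution package, which may
    # carry a backported fix; confirm against the package changelog.
    if "+" in suffix or "-" in suffix:
        return "check-backport"
    return "affected"


def triage(inventory):
    """Map each host in {host: version_text} to its classification."""
    return {host: classify(text) for host, text in inventory.items()}


# Constructed inventory for illustration; not real hosts.
SAMPLE_INVENTORY = {
    "master-a": "2019.2.3",
    "master-b": "3000.1",
    "master-c": "3000.2",
    "master-d": "2018.3.4+dfsg1-6",
    "master-e": "not installed",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```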
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-0171
Vulnerability details
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authentication and authorization checks on method calls to the ClearFuncs class, blocking the unauthenticated remote access that enables token theft and command execution.
Requires timely application of vendor patches that close the ClearFuncs validation flaw in versions before 2019.2.4/3000.2.
Mandates identification and authentication of users before any access to salt-master methods, eliminating the bypass that allows unauthenticated token retrieval and RCE on minions.