CVE-2019-17361
📋 TL;DR
This vulnerability allows unauthenticated attackers with network access to the SaltStack Salt API endpoint to execute arbitrary commands on the salt-api host through command injection in the NET API with SSH client enabled. It affects all SaltStack Salt deployments through version 2019.2.0 where salt-api is exposed. Organizations using vulnerable SaltStack versions with salt-api accessible are at risk.
💻 Affected Systems
- SaltStack Salt
📦 What is this software?
Leap by Opensuse
Salt by Saltstack
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the salt-api host leading to lateral movement across the entire Salt infrastructure, data exfiltration, and persistent backdoor installation.
Likely Case
Remote code execution on salt-api servers allowing attackers to steal credentials, manipulate Salt minions, and disrupt infrastructure management.
If Mitigated
Limited impact if salt-api is not exposed or SSH client functionality is disabled in NET API configuration.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2019.2.3 and later
Vendor Advisory: https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix
Restart Required: Yes
Instructions:
1. Upgrade SaltStack to version 2019.2.3 or later.
2. Stop the salt-api service.
3. Install the updated packages.
4. Restart the salt-api service.
5. Verify the fix is applied.
🔧 Temporary Workarounds
Disable SSH client in NET API
Platform: linux
Remove SSH client functionality from the salt-api NET API configuration
Edit /etc/salt/master.d/api.conf or equivalent and remove or comment out ssh_client configuration
Restart salt-api: systemctl restart salt-api
Restrict network access
Platform: all
Limit salt-api access to trusted networks only
Configure firewall rules to restrict access to salt-api port (default 8000)
Use network segmentation to isolate salt-api
🧯 If You Can't Patch
- Immediately disable salt-api service if not required
- Implement strict network access controls to limit salt-api exposure to minimal necessary sources
🔍 How to Verify
Check if Vulnerable:
Check the Salt version with salt --version. If the version is 2019.2.0 or earlier and salt-api is running with the NET API SSH client enabled, the system is vulnerable.
Check Version:
salt --version
Verify Fix Applied:
Verify that the Salt version is 2019.2.3 or later with salt --version, and check that the salt-api service is running with the updated configuration.
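The version check above is easy to get wrong by hand when fleets mix release lines (2018.3.x, 2019.2.x, 3000.x), because a plain string comparison misorders them. The script below is an added example, not SaltStack's own tooling or part of this advisory: it parses the output of salt --version and compares it numerically against the fix threshold the advisory gives (2019.2.3). It assumes that salt --version prints a line such as "salt 2019.2.0" and takes the first dotted-numeric token on that line as the version; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not SaltStack's own tooling): classify a Salt version string
# against the fix threshold for CVE-2019-17361 (2019.2.3, from the advisory).
# Assumption: `salt --version` prints a line such as "salt 2019.2.0"; the
# version number is taken as the first dotted-numeric token on that line.

FIXED_VERSION="2019.2.3"

# Extract the first token that looks like a version number (e.g. 2019.2.0 or 3000.1).
extract_version() {
    printf '%s\n' "$1" | grep -o -E '[0-9]+(\.[0-9]+)*' | head -n 1
}

# Return 0 if version $1 is older than version $2, comparing dotted components
# numerically; missing components count as 0 (so 3000 equals 3000.0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# Classify one line of `salt --version` output: prints "pre-fix" for anything
# below 2019.2.3, "fixed" for 2019.2.3 or later, "unknown" if no version parses.
classify_salt_version() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_lt "$v" "$FIXED_VERSION"; then echo "pre-fix"; return 1; fi
    echo "fixed"; return 0
}

# Stand-alone use: read the installed version if salt is on PATH, otherwise
# fall back to a constructed sample line so the script also runs offline.
if command -v salt >/dev/null 2>&1; then
    line=$(salt --version 2>/dev/null)
else
    line="salt 2019.2.0"   # constructed sample output, not a real host
fi
echo "$line -> $(classify_salt_version "$line")"
```

A "fixed" result only covers the version threshold; the advisory's second condition, that salt-api is running with the updated configuration, still has to be checked on the host (for example by confirming the service was restarted after the package upgrade).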
📡 Detection & Monitoring
Log Indicators:
- Unusual SSH client commands in salt-api logs
- Unexpected process execution from salt-api user
- Failed authentication attempts to salt-api NET API
Network Indicators:
- Unusual outbound connections from salt-api host
- SSH traffic from salt-api to unexpected destinations
- Multiple rapid requests to salt-api NET API endpoint
SIEM Query:
source="salt-api" AND ("ssh_client" OR "NET API") AND (command="*" OR exec="*")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.html
- https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix
- https://github.com/saltstack/salt/commits/master
- https://usn.ubuntu.com/4459-1/
- https://www.debian.org/security/2020/dsa-4676