CVE-2020-11651

9.8 CRITICAL

📋 TL;DR

CVE-2020-11651 is an authentication bypass in the SaltStack Salt master. The ClearFuncs class in salt/master.py exposed internal methods over the unauthenticated ("clear") request channel on TCP 4506: a remote attacker with no credentials can call _prep_auth_info to obtain the master's root key and user tokens, and _send_pub to publish arbitrary commands that every connected minion runs with the privileges of the salt-minion process (root by default). One request against a reachable, unpatched salt-master therefore hands over the whole Salt-managed estate. It was disclosed on April 30, 2020 alongside a directory-traversal bug in the same component (CVE-2020-11652) and was exploited in the wild within days.

💻 Affected Systems

Products:
  • SaltStack Salt
Versions: every release before 2019.2.4 on the year-based branches (2015.8 through 2019.2.3) and 3000 and 3000.1 on the new numbering scheme; 2019.2.4, 3000.2 and later are fixed
Operating Systems: All operating systems running salt-master
Default Config Vulnerable: ⚠️ Yes
Notes: Every default installation is vulnerable; no optional feature has to be enabled. The bug is in the ClearFuncs request handler of the salt-master process (salt/master.py), which let callers reach internal methods such as _prep_auth_info and _send_pub without authenticating. Minions are not the vulnerable component, but they are what the attacker ends up controlling.

📦 What is this software?

SaltStack Salt is an open-source configuration management and remote execution system. A salt-master publishes jobs to salt-minion agents over ZeroMQ (TCP 4505 is the publish socket minions subscribe to, TCP 4506 the request server they and admin tools talk to) and the minions execute them, normally as root. Whoever controls the master controls every managed host.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of all Salt-managed infrastructure. The attacker pushes one job through _send_pub and gets root code execution on every minion at once, reads keys and credentials off the master, and plants persistence on the minions.

🟠 Likely Case: Attackers take control of Salt-managed systems, deploy malware (the May 2020 campaigns dropped cryptominers and backdoors), exfiltrate sensitive data and move laterally from the minions into the rest of the network.

🟢 If Mitigated: Limited impact where TCP 4506 is reachable only from minion and admin networks, the master is patched, and monitoring catches probes on 4506 and minion jobs that the master never published.

🌐 Internet-Facing: HIGH - a master with TCP 4506 reachable from the internet is exploitable with a single unauthenticated request; exposed masters were being mass-exploited within days of the April 30, 2020 advisory.
🏢 Internal Only: HIGH - any compromised host or malicious insider with a route to 4506 gets the same result, and every minion has that route by design.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts are available. Exploitation needs only network access to the master's request server, TCP 4506 by default (4505 is the publish socket that minions subscribe to, not the entry point). The public PoCs call _prep_auth_info to obtain the master's root key and then _send_pub to push a job to every minion; no credentials, keys or prior access are required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2019.2.4 or 3000.2 (or any later release). SaltStack also published backported patch files for older branches (2018.3, 2017.7 and earlier) for sites that cannot move to a fixed release.

Restart Required: Yes (salt-master)

Instructions:

1. Back up /etc/salt and the master's PKI directory (/etc/salt/pki/master by default).
2. Update the salt-master package to 2019.2.4, 3000.2 or later with your package manager, or apply SaltStack's patch file if you are stuck on an older branch.
3. Restart the salt-master service.
4. Verify that all minions reconnect (salt-run manage.status) and that a normal job (salt '*' test.ping) still works.
5. If TCP 4506 was reachable from untrusted networks before the patch, treat the master as already compromised: work through the Detection section, inspect the minions for unexpected jobs, processes and cron entries, and consider regenerating the master and minion keys rather than trusting the old ones.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict access to the salt-master ports (4505-4506) to trusted networks only. Insert the rules at the top of INPUT rather than appending them, so an earlier blanket ACCEPT cannot shadow the DROP, and remember that minions need both ports: 4505 is the publish socket they subscribe to, 4506 the request server the exploit talks to.

# allow the minion/admin network first, then drop everyone else
iptables -I INPUT 1 -p tcp -m multiport --dports 4505,4506 -s TRUSTED_NETWORK -j ACCEPT
iptables -I INPUT 2 -p tcp -m multiport --dports 4505,4506 -j DROP

Disable Vulnerable Methods (not possible by configuration)

all

There is no master setting that removes the vulnerable methods. publisher_acl, the deprecated client_acl and external_auth are all enforced inside ClearFuncs.publish(); the exploit calls _send_pub and _prep_auth_info directly and never reaches that check, so an ACL such as

publisher_acl: {}

changes nothing. Do not rely on it. (Appending settings to /etc/salt/master with echo is also a bad habit: if the key already exists you get a duplicate and the last one silently wins; edit the file instead.) The only effective controls short of the patch are the network restriction above and, on older branches, SaltStack's backported patch files.

🧯 If You Can't Patch

  • Immediately cut off TCP 4506 (and 4505) on every master from the internet and from any network segment that does not contain minions or admin hosts; a host firewall on the master is the minimum, since the exploit is a single unauthenticated request.
  • Monitor the paths that remain: new source addresses connecting to 4506, minion jobs without a matching master publish, and unexplained outbound connections from minions.
  • Treat the patch as overdue rather than optional: every public PoC works against every default configuration, and no master setting reduces the exposure.

🔍 How to Verify

Check if Vulnerable:

Check the Salt version on the master with salt --version or salt-master --version. Anything below 2019.2.4 on the year-based branches, or 3000 / 3000.1 on the new scheme, is vulnerable. The version number does not reveal whether one of SaltStack's backported patch files has been applied to an older branch, so on those hosts check the package changelog or the installed master.py as well.

Check Version:

salt --version 2>/dev/null || salt-master --version 2>/dev/null

Verify Fix Applied:

After patching, confirm the reported version is 2019.2.4, 3000.2 or later and that minions still connect and run a normal job (salt '*' test.ping). On a patched master an unauthenticated call to _prep_auth_info is rejected and logged at ERROR level as "Requested method not exposed".
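A version check that encodes the affected range described in this section, as an added example (not code from the Salt project or from this advisory). It parses the output of salt --version / salt-master --version and applies the two cut-offs, 2019.2.4 for the year-based branches and 3000.2 for the new scheme; the sample strings are constructed and check_local_master is a hypothetical helper name. Caveat: a master on an older branch that received SaltStack's backported patch file still reports its old version, so a VULNERABLE verdict from a version string means "confirm by other means", not "definitely exploitable".

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases named in the advisory.
FIXED_YEAR_BRANCH = (2019, 2, 4)   # year-based scheme: 2015.8 ... 2019.2.x
FIXED_3000_BRANCH = (3000, 2)      # new scheme: 3000, 3000.1, 3000.2, 3001 ...

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_salt_version(output: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric version from `salt --version` style output.

    Accepts 'salt 2019.2.3', 'salt-master 3000.1 (Neon)', 'salt 3000rc1'.
    Pre-release suffixes are dropped, so 3000rc1 is treated as 3000 (vulnerable).
    """
    match = _VERSION_RE.search(output)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True if `version` falls inside the CVE-2020-11651 affected range."""
    major = version[0]
    if major >= 3000:
        # 3000 and 3000.1 are affected; 3000.2 and 3001+ are not.
        minor = version[1] if len(version) > 1 else 0
        return (major, minor) < FIXED_3000_BRANCH
    # Year-based releases: anything below 2019.2.4 is in the affected range.
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded[:3] < FIXED_YEAR_BRANCH


def verdict(output: str) -> str:
    """Human-readable result for one version string."""
    version = parse_salt_version(output)
    if version is None:
        return "no Salt version found"
    return "VULNERABLE (unless patched out-of-band)" if is_vulnerable(version) else "fixed"


def check_local_master() -> Optional[bool]:
    """Hypothetical helper: run `salt-master --version` on this host.

    Returns None when salt-master is not installed or the output has no version.
    """
    try:
        proc = subprocess.run(["salt-master", "--version"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    version = parse_salt_version(proc.stdout + proc.stderr)
    return None if version is None else is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample outputs covering both numbering schemes.
    for sample in ("salt 2018.3.5", "salt 2019.2.3", "salt 2019.2.4",
                   "salt-master 3000.1 (Neon)", "salt 3000.2", "salt 3001"):
        print(f"{sample:28s} -> {verdict(sample)}")
    local = check_local_master()
    print("this host:", {None: "salt-master not found", True: "VULNERABLE", False: "fixed"}[local])
```

Run it on the master itself, or feed it the output collected by your inventory tooling; the per-branch comparison matters because a naive string compare puts 3000.1 after 2019.2.4 and would call it fixed.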

📡 Detection & Monitoring

Log Indicators:

  • Master (patched versions only): "Requested method not exposed: _prep_auth_info" or "Requested method not exposed: _send_pub" at ERROR level in the salt-master log means someone is running the exploit against you. A vulnerable master logs nothing useful for these calls at the default log level, which is why the remaining indicators are minion-side.
  • Minion: "User <user> Executing command <fun> with jid <jid>" lines whose jid has no matching "User <user> Published command <fun> with jid <jid>" line in the master log. The exploit calls _send_pub directly and skips publish(), so the master's normal INFO line for the job is absent.
  • Minion: jobs running cmd.run, cmd.exec_code or cmd.script with unfamiliar payloads, in particular ones that fetch and execute something with curl or wget.
  • There are no failed authentication attempts to look for: the bypass never enters the authentication path.

Network Indicators:

  • TCP connections to 4506 on the master from addresses that are not known minions or admin hosts (4505 is the publish socket minions subscribe to; the exploit does not go in that way).
  • Minions opening outbound connections to unfamiliar external hosts shortly after an unexplained job.

SIEM Query:

(source="*salt-master*" "Requested method not exposed") OR (source="*salt-minion*" "Executing command" ("cmd.run" OR "cmd.exec_code" OR "cmd.script"))
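Two log-side checks for this bug in working form, as an added example (not Salt project code). It runs over a handful of constructed salt-master and salt-minion log lines in Salt's default log layout and (1) reports calls to the formerly unauthenticated ClearFuncs methods that a patched master rejects, and (2) lists jobs a minion executed whose jid never appears in a master "Published command" line, which is the footprint of _send_pub bypassing publish(). The message strings match the master/minion INFO and ERROR messages Salt emits for these events, but verify them against your own logs before relying on the regexes; the timestamps, users and jids are made up. Minion jobs that legitimately do not originate from a master publish (the minion scheduler, salt-call) must be filtered out before running this on real logs.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample lines in Salt's default log format (not real captures).
MASTER_LOG = """\
2020-05-03 04:10:12,101 [salt.master      :1640][INFO    ][2231] User admin Published command test.ping with jid 20200503041012101233
2020-05-03 04:15:44,512 [salt.master      :1100][ERROR   ][2231] Requested method not exposed: _prep_auth_info
2020-05-03 04:15:44,530 [salt.master      :1100][ERROR   ][2231] Requested method not exposed: _send_pub
2020-05-03 04:20:00,007 [salt.master      :1640][INFO    ][2231] User admin Published command state.apply with jid 20200503042000007011
""".splitlines()

MINION_LOG = """\
2020-05-03 04:10:12,330 [salt.minion      :1496][INFO    ][991] User admin Executing command test.ping with jid 20200503041012101233
2020-05-03 04:12:01,004 [salt.minion      :1496][INFO    ][991] User root Executing command cmd.run with jid 20200503041201001587
2020-05-03 04:20:00,215 [salt.minion      :1496][INFO    ][991] User admin Executing command state.apply with jid 20200503042000007011
""".splitlines()

PUBLISHED_RE = re.compile(r"User (?P<user>\S+) Published command (?P<fun>\S+) with jid (?P<jid>\d+)")
EXECUTED_RE = re.compile(r"User (?P<user>\S+) Executing command (?P<fun>\S+) with jid (?P<jid>\d+)")
NOT_EXPOSED_RE = re.compile(r"Requested method not exposed: (?P<method>\S+)")

# ClearFuncs methods the public exploits call; a patched master logs the rejection at ERROR.
PROBE_METHODS = {"_prep_auth_info", "_send_pub"}


def _timestamp(line: str) -> str:
    """The leading 'YYYY-MM-DD HH:MM:SS,mmm' of a default-format Salt log line."""
    return line.split(" [", 1)[0]


def probe_attempts(master_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(timestamp, method) for every rejected call to a vulnerable method."""
    hits = []
    for line in master_lines:
        m = NOT_EXPOSED_RE.search(line)
        if m and m.group("method") in PROBE_METHODS:
            hits.append((_timestamp(line), m.group("method")))
    return hits


def published_jids(master_lines: Iterable[str]) -> Set[str]:
    """jids the master logged through the authenticated publish() path."""
    return {m.group("jid") for line in master_lines if (m := PUBLISHED_RE.search(line))}


def orphan_jobs(master_lines: Iterable[str], minion_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Jobs a minion ran that the master never logged as published.

    _send_pub skips ClearFuncs.publish(), so an exploit-driven job leaves a minion
    'Executing command' line with no matching master 'Published command' line.
    """
    known = published_jids(master_lines)
    orphans = []
    for line in minion_lines:
        m = EXECUTED_RE.search(line)
        if m and m.group("jid") not in known:
            orphans.append({"jid": m.group("jid"), "user": m.group("user"),
                            "fun": m.group("fun"), "time": _timestamp(line)})
    return orphans


if __name__ == "__main__":
    for when, method in probe_attempts(MASTER_LOG):
        print(f"[probe]  {when} call to {method} rejected by patched master")
    for job in orphan_jobs(MASTER_LOG, MINION_LOG):
        print(f"[orphan] {job['time']} jid {job['jid']} ran {job['fun']} as {job['user']} with no master publish")
```

On real data, feed it the master log and the logs of every minion (or the SIEM's copy of them) over the same window, and keep in mind that a master running below INFO log level produces no "Published command" lines at all, which would make every job look orphaned.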
