CVE-2020-28243

7.8 HIGH

📋 TL;DR

CVE-2020-28243 is a command injection vulnerability in SaltStack Salt's restartcheck feature that allows local privilege escalation. Any user who can create files in non-blacklisted directories on a Salt minion can execute arbitrary commands with root privileges. This affects Salt minions running vulnerable versions.

💻 Affected Systems

Products:
  • SaltStack Salt
Versions: All versions before 3002.5
Operating Systems: Linux, Unix-like systems running Salt minion
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Salt minions with restartcheck functionality. Requires local user access to create files in non-blacklisted directories.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full root compromise of the Salt minion system, allowing an attacker to install persistent backdoors, steal credentials, pivot to other systems, and disrupt infrastructure operations.

🟠

Likely Case

Local privilege escalation to root on affected minions, enabling attackers to modify system configurations, access sensitive data, and potentially compromise the Salt master through minion trust relationships.

🟢

If Mitigated

Limited impact if proper file permissions restrict non-privileged users from creating files in vulnerable directories and SaltStack is properly segmented.

🌐 Internet-Facing: LOW (requires local access to minion, not directly exploitable over network)
🏢 Internal Only: HIGH (any user with local access to vulnerable minion can escalate to root)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local user access to minion. Public proof-of-concept available on GitHub. Attackers need ability to create files in specific directories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3002.5 and later

Vendor Advisory: https://docs.saltproject.io/en/latest/topics/releases/3002.5.html

Restart Required: Yes

Instructions:

1. Update Salt minion to version 3002.5 or later using the package manager.
2. For Debian/Ubuntu: 'sudo apt update && sudo apt install salt-minion'.
3. For RHEL/CentOS: 'sudo yum update salt-minion'.
4. Restart the salt-minion service: 'sudo systemctl restart salt-minion'.

🔧 Temporary Workarounds

Restrict file creation permissions

linux

Limit non-privileged users' ability to create files in directories accessible to restartcheck

sudo chmod 750 /var/run/salt/minion
sudo chown root:salt /var/run/salt/minion

Disable restartcheck feature

linux

Temporarily disable the vulnerable restartcheck functionality

sudo salt-call config.set restartcheck False
sudo systemctl restart salt-minion

🧯 If You Can't Patch

  • Implement strict file permissions to prevent non-root users from creating files in Salt-related directories
  • Monitor for suspicious process creation and file system activity on Salt minions using auditd or similar tools

🔍 How to Verify

Check if Vulnerable:

Check Salt version: 'salt-minion --version' or 'dpkg -l | grep salt-minion' or 'rpm -qa | grep salt-minion'. If version is below 3002.5, system is vulnerable.

Check Version:

salt-minion --version

Verify Fix Applied:

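Confirm version is 3002.5 or higher (requires GNU sort for version ordering):

printf '%s\n' 3002.5 "$(salt-minion --version | awk '{print $2}')" | sort -V | head -n 1 | grep -qx '3002\.5' && echo 'Patched' || echo 'Vulnerable'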
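
The version check above, written as an added example (not code from the Salt project or this advisory) that compares against 3002.5 numerically, so later releases and older year-based versions are classified correctly and unparseable output is reported as unknown. It assumes `salt-minion --version` prints "salt-minion <version>" and that GNU `sort -V` is available; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Salt project): decide whether a minion is at or
# above the fixed release named on this page.
FIXED="3002.5"

# Assumption: `salt-minion --version` prints "salt-minion <version>" on line 1.
salt_version_from_output() {
    printf '%s\n' "$1" | awk 'NR==1 {print $2}'
}

# Exit status: 0 = at or above FIXED, 1 = below FIXED, 2 = not a plain version.
salt_is_patched() {
    case "$1" in
        ''|*[!0-9.]*) return 2 ;;   # empty, or letters such as an rc suffix
    esac
    # sort -V (GNU coreutils) orders version strings; the lower one comes first.
    lowest=$(printf '%s\n%s\n' "$FIXED" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# Map raw command output to Patched / Vulnerable / Unknown.
classify_salt() {
    rc=0
    salt_is_patched "$(salt_version_from_output "$1")" || rc=$?
    case "$rc" in
        0) echo "Patched" ;;
        1) echo "Vulnerable" ;;
        *) echo "Unknown" ;;
    esac
}

# Constructed sample outputs; on a minion pass "$(salt-minion --version)" instead.
for sample in "salt-minion 3002.2" "salt-minion 3002.5" "salt-minion 3004" \
              "salt-minion 2019.2.8 (Fluorine)" "salt-minion: command not found"; do
    printf '%-40s %s\n' "$sample" "$(classify_salt "$sample")"
done
```

An "Unknown" result means the version could not be read and the host should be checked by hand rather than counted as patched.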

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from salt-minion user
  • Suspicious commands in /var/log/salt/minion logs
  • Failed restartcheck operations with unusual parameters

Network Indicators:

  • Unusual outbound connections from minion systems
  • Anomalous salt master-minion communication patterns

SIEM Query:

process.name:salt-minion AND (process.cmdline:*restartcheck* OR process.cmdline:*sh* OR process.cmdline:*bash*)
