CVE-2020-35662

7.4 HIGH

📋 TL;DR

This vulnerability in SaltStack Salt enables man-in-the-middle attacks because certain modules fail to properly validate SSL certificates when authenticating to services. Attackers in a man-in-the-middle position can intercept and manipulate communications between Salt master and minions. Organizations using Salt for configuration management before version 3002.5 are affected.

💻 Affected Systems

Products:
  • SaltStack Salt
Versions: All versions before 3002.5
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects specific modules that perform authentication without SSL validation. Not all Salt communications are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Salt infrastructure allowing attackers to execute arbitrary commands on all managed systems, steal credentials, and pivot to internal networks.

🟠 Likely Case

Credential theft and unauthorized access to Salt-managed systems, potentially leading to configuration manipulation and data exfiltration.

🟢 If Mitigated

Limited impact if network segmentation prevents man-in-the-middle positioning and certificate validation is enforced elsewhere.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires a man-in-the-middle position, but is trivial to exploit once that position is obtained. No public exploit code exists, but the technique is well-known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3002.5 or later

Vendor Advisory: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Restart Required: Yes

Instructions:

1. Back up Salt configuration and data.
2. Update Salt using the package manager: 'yum update salt' or 'apt-get install salt'.
3. Verify the installed version is 3002.5 or later.
4. Restart Salt services: 'systemctl restart salt-master salt-minion'.
5. Test functionality.

🔧 Temporary Workarounds

Enforce SSL certificate validation (applies to: all)

Configure Salt to always validate SSL certificates in vulnerable modules:

salt '*' config.set ssl_verify true
salt '*' config.set verify_ssl true

Network segmentation (applies to: all)

Isolate Salt communications to prevent man-in-the-middle attacks.

🧯 If You Can't Patch

  • Implement strict network controls to prevent man-in-the-middle positioning between Salt components
  • Monitor Salt communications for unexpected certificate changes or authentication anomalies

🔍 How to Verify

Check if Vulnerable:

Check the Salt version with 'salt --version' or 'salt-master --version'. If the version is below 3002.5, the system is vulnerable.

Check Version:

salt --version

Verify Fix Applied:

Verify the version is 3002.5 or higher and test SSL validation: 'salt-call config.get ssl_verify' should return True.
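As an added example (not from this page or the Salt project), a small Python helper that applies the version check above: it parses the output of 'salt --version' into a comparable tuple and reports whether it falls below 3002.5, the threshold this page gives. The regex, the sample output strings and the helper names (parse_salt_version, is_vulnerable, check_installed) are assumptions.

```python
import re
import subprocess

# Per the page, every Salt release before 3002.5 is affected.
FIXED_VERSION = (3002, 5)
# First dotted run of digits in the output, e.g. "salt 3002.4" -> "3002.4".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_salt_version(output):
    """Extract a version tuple from `salt --version` output.

    Older releases append a codename ("salt 2019.2.3 (Fluorine)"); the
    regex stops at the first non-version token, so the codename is ignored.
    """
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no Salt version found in: %r" % output)
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version):
    """True when the parsed version is below the fixed release.

    Tuple comparison handles short versions: (3003,) > (3002, 5) and
    (3002,) < (3002, 5), so "salt 3003" is fixed and "salt 3002" is not.
    """
    return version < FIXED_VERSION


def check_installed(command=("salt", "--version")):
    """Run the page's verification command and classify the result.

    Returns (version_tuple, vulnerable). Hypothetical helper; the command
    must be on PATH of the host being checked.
    """
    out = subprocess.run(command, capture_output=True, text=True, check=True).stdout
    ver = parse_salt_version(out)
    return ver, is_vulnerable(ver)


if __name__ == "__main__":
    # Constructed sample outputs; check_installed() runs the same parser live.
    for sample in ("salt 3002.4", "salt 3002.5", "salt 3003", "salt 2019.2.3 (Fluorine)"):
        v = parse_salt_version(sample)
        print(sample, "->", "VULNERABLE" if is_vulnerable(v) else "fixed")
```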

📡 Detection & Monitoring

Log Indicators:

  • SSL certificate validation errors in Salt logs
  • Unexpected authentication failures
  • Changes to SSL/TLS configuration

Network Indicators:

  • Unencrypted Salt communications
  • SSL/TLS handshake anomalies
  • Unexpected intermediate certificates

SIEM Query:

source="salt*" AND ("SSL" OR "certificate" OR "validation") AND ("error" OR "fail" OR "warning")
