CVE-2021-25281

9.8 CRITICAL

Remote Code Execution Authentication Bypass

📋 TL;DR

This vulnerability in SaltStack Salt allows unauthenticated remote attackers to execute arbitrary wheel modules on the Salt master via salt-api. The wheel_async client does not properly validate eauth credentials, enabling complete system compromise. All SaltStack deployments with salt-api enabled and running versions before 3002.5 are affected.

💻 Affected Systems

Products:

SaltStack Salt

Versions: All versions before 3002.5

Operating Systems: All operating systems running SaltStack

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with salt-api enabled. The vulnerability is in the wheel_async client authentication mechanism.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

Salt by Saltstack

View all CVEs affecting Salt →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Salt master, allowing attackers to execute arbitrary commands as root, steal sensitive data, deploy malware, and pivot to other systems in the infrastructure.

🟠

Likely Case

Remote code execution leading to data theft, system manipulation, and potential lateral movement within the environment.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to salt-api endpoints.

🌐 Internet-Facing: HIGH - salt-api exposed to the internet allows unauthenticated remote exploitation without any user interaction.

🏢 Internal Only: HIGH - Even internally, any user with network access to salt-api can exploit this vulnerability without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available and trivial to use. The vulnerability requires no authentication and minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3002.5 and later

Vendor Advisory: https://github.com/saltstack/salt/releases

Restart Required: Yes

Instructions:

1. Upgrade Salt master to version 3002.5 or later. 2. Restart salt-master and salt-api services. 3. Verify the fix by checking version and testing authentication.

🔧 Temporary Workarounds

Disable salt-api

linux

Temporarily disable salt-api service if immediate patching is not possible

systemctl stop salt-api
systemctl disable salt-api

Network access control

linux

Restrict network access to salt-api port (default 8000) using firewall rules

iptables -A INPUT -p tcp --dport 8000 -j DROP
firewall-cmd --permanent --remove-port=8000/tcp
firewall-cmd --reload

🧯 If You Can't Patch

Immediately disable salt-api service on all masters
Implement strict network segmentation and firewall rules to block all external access to salt-api endpoints

🔍 How to Verify

Check if Vulnerable:

Check Salt version: if version is below 3002.5 and salt-api is enabled, the system is vulnerable.

Check Version:

salt --versions-report | grep -i salt

Verify Fix Applied:

Verify Salt version is 3002.5 or higher and test that wheel_async endpoints now require proper authentication.

📡 Detection & Monitoring

Log Indicators:

Unauthenticated requests to /run endpoint in salt-api logs
Wheel module executions from unexpected sources
Failed authentication attempts followed by successful wheel operations

Network Indicators:

Unusual traffic to salt-api port 8000 from unexpected sources
HTTP POST requests to /run without proper authentication headers

SIEM Query:

source="salt-api" AND (uri_path="/run" OR uri_path="/events") AND (http_status=200 OR http_status=202) AND NOT (auth_token=*)

📊 Metadata

CVE ID: CVE-2021-25281

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-287

Published: February 27, 2021

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/162058/SaltStack-Salt-API-Unauthenticated-Remote-Command-Execution.html Exploit,Third Party Advisory,VDB Entry
https://github.com/saltstack/salt/releases Release Notes,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/ Mailing List,Third Party Advisory
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ Vendor Advisory
https://security.gentoo.org/glsa/202103-01 Third Party Advisory
https://security.gentoo.org/glsa/202310-22 Third Party Advisory
https://www.debian.org/security/2021/dsa-5011 Third Party Advisory
https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/ Vendor Advisory
http://packetstormsecurity.com/files/162058/SaltStack-Salt-API-Unauthenticated-Remote-Command-Execution.html Exploit,Third Party Advisory,VDB Entry
https://github.com/saltstack/salt/releases Release Notes,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/ Mailing List,Third Party Advisory
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ Vendor Advisory
https://security.gentoo.org/glsa/202103-01 Third Party Advisory
https://security.gentoo.org/glsa/202310-22 Third Party Advisory
https://www.debian.org/security/2021/dsa-5011 Third Party Advisory
https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/ Vendor Advisory