CVE-2021-25315
📋 TL;DR
This vulnerability allows local attackers to execute arbitrary code via Salt without valid credentials due to improper authentication. It affects SUSE Linux Enterprise Server 15 SP3 and openSUSE Tumbleweed systems running vulnerable Salt versions. Attackers can gain unauthorized access and potentially compromise the entire system.
💻 Affected Systems
- SUSE Linux Enterprise Server 15 SP3
- openSUSE Tumbleweed
📦 What is this software?
Salt by Saltstack
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root-level access, allowing attackers to install malware, exfiltrate data, pivot to other systems, and maintain persistent access.
Likely Case
Local privilege escalation leading to unauthorized administrative access, configuration changes, and potential lateral movement within the environment.
If Mitigated
Limited impact with proper network segmentation, minimal local user accounts, and strict access controls preventing unauthorized local access.
🎯 Exploit Status
Requires local access to the system. No authentication needed once local access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Salt 3002.2-3 for SUSE Linux Enterprise Server 15 SP3; Salt 3002.2-2.1+ for openSUSE Tumbleweed
Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1182382
Restart Required: Yes
Instructions:
1. Update the Salt package using the system package manager.
2. For SUSE Linux Enterprise Server 15 SP3: 'sudo zypper update salt'.
3. For openSUSE Tumbleweed: 'sudo zypper update salt'.
4. Restart Salt services: 'sudo systemctl restart salt-master salt-minion'.
🔧 Temporary Workarounds
Restrict Local Access
Limit local user accounts and implement strict access controls to prevent unauthorized local access (the account names below are placeholders).
sudo userdel unauthorized_user
sudo passwd -l suspicious_user
Disable Salt Services
Temporarily disable Salt services if they are not essential for operations.
sudo systemctl stop salt-master salt-minion
sudo systemctl disable salt-master salt-minion
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from critical assets.
- Enforce principle of least privilege for all local user accounts and monitor for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check Salt version: 'salt --version' or 'rpm -q salt'. Compare against affected versions.
Check Version:
salt --version
Verify Fix Applied:
Verify updated version: 'salt --version' should show 3002.2-3 or higher for SUSE Linux Enterprise Server 15 SP3, or 3002.2-2.1+ for openSUSE Tumbleweed.
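The verification step above compares package versions by eye. The following script is an added example (not part of the advisory, SUSE's tooling, or Salt itself) that does the same comparison programmatically: it reads the full version-release string from rpm, since the upstream version printed by 'salt --version' does not carry the SUSE package release number that distinguishes the fixed build, and compares it against the fixed releases stated in this advisory. The distribution keys ('sle15sp3', 'tumbleweed') and the simplified rpm-style comparison are assumptions of this example.

```python
"""Check whether the installed Salt package is at or above the fixed release for
CVE-2021-25315 on SUSE systems. Added example; not SUSE's or Salt's own tooling."""
import re
import subprocess

# Fixed package version-release per distribution, taken from the advisory text.
# The keys are names chosen for this example.
FIXED_RELEASE = {
    "sle15sp3": "3002.2-3",
    "tumbleweed": "3002.2-2.1",
}


def _segments(s):
    # Split "3002.2" or "3.1" into numeric/alphabetic runs: ["3002", "2"]
    return re.findall(r"\d+|[A-Za-z]+", s)


def _cmp_segment(a, b):
    a_num, b_num = a.isdigit(), b.isdigit()
    if a_num and b_num:
        return (int(a) > int(b)) - (int(a) < int(b))
    if a_num != b_num:
        return 1 if a_num else -1  # numeric segment sorts after alphabetic, as rpm does
    return (a > b) - (a < b)


def vercmp(a, b):
    """Simplified rpm-style comparison of 'version-release' strings: -1, 0 or 1.
    Version and release are compared separately, so 3002.2-3 > 3002.2-2.1 even
    though the second release string has more segments."""
    for part_a, part_b in zip(a.split("-", 1), b.split("-", 1)):
        sa, sb = _segments(part_a), _segments(part_b)
        for x, y in zip(sa, sb):
            c = _cmp_segment(x, y)
            if c:
                return c
        if len(sa) != len(sb):
            return 1 if len(sa) > len(sb) else -1
    return 0


def is_fixed(installed, distro):
    """True if the installed version-release is at or above the fixed one."""
    return vercmp(installed, FIXED_RELEASE[distro]) >= 0


def installed_salt_release():
    """Query rpm for the full version-release string (e.g. '3002.2-3');
    returns None if the package is absent or rpm is unavailable."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "salt"],
            capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    rel = installed_salt_release()
    if rel is None:
        print("salt package not installed or rpm not available")
    else:
        for distro in FIXED_RELEASE:
            status = "fixed" if is_fixed(rel, distro) else "VULNERABLE"
            print(f"{distro}: installed {rel} -> {status}")
```

Run it on the host after 'zypper update salt'; a result of "VULNERABLE" for the distribution actually in use means the package still needs updating, and a fixed package still requires the service restart listed above.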
📡 Detection & Monitoring
Log Indicators:
- Unauthorized Salt API calls in /var/log/salt/master or /var/log/salt/minion
- Unexpected process execution from Salt components
- Authentication failures followed by successful Salt operations
Network Indicators:
- Unusual Salt master-minion communication patterns
- Salt API requests from unexpected IP addresses
SIEM Query:
source="/var/log/salt/master" AND (event="authentication_failure" OR event="unauthorized_access")
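The log indicator "authentication failures followed by successful Salt operations" is a correlation rather than a single-line match, which the SIEM query above cannot express. The following script is an added example (not part of the advisory or of Salt) that performs that correlation over master log lines: it remembers the last authentication failure per client and flags any successful operation from the same client within a time window. The log line format, the message wording, and the client names are constructed for this example; the regular expressions must be adapted to the actual format of /var/log/salt/master on the monitored host.

```python
"""Flag clients whose authentication failure is followed by a successful Salt
operation within a time window. Added example; line format is constructed."""
import re
from datetime import datetime

# Constructed sample lines (not real Salt output); format assumed for this example.
SAMPLE_LOG = """\
2021-02-24 10:01:05,120 [salt.master][WARNING][2201] Authentication failure from client web01
2021-02-24 10:01:40,004 [salt.master][INFO][2201] Authentication accepted for client db01
2021-02-24 10:02:11,770 [salt.master][WARNING][2201] Authentication failure from client web01
2021-02-24 10:03:02,301 [salt.master][INFO][2201] Executing function cmd.run for client web01
2021-02-24 11:30:00,000 [salt.master][WARNING][2201] Authentication failure from client bak02
2021-02-24 13:45:10,500 [salt.master][INFO][2201] Executing function state.apply for client bak02
"""

# Assumed line layout: "<timestamp>,<ms> [<logger>][<LEVEL>][<pid>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"\[(?P<logger>[^\]]+)\]\[(?P<level>[A-Z]+)\]\[\d+\] (?P<msg>.*)$")
FAILURE_RE = re.compile(r"Authentication failure from client (?P<client>\S+)")
SUCCESS_RE = re.compile(r"Executing function (?P<func>\S+) for client (?P<client>\S+)")


def parse_line(line):
    """Return {'ts', 'level', 'msg'} for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "level": m["level"], "msg": m["msg"]}


def find_failure_then_success(lines, window_seconds=600):
    """Return (client, function, seconds_after_last_failure) for every successful
    operation that follows an authentication failure from the same client within
    window_seconds. Lines that do not parse are skipped, not treated as errors."""
    last_failure = {}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = FAILURE_RE.search(rec["msg"])
        if f:
            last_failure[f["client"]] = rec["ts"]
            continue
        s = SUCCESS_RE.search(rec["msg"])
        if s and s["client"] in last_failure:
            delta = (rec["ts"] - last_failure[s["client"]]).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((s["client"], s["func"], int(delta)))
    return hits


if __name__ == "__main__":
    for client, func, secs in find_failure_then_success(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {client} ran {func} {secs}s after an authentication failure")
```

On the sample, web01 is flagged (a successful cmd.run 51 seconds after its last failure) while bak02 is not, because more than two hours separate its failure and its later operation; widen window_seconds if the environment tolerates slower follow-up activity.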