CVE-2021-3144

9.1 CRITICAL

📋 TL;DR

This vulnerability in SaltStack Salt allows an expired eauth token to be used once more after it has expired, so an attacker holding such a token could run unauthorized commands against the salt master or its minions. It affects all SaltStack Salt deployments before version 3002.5. Organizations using vulnerable versions for infrastructure automation are at risk.

💻 Affected Systems

Products:
  • SaltStack Salt
Versions: All versions before 3002.5
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using eauth tokens are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could gain full administrative control over Salt infrastructure, execute arbitrary commands on all managed systems, steal sensitive data, or deploy ransomware across the entire environment.

🟠 Likely Case

Privileged attackers with access to expired tokens could execute unauthorized commands on salt masters or minions, potentially compromising specific systems or services.

🟢 If Mitigated

With proper network segmentation and access controls, impact would be limited to isolated segments, though token reuse could still enable some unauthorized actions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires possession of an expired eauth token, which an authenticated user acquires in the normal course of using eauth.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3002.5 or later

Vendor Advisory: https://github.com/saltstack/salt/releases

Restart Required: Yes

Instructions:

1. Back up configuration and data.
2. Update Salt to version 3002.5 or later using your package manager.
3. Restart the salt-master and salt-minion services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Token Expiration Reduction

Applies to: all

Reduce the eauth token expiration time to shrink the window in which an expired token can be reused.

Set 'token_expire' to a lower value in the /etc/salt/master configuration.
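A small audit script for this workaround, added here as an example and not taken from the advisory or the Salt project: it reads the top-level token_expire key from a master configuration file (two constructed sample files stand in for /etc/salt/master) and flags any lifetime above a ceiling you choose. It assumes Salt's shipped default of 43200 seconds when the key is absent, and it reads only the one file named, not master.d/*.conf drop-ins.

```shell
#!/bin/sh
# Added example (not from the advisory or the Salt project): report the
# effective eauth token lifetime configured in a Salt master config file.
# Salt's `token_expire` option is expressed in seconds; the 43200 (12 h)
# fallback is the default this example assumes when the key is absent.
# Caveat: only the single file given is read, not master.d/*.conf drop-ins.

DEFAULT_TOKEN_EXPIRE=43200

# Print the effective token_expire (seconds) for the given config file.
# Only an uncommented top-level `token_expire: <int>` line counts; if the
# key appears more than once, the last one wins.
token_expire_from_config() {
    awk -v def="$DEFAULT_TOKEN_EXPIRE" '
        /^token_expire:[ \t]*[0-9]+[ \t]*$/ { val = $2 }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Exit 0 when the effective lifetime is at most MAX_SECONDS ($2), 1 otherwise.
token_expire_within() {
    cur=$(token_expire_from_config "$1")
    [ "$cur" -le "$2" ]
}

# Constructed sample configs (a real master reads /etc/salt/master).
SAMPLE_DEFAULT=$(mktemp)
cat > "$SAMPLE_DEFAULT" <<'EOF'
# constructed sample: token_expire not set, so Salt's default applies
interface: 0.0.0.0
external_auth:
  pam:
    deploy:
      - test.ping
EOF

SAMPLE_HARDENED=$(mktemp)
cat > "$SAMPLE_HARDENED" <<'EOF'
# constructed sample: lifetime lowered to one hour
interface: 0.0.0.0
# token_expire: 86400   (commented out, must be ignored)
external_auth:
  pam:
    deploy:
      - test.ping
token_expire: 3600
EOF
trap 'rm -f "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED"' EXIT

# Stand-alone report, with a one-hour ceiling chosen for this example.
for f in "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED"; do
    if token_expire_within "$f" 3600; then
        echo "$f: token_expire $(token_expire_from_config "$f")s is within 3600s"
    else
        echo "$f: token_expire $(token_expire_from_config "$f")s exceeds 3600s; lower it"
    fi
done
```

Run it against the real file with `token_expire_within /etc/salt/master 3600` once the functions are sourced; the ceiling is a local policy choice, and a shorter lifetime only narrows the reuse window, it does not remove the one-time reuse that the patch fixes.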

Network Segmentation

Applies to: all

Restrict access to the salt master API endpoints.

Configure firewall rules to limit access to the salt master ports (default 4505-4506).

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate salt infrastructure
  • Monitor and audit all salt API access and token usage patterns

🔍 How to Verify

Check if Vulnerable:

Run 'salt --version' or 'salt-master --version'; a reported version below 3002.5 is vulnerable.

Check Version:

salt --version

Verify Fix Applied:

Confirm the version is 3002.5 or later, then test that a token which has expired is rejected rather than accepted once more.
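The version comparison above, scripted as an added example (not part of the advisory or of Salt itself): it parses the text that `salt --version` prints, such as "salt 3002.2", compares it against the fixed release 3002.5, and also handles the older date-style versions (for example "salt 2019.2.8"), which all sort below 3002. The sample version strings in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the Salt project): decide whether a
# Salt version string is below the fixed release 3002.5 for CVE-2021-3144.
# It only parses text, so it can be exercised with constructed inputs; the
# optional check at the bottom runs the real `salt --version` when present.

FIXED_MAJOR=3002
FIXED_MINOR=5

# Print the first "digits[.digits...]" token in a line such as "salt 3002.2".
salt_version_from_output() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+(\.[0-9]+)*$/) { print $i; exit }
    }'
}

# Exit 0 when the version is below 3002.5 (vulnerable), 1 when fixed,
# 2 when no version could be parsed from the input.
salt_is_vulnerable() {
    ver=$(salt_version_from_output "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#"$major"}        # ".2" for 3002.2, "" for a bare "3003"
    minor=${rest#.}
    minor=${minor%%.*}
    [ -n "$minor" ] || minor=0
    if [ "$major" -lt "$FIXED_MAJOR" ]; then return 0; fi
    if [ "$major" -gt "$FIXED_MAJOR" ]; then return 1; fi
    [ "$minor" -lt "$FIXED_MINOR" ]
}

# Stand-alone use: report on the locally installed Salt, if any.
if command -v salt >/dev/null 2>&1; then
    out=$(salt --version 2>/dev/null || true)
    if salt_is_vulnerable "$out"; then
        echo "VULNERABLE: '$out' is below 3002.5 (CVE-2021-3144)"
    else
        echo "OK: '$out' is 3002.5 or later"
    fi
fi

# Constructed inputs, for demonstration without Salt installed.
for sample in "salt 3001.6" "salt 3002.2" "salt 3002.5" "salt 3003"; do
    if salt_is_vulnerable "$sample"; then
        echo "$sample -> vulnerable"
    else
        echo "$sample -> fixed"
    fi
done
```

The comparison is deliberately major-then-minor rather than a string compare, so "3003" (no minor) is correctly treated as later than "3002.5", and the same function can be pointed at `salt-master --version` output.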

📡 Detection & Monitoring

Log Indicators:

  • Multiple authentication attempts with same token ID
  • Commands executed with recently expired tokens
  • Unusual salt API access patterns

Network Indicators:

  • Repeated connections to salt master API with same authentication tokens
  • Unusual command execution patterns

SIEM Query:

source="salt-master" AND ("eauth token" OR "authentication") AND ("expired" OR "reuse")

🔗 References
