CVE-2021-33226

9.8 CRITICAL

📋 TL;DR

CVE-2021-33226 is a buffer overflow vulnerability in SaltStack's status module that could allow remote code execution. The vulnerability affects SaltStack versions 3003 and earlier, though exploitation is disputed by some due to limited attacker control over the vulnerable eval input. Organizations using vulnerable SaltStack installations for infrastructure management are affected.

💻 Affected Systems

Products:
  • SaltStack
Versions: 3003 and earlier
Operating Systems: All platforms running SaltStack
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the Salt master; the vulnerability is in the status.py module's handling of the func variable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Salt master server leading to arbitrary code execution, lateral movement across managed infrastructure, and potential data exfiltration.

🟠 Likely Case

Limited impact due to disputed exploitability and the requirement for authenticated access; potential for denial of service or limited privilege escalation.

🟢 If Mitigated

Minimal impact with proper network segmentation, authentication controls, and monitoring in place.

🌐 Internet-Facing: MEDIUM - While CVSS score is high, disputed exploitability and requirement for authentication reduce immediate risk for internet-facing systems.
🏢 Internal Only: MEDIUM - Internal systems remain at risk if attackers gain initial access through other means or if insider threats exist.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation is disputed by third parties who argue attackers cannot influence the eval input; requires authenticated access to Salt master.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3003.1 and later versions

Vendor Advisory: https://docs.saltproject.io/en/latest/topics/releases/3003.1.html

Restart Required: Yes

Instructions:

1. Update SaltStack to version 3003.1 or later.
2. Restart the Salt master service.
3. Verify that all minions reconnect successfully.

🔧 Temporary Workarounds

Restrict Salt master access (linux)

Limit network access to the Salt master to trusted IP addresses only. The allow-list must include every minion, because minions connect to ports 4505 and 4506; a minion left out of it loses contact with the master.

# Replace TRUSTED_IP with the address or CIDR range of each trusted host or minion (one ACCEPT rule per source)
iptables -A INPUT -p tcp --dport 4505:4506 -s TRUSTED_IP -j ACCEPT
# Appended after the ACCEPT rule(s), so it only drops traffic that was not allowed above
iptables -A INPUT -p tcp --dport 4505:4506 -j DROP

Disable vulnerable module (all)

Temporarily disable or restrict access to the status module. First inventory which status.* functions the minions expose:

salt '*' sys.list_functions status

Then configure the Salt master to restrict module access via ACLs (the master's publisher_acl / publisher_acl_blacklist settings), so that status.* functions cannot be published by untrusted users.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Salt master from untrusted networks
  • Enforce strong authentication and authorization controls for all SaltStack users

🔍 How to Verify

Check if Vulnerable:

`salt --version` prints "salt <version>", so strip the leading word before matching. Affected: any release before 3003 (including 2019.2.x and 3000.x through 3002.x) and bare 3003.

salt --version | awk '{print $2}' | grep -E '^(20[0-9]{2}\.|300[0-2]|3003$)'

Check Version:

salt --version

Verify Fix Applied:

Verify the version is 3003.1 or later (3003.x with x >= 1, 3004 and later 30xx releases, or a later major series):

salt --version | awk '{print $2}' | grep -E '^(3003\.[1-9]|30(0[4-9]|[1-9][0-9])|[4-9][0-9]{3})'
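The grep patterns above each encode one side of the 3003 / 3003.1 boundary. As an added example (not part of this advisory or of the Salt project), the following POSIX shell function parses the `salt --version` string and applies that boundary explicitly, treating every pre-3003 release as affected; it takes the version string as an argument so it can be checked against captured output as well as the local install.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a `salt --version`
# string against the CVE-2021-33226 affected range (3003 and earlier,
# fixed in 3003.1) without relying on a single grep pattern.
# Prints "vulnerable" or "fixed"; returns 0 if vulnerable, 1 if fixed,
# 2 if the string cannot be parsed.
salt_version_vulnerable() {
    # `salt --version` prints "salt 3003.1"; drop the leading word if present.
    ver=$(printf '%s\n' "$1" | sed -n 's/^salt[[:space:]]*//p')
    [ -n "$ver" ] || ver=$1
    major=${ver%%.*}                 # "3003" from "3003.1", "2019" from "2019.2.8"
    case "$major" in
        ''|*[!0-9]*) echo "unparseable version: $1" >&2; return 2 ;;
    esac
    rest=${ver#"$major"}             # ".1" for 3003.1, "" for a bare 3003
    minor=${rest#.}
    minor=${minor%%.*}               # first component after the major version
    minor=$(printf '%s' "$minor" | tr -cd '0-9')   # "1rc1" -> "1"; "" stays ""
    [ -n "$minor" ] || minor=0
    # Everything before 3003 (2019.2.x, 3000.x .. 3002.x) is "earlier".
    if [ "$major" -lt 3003 ]; then
        echo vulnerable; return 0
    fi
    # Bare 3003 (or 3003.0) is affected; 3003.1+ and 3004+ carry the fix.
    if [ "$major" -eq 3003 ] && [ "$minor" -eq 0 ]; then
        echo vulnerable; return 0
    fi
    echo fixed; return 1
}

# Check the locally installed Salt, if any.
if command -v salt >/dev/null 2>&1; then
    salt_version_vulnerable "$(salt --version)"
fi
```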

📡 Detection & Monitoring

Log Indicators:

  • Unusual status module usage patterns
  • Multiple failed authentication attempts to Salt master
  • Unexpected process execution from Salt master

Network Indicators:

  • Unusual traffic patterns on Salt ports (4505-4506)
  • Connection attempts from unauthorized IP addresses

SIEM Query:

source="salt-master.log" AND ("status.py" OR "func variable" OR "buffer overflow")

Note that "func variable" and "buffer overflow" are terms taken from the advisory text rather than strings the Salt master writes to its log; tune the query to the function names your master actually records (for example, published jobs calling status.* functions) and to your own log source naming.
