CVE-2022-22934

8.8 HIGH

📋 TL;DR

This vulnerability in SaltStack Salt allows attackers to substitute arbitrary pillar data by exploiting the Salt Master's failure to sign pillar data with minion public keys. This affects Salt Masters running versions before 3002.8, 3003.4, or 3004.1, potentially compromising configuration data integrity across managed systems.

💻 Affected Systems

Products:
  • SaltStack Salt
Versions: All versions before 3002.8, 3003.4, and 3004.1
Operating Systems: All platforms running SaltStack
Default Config Vulnerable: ⚠️ Yes
Notes: All Salt Masters with default configurations are vulnerable. The vulnerability exists in the pillar data signing mechanism.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could inject malicious configuration data into minions, leading to complete system compromise, credential theft, or lateral movement across the infrastructure.

🟠 Likely Case

Attackers with network access to Salt Masters could manipulate pillar data to deploy unauthorized configurations, execute arbitrary commands, or steal sensitive data from minions.

🟢 If Mitigated

With proper network segmentation and access controls, impact would be limited to isolated segments, though data integrity could still be compromised within those segments.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network access to Salt Master and understanding of Salt's pillar system. No public proof-of-concept has been released, but the vulnerability is well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3002.8, 3003.4, or 3004.1

Vendor Advisory: https://saltproject.io/security_announcements/salt-security-advisory-release/

Restart Required: Yes

Instructions:

1. Identify your Salt version with 'salt --version'.
2. Upgrade to 3002.8, 3003.4, or 3004.1 using your package manager.
3. Restart Salt Master service: 'systemctl restart salt-master'.
4. Verify all minions reconnect properly.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict network access to Salt Masters to only trusted administrative networks

iptables -A INPUT -p tcp --dport 4505:4506 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 4505:4506 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit Salt Master exposure
  • Monitor pillar data changes and Salt Master logs for unauthorized modifications

🔍 How to Verify

Check if Vulnerable:

Run 'salt --version' and check whether the reported version is below the fixed release for its branch: 3002.8, 3003.4, or 3004.1

Check Version:

salt --version

Verify Fix Applied:

After upgrade, verify version is 3002.8, 3003.4, or 3004.1+ and test pillar data signing functionality
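
The branch-aware comparison behind the check above, as an added example (not code from the vendor advisory or from this page's source). The sample version strings are constructed, and treating branches older than 3002 as affected and branches newer than 3004 as fixed is an assumption drawn from the version list on this page.

```python
import re
import subprocess

# First fixed point release per branch, as listed on this page.
FIXED = {3002: 8, 3003: 4, 3004: 1}

# Constructed sample outputs in the style of `salt --version` (not captured from real hosts).
SAMPLES = ["salt 3002.7", "salt 3002.8", "salt 3003.3", "salt 3004",
           "salt 3004.1", "salt 2019.2.8 (Fluorine)", "salt 3005"]


def parse_salt_version(text):
    """Return (branch, point) from `salt --version` style output."""
    m = re.search(r"(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    # A bare branch number such as "3004" is point release 0.
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable(text):
    """True if the reported version predates the fix for its branch."""
    branch, point = parse_salt_version(text)
    if branch in FIXED:
        return point < FIXED[branch]
    # Assumption: branches older than 3002 have no fixed release listed
    # here, so they count as affected; newer than 3004 counts as fixed.
    return branch < min(FIXED)


def report(lines):
    """Map each version string to 'VULNERABLE' or 'fixed'."""
    return {s.strip(): "VULNERABLE" if is_vulnerable(s) else "fixed" for s in lines}


if __name__ == "__main__":
    try:
        # On a Salt Master, check the installed version.
        out = subprocess.run(["salt", "--version"], capture_output=True,
                             text=True, check=True).stdout
        lines = [out]
    except (FileNotFoundError, subprocess.CalledProcessError):
        # No usable Salt install: fall back to the constructed samples.
        lines = SAMPLES
    for version, status in report(lines).items():
        print(f"{version}: {status}")
```

A plain string or single-number comparison gets this wrong: 3003.3 is numerically above 3002.8 but is still an unpatched release on its own branch.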

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized pillar data modifications
  • Unexpected minion reconnections
  • Salt Master authentication failures

Network Indicators:

  • Unusual traffic to Salt Master ports (4505-4506) from unexpected sources
  • Pillar data transmission without proper encryption

SIEM Query:

source="salt-master" AND (event="pillar.*modif" OR event="auth.*fail" OR event="unauthorized.*access")
