CVE-2022-22936

8.8 HIGH

📋 TL;DR

This vulnerability in SaltStack Salt allows attackers to replay job publishes and file server responses, potentially causing minions to execute outdated jobs or receive manipulated files. Under certain conditions, a skilled attacker could achieve root access on minion systems. Affected are Salt masters and minions running vulnerable versions.

💻 Affected Systems

Products:
  • SaltStack Salt
Versions: All versions before 3002.8, 3003.4, 3004.1
Operating Systems: All platforms running SaltStack
Default Config Vulnerable: ⚠️ Yes
Notes: Both Salt masters and minions are affected. The vulnerability exists in the communication protocol between them.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains root access on minion systems through replayed job publishes, leading to complete system compromise.

🟠 Likely Case

Minions execute old or unauthorized jobs, causing service disruption, data corruption, or unauthorized actions.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to job execution anomalies that are detectable in logs.

🌐 Internet-Facing: HIGH - Salt masters exposed to the internet are directly vulnerable to replay attacks from external actors.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but doing so requires network access to Salt master-minion communication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to intercept and replay Salt master-minion network traffic. The advisory mentions a 'sufficient craft attacker', suggesting non-trivial exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3002.8, 3003.4, or 3004.1

Vendor Advisory: https://saltproject.io/security_announcements/salt-security-advisory-release/

Restart Required: Yes

Instructions:

1. Back up Salt configuration and data.
2. Update the Salt master to a patched version using the package manager.
3. Update all minions to a patched version.
4. Restart Salt services on all systems.
5. Verify communication between master and minions.

🔧 Temporary Workarounds

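Network Segmentation (all platforms)

Isolate Salt master-minion communication to trusted networks only.

Traffic Encryption (Linux)

Ensure Salt communication uses TLS encryption to prevent traffic interception. The command below generates a self-signed certificate on the system where it runs; on its own it does not change how master-minion traffic is encrypted.

salt-call tls.create_self_signed_cert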

🧯 If You Can't Patch

  • Implement strict network controls to prevent unauthorized access to Salt master-minion traffic
  • Monitor Salt job logs for unexpected or repeated job executions

🔍 How to Verify

Check if Vulnerable:

Check Salt version on master and minions: salt --versions-report | grep Salt

Check Version:

salt --versions-report | grep -A1 'Salt:'

Verify Fix Applied:

Confirm version is 3002.8, 3003.4, or 3004.1 or higher on all systems
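
A branch-aware version check for the verification step above, as an added example (not code from the Salt project or the advisory). It assumes each fixed release applies only to its own branch, so 3003.1 is still vulnerable even though it sorts above 3002.8, and that branches older than 3002 have no patched build. The function names and the sample `salt --versions-report` output are constructed for illustration.

```python
import re

# First fixed release on each branch, as listed on this page.
FIXED = {3002: 8, 3003: 4, 3004: 1}

# Constructed sample of `salt --versions-report` output (not from a real host).
SAMPLE_REPORT = """\
Salt Version:
          Salt: 3003.3

Dependency Versions:
          cffi: Not Installed
        Jinja2: 2.11.1
"""


def parse_salt_version(text):
    """Return (major, minor) from a bare version or a versions-report dump."""
    m = re.search(r"^[ \t]*Salt:[ \t]*(\S+)", text, re.MULTILINE)
    version = m.group(1) if m else text.strip()
    m = re.match(r"(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Salt version: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable(text):
    """True if the version predates the fix for its own release branch."""
    major, minor = parse_salt_version(text)
    if major in FIXED:
        return minor < FIXED[major]
    # Assumption: branches older than 3002 got no fix; newer ones ship with it.
    return major < min(FIXED)


if __name__ == "__main__":
    for v in ("3002.7", "3003.1", "3003.4", "3004", "3004.1", "2019.2.8", "3005"):
        print(f"{v:>9}  {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    state = "VULNERABLE" if is_vulnerable(SAMPLE_REPORT) else "patched"
    print("sample report:", state)
```

Run it against the version reported by the master and by every minion; a single unpatched minion still accepts replayed publishes.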

📡 Detection & Monitoring

Log Indicators:

  • Repeated identical job IDs in Salt master logs
  • Unexpected job executions on minions
  • File server requests with unusual timing patterns

Network Indicators:

  • Duplicate network packets between Salt master and minions
  • Unusual traffic patterns in Salt communication ports (default 4505-4506)

SIEM Query:

source="salt-master.log" AND "Published job" | stats count by job_id | where count > 1
