CVE-2022-22967
📋 TL;DR
This vulnerability in SaltStack Salt allows users with locked accounts to continue executing Salt commands if they were previously authenticated. It affects both local shell users with active sessions and salt-api users using PAM authentication. Systems running vulnerable Salt versions are at risk of unauthorized command execution.
💻 Affected Systems
- SaltStack Salt
📦 What is this software?
Salt by Saltstack
⚠️ Risk & Real-World Impact
Worst Case
A malicious actor with a previously authorized account could maintain persistent access and execute arbitrary Salt commands even after their account is locked, potentially leading to full system compromise.
Likely Case
Legitimate users whose accounts are locked for security reasons (e.g., suspected compromise) could continue to access and manage Salt infrastructure, bypassing intended security controls.
If Mitigated
With proper account monitoring and network segmentation, the impact is limited to unauthorized Salt command execution within the Salt infrastructure.
🎯 Exploit Status
The vulnerability is in the authentication logic, so exploitation requires initial successful authentication followed by account lockout.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3002.9, 3003.5, or 3004.2
Vendor Advisory: https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/
Restart Required: Yes
Instructions:
1. Identify your Salt version.
2. Upgrade to 3002.9, 3003.5, or 3004.2 depending on your release branch.
3. Restart Salt services.
4. Verify the fix by testing account lockout functionality.
🔧 Temporary Workarounds
Disable PAM Authentication
Temporarily disable PAM authentication for Salt commands and salt-api until patching is complete.
# Edit Salt master config to use alternative authentication
# Set 'external_auth' to use non-PAM methods in /etc/salt/master
Implement Network Controls
Restrict access to Salt API endpoints and the Salt master to trusted networks only.
# Use firewall rules to restrict access to the Salt master's default ZeroMQ ports
# (4505 publisher, 4506 request server); replace trusted_network with your CIDR
iptables -A INPUT -p tcp --dport 4505:4506 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 4505:4506 -j DROP
# Add an equivalent ACCEPT/DROP pair for the port salt-api listens on (8000 by default for rest_cherrypy)
🧯 If You Can't Patch
- Implement strict account monitoring and immediately revoke all Salt access for any locked accounts.
- Use network segmentation to isolate Salt infrastructure and limit blast radius of potential exploitation.
🔍 How to Verify
Check if Vulnerable:
Check Salt version with 'salt --version' or 'salt-master --version'. If version is below 3002.9, 3003.5, or 3004.2 and PAM authentication is used, the system is vulnerable.
Check Version:
salt --version
Verify Fix Applied:
After patching, test by:
1. Authenticate a test user via PAM.
2. Lock the test account.
3. Attempt to run Salt commands - they should be rejected.
4. Verify version is now 3002.9, 3003.5, or 3004.2.
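The two conditions in "Check if Vulnerable" (an unpatched release branch and PAM enabled under external_auth) can be checked in one place. The script below is an added example, not code from the advisory or from the Salt project. It assumes that branches older than 3002 never received the fix and that branches newer than 3004 were cut after it and include it; the sample master config is constructed, and a real /etc/salt/master would be loaded with yaml.safe_load before being passed in.

```python
import re
import subprocess

# Fixed releases named in the advisory, keyed by release branch.
FIXED_MINOR = {3002: 9, 3003: 5, 3004: 2}

# Matches '3004.1', '3005' or the older '2019.2.8' style printed by `salt --version`.
_VERSION_RE = re.compile(r"(\d{4})(?:\.(\d+))?")


def parse_salt_version(version_output):
    """Return (branch, minor) from `salt --version` output such as 'salt 3004.1'."""
    match = _VERSION_RE.search(version_output)
    if not match:
        raise ValueError(f"cannot parse a Salt version from {version_output!r}")
    return int(match.group(1)), int(match.group(2) or 0)


def version_is_vulnerable(version_output):
    """True if the running release predates the fixed release for its branch."""
    branch, minor = parse_salt_version(version_output)
    if branch in FIXED_MINOR:
        return minor < FIXED_MINOR[branch]
    # Assumption: branches older than 3002 never received the fix, while
    # branches newer than 3004 were released after it and include it.
    return branch < 3002


def pam_eauth_enabled(master_config):
    """True if the parsed /etc/salt/master enables PAM under external_auth."""
    eauth = master_config.get("external_auth") or {}
    return "pam" in eauth


def assess(version_output, master_config):
    """Combine both conditions from the 'Check if Vulnerable' section."""
    vulnerable_version = version_is_vulnerable(version_output)
    pam = pam_eauth_enabled(master_config)
    return {
        "vulnerable_version": vulnerable_version,
        "pam_eauth": pam,
        "exposed": vulnerable_version and pam,
    }


def local_salt_version():
    """Run `salt --version` on this host; None if the binary is not installed."""
    try:
        return subprocess.run(["salt", "--version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed sample standing in for a parsed /etc/salt/master.
    sample_config = {"external_auth": {"pam": {"saltdev": [".*"]}}}
    # Constructed fallback version string when salt is not installed locally.
    version = local_salt_version() or "salt 3004.1"
    print(assess(version, sample_config))
```

Run it on the master itself; "exposed" is only true when both the version and the PAM condition hold, matching the wording of the advisory.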
📡 Detection & Monitoring
Log Indicators:
- Failed PAM authentication attempts followed by successful Salt command execution from same user
- Salt command execution from accounts marked as locked in system logs
Network Indicators:
- Salt API requests from IPs associated with locked accounts
- Unusual Salt command patterns from previously authorized users
SIEM Query:
source="salt-master.log" AND ("authentication failure" OR "account locked") AND "command execution"
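The log indicators above describe a stateful correlation: a user authenticates successfully, the account is then locked, and Salt commands from that user still appear afterwards. The script below is an added example of that correlation, not part of the advisory or of Salt. The event format and every log line in it are constructed for the example; real salt-master, salt-api and PAM log lines have their own formats and would be normalised into these fields (timestamp, event, user, fun, tgt) by the SIEM's parser before this logic runs.

```python
import re

# Constructed event format used only for this example:
#   <ISO timestamp> <event> key=value [key=value ...]
_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

# Constructed sample log: alice is locked after a successful PAM login but
# keeps running Salt commands; bob is never locked.
CONSTRUCTED_LOG = """\
2022-06-21T10:00:01Z auth user=alice method=pam result=success
2022-06-21T10:00:05Z auth user=bob method=pam result=success
2022-06-21T10:05:00Z account-lock user=alice reason=suspected-compromise
2022-06-21T10:07:12Z salt-cmd user=alice fun=cmd.run tgt=*
2022-06-21T10:08:00Z salt-cmd user=bob fun=test.ping tgt=*
2022-06-21T10:09:30Z auth user=alice method=pam result=failure
2022-06-21T10:10:00Z salt-cmd user=alice fun=state.apply tgt=web*
""".splitlines()


def parse_event(line):
    """Turn one constructed log line into a dict; None for lines that do not fit."""
    match = _LINE_RE.match(line)
    if not match:
        return None
    ts, event, rest = match.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": ts, "event": event, **fields}


def find_post_lock_executions(lines):
    """Return Salt commands run by a user after that user's account was locked.

    The state machine mirrors the bug: a successful eauth login, then a lock,
    then commands that should have been refused but were still accepted.
    Lines are expected in chronological order.
    """
    authenticated = set()  # users with an earlier successful login
    locked_at = {}         # user -> timestamp of the lock event
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        user = ev.get("user")
        if ev["event"] == "auth" and ev.get("result") == "success":
            authenticated.add(user)
        elif ev["event"] == "account-lock":
            locked_at[user] = ev["ts"]
        elif ev["event"] == "salt-cmd" and user in locked_at and user in authenticated:
            findings.append({
                "user": user,
                "locked_at": locked_at[user],
                "ts": ev["ts"],
                "fun": ev.get("fun"),
                "tgt": ev.get("tgt"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_post_lock_executions(CONSTRUCTED_LOG):
        print(f"{finding['ts']} {finding['user']} ran {finding['fun']} on "
              f"{finding['tgt']} after lock at {finding['locked_at']}")
```

Each finding carries the lock timestamp alongside the command timestamp, which is the pair a responder needs to confirm the account was already locked when the command ran.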
🔗 References
- https://repo.saltproject.io/
- https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/
- https://security.gentoo.org/glsa/202310-22