CVE-2024-22232
📋 TL;DR
This vulnerability allows attackers to read arbitrary files from a Salt master's filesystem by exploiting a directory traversal flaw in the Salt file server. Attackers can access sensitive configuration files, credentials, or other data stored on the master. All SaltStack deployments with vulnerable versions are affected.
💻 Affected Systems
- SaltStack Salt
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Salt master with extraction of all secrets, credentials, and sensitive configuration files leading to lateral movement across entire infrastructure.
Likely Case
Extraction of sensitive files containing credentials, certificates, or configuration data that could lead to further system compromise.
If Mitigated
Limited file access restricted by file permissions and network segmentation, with no critical data exposure.
🎯 Exploit Status
The vulnerability is straightforward to exploit with specially crafted URLs. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Salt 3006.9, 3007.3, or later
Vendor Advisory: https://saltproject.io/security-announcements/2024-01-31-advisory/
Restart Required: Yes
Instructions:
1. Back up your Salt master configuration.
2. Update Salt using your package manager: 'sudo apt update && sudo apt upgrade salt-master' (Debian/Ubuntu) or 'sudo yum update salt-master' (RHEL/CentOS).
3. Restart the Salt master service: 'sudo systemctl restart salt-master'.
4. Verify the update with 'salt --version'.
🔧 Temporary Workarounds
Network Segmentation
Linux: Restrict network access to the Salt master to only trusted minions and administrators.
iptables -A INPUT -p tcp --dport 4505:4506 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 4505:4506 -j DROP
File Server Access Control
All platforms: Implement strict file_roots and pillar_roots permissions to limit accessible directories.
# In /etc/salt/master configuration file:
file_roots:
  base:
    - /srv/salt/restricted_path
pillar_roots:
  base:
    - /srv/pillar/restricted_path
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to Salt master only from trusted sources.
- Apply principle of least privilege to file system permissions on Salt master to limit potential data exposure.
🔍 How to Verify
Check if Vulnerable:
Check the Salt version with 'salt --version' or 'salt-master --version'. If the version is between 3006.0 and 3006.8 or between 3007.0 and 3007.2, the system is vulnerable.
Check Version:
salt --version
Verify Fix Applied:
After patching, verify that the version is 3006.9+, 3007.3+, or later with 'salt --version'. Test that file server functionality remains operational.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in Salt master logs
- Requests with '../' sequences in file server logs
- Failed authentication attempts followed by file server requests
Network Indicators:
- Unusual traffic patterns to Salt master ports (4505-4506)
- Requests with directory traversal sequences in payloads
SIEM Query:
source="salt-master.log" AND ("..\/" OR "%2e%2e%2f" OR "directory traversal")
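An added example, not part of the original page or of Salt's own tooling: the query above matches only literal strings, so this sketch percent-decodes each log line repeatedly before looking for a `..` path segment, which also catches mixed and double-encoded forms. The log lines and their format are constructed samples, and `MAX_DECODE_ROUNDS` is an assumed bound.

```python
import re
from urllib.parse import unquote

# ".." standing alone as a path segment, with "/" or "\" as the separator.
TRAVERSAL = re.compile(r"(?:^|[\s/\\=:])\.\.(?:[/\\]|\s|$)")
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double/triple encoding


def normalize(text: str) -> str:
    """Percent-decode repeatedly until stable (bounded), then lowercase."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def has_traversal(line: str) -> bool:
    """True if the decoded line contains a '..' path segment."""
    return bool(TRAVERSAL.search(normalize(line)))


def scan(lines):
    """Return (line_number, line) for every line with a traversal segment."""
    return [(n, l) for n, l in enumerate(lines, 1) if has_traversal(l)]


# Constructed sample lines; not real salt-master output.
SAMPLE_LOG = [
    "2024-02-01 10:00:01 [fileserver] serving salt://top.sls to minion-a",
    "2024-02-01 10:00:02 [fileserver] request path=../../etc/salt/master",
    "2024-02-01 10:00:03 [fileserver] request path=%2e%2e%2fpki%2fmaster.pem",
    "2024-02-01 10:00:04 [fileserver] request path=..%252f..%252fetc%252fshadow",
    "2024-02-01 10:00:05 [fileserver] request path=files/v1..2/app.conf",
    "2024-02-01 10:00:06 [master] minion-b authenticated... waiting for jobs",
]

if __name__ == "__main__":
    for n, line in scan(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

Lines 5 and 6 of the sample are not flagged because their dots are not a standalone path segment, which keeps version strings and ellipses from generating alerts.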