CVE-2024-38824
📋 TL;DR
CVE-2024-38824 is a critical directory traversal vulnerability in SaltStack's recv_file method that allows attackers to write arbitrary files to the master cache directory. This affects SaltStack installations where the master is exposed to untrusted minions or network access. Attackers could potentially achieve remote code execution or compromise the Salt master.
💻 Affected Systems
- SaltStack
- Salt Project
📦 What is this software?
Salt by Saltstack
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on Salt master, complete system compromise, lateral movement to all managed minions, and data exfiltration.
Likely Case
Arbitrary file write leading to configuration manipulation, privilege escalation, or denial of service through critical file overwrites.
If Mitigated
Limited impact if network segmentation restricts access to Salt master and proper authentication controls are enforced.
🎯 Exploit Status
Exploitation requires access to minion communication channel but is technically straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Salt 3006.12 or Salt 3007.4
Vendor Advisory: https://docs.saltproject.io/en/3006/topics/releases/3006.12.html
Restart Required: Yes
Instructions:
1. Back up Salt configuration and data.
2. Update Salt master using the package manager: 'yum update salt-master' or 'apt-get update && apt-get install salt-master'.
3. Verify the version with 'salt-master --version'.
4. Restart the salt-master service: 'systemctl restart salt-master'.
5. Update minions to compatible versions.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to Salt master ports (default 4505-4506) to trusted minions only.
iptables -A INPUT -p tcp --dport 4505 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 4506 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 4505 -j DROP
iptables -A INPUT -p tcp --dport 4506 -j DROP
File System Restrictions
Apply strict permissions to Salt master cache directory to limit file write capabilities.
chmod 700 /var/cache/salt/master
chown salt:salt /var/cache/salt/master
🧯 If You Can't Patch
- Implement strict network access controls to isolate Salt master from untrusted networks.
- Deploy intrusion detection systems to monitor for anomalous file writes in Salt cache directory.
🔍 How to Verify
Check if Vulnerable:
Check Salt master version: 'salt-master --version' and compare against affected versions (3006.x < 3006.12, 3007.x < 3007.4).
Check Version:
salt-master --version
Verify Fix Applied:
Confirm version is 3006.12 or higher, or 3007.4 or higher using 'salt-master --version'. Test file write functionality with controlled minion commands.
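The version comparison above is easy to get wrong in a script, because 3006.9 sorts above 3006.12 when compared as a float or a string. The following is an added example, not code from the advisory or the Salt project; the function names, the sample inventory and the assumed shape of the 'salt-master --version' output are illustrative.

```python
import re

# First fixed release per branch, as listed on this page.
FIXED_MINOR = {3006: 12, 3007: 4}

# Assumed output shape: "salt-master <branch>.<minor>", optional trailing text.
VERSION_RE = re.compile(r"\b(\d{4})\.(\d+)")


def classify(version_output):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unparsed'."""
    match = VERSION_RE.search(version_output)
    if match is None:
        return "unparsed"
    branch, minor = int(match.group(1)), int(match.group(2))
    first_fixed = FIXED_MINOR.get(branch)
    if first_fixed is None:
        # The page gives no affected range for this branch.
        return "not-listed"
    # Compare integers: as a float or string, 3006.9 sorts above 3006.12.
    return "fixed" if minor >= first_fixed else "vulnerable"


def triage(inventory):
    """Map host -> status for lines of the form '<host>: <version output>'."""
    result = {}
    for line in inventory.splitlines():
        host, sep, output = line.partition(":")
        if sep:
            result[host.strip()] = classify(output)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """\
master-a: salt-master 3006.9
master-b: salt-master 3006.12
master-c: salt-master 3007.1 (Chlorine)
master-d: salt-master 3007.4
master-e: salt-master 3005.5
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A 'not-listed' result means this page states no affected range for that branch, so it needs a manual check against the vendor advisory.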
📡 Detection & Monitoring
Log Indicators:
- Unusual file write patterns in /var/cache/salt/master/
- Suspicious minion requests for file operations
- Errors in Salt master logs related to path traversal
Network Indicators:
- Anomalous traffic to Salt master ports (4505-4506) from unexpected sources
- Unusual file transfer patterns in Salt protocol
SIEM Query:
source="salt-master.log" AND ("path traversal" OR "directory traversal" OR "../" OR "..\\")