CVE-2024-38825
📋 TL;DR
This vulnerability allows attackers to bypass PKI authentication in SaltStack by presenting only a public certificate without the corresponding private key. Systems using Salt's pki authentication module are affected, potentially allowing unauthorized access to Salt masters.
💻 Affected Systems
- SaltStack
- Salt Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Salt infrastructure allowing attackers to execute arbitrary commands on all managed minions, steal sensitive data, or disrupt operations.
Likely Case
Unauthorized access to Salt master leading to information disclosure, configuration manipulation, or limited command execution.
If Mitigated
Minimal impact if proper network segmentation, certificate validation, and monitoring are in place.
🎯 Exploit Status
Exploitation requires network access to Salt master and ability to present a valid public certificate. No private key needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Salt 3006.12 or Salt 3007.4
Vendor Advisory: https://docs.saltproject.io/en/3006/topics/releases/3006.12.html
Restart Required: Yes
Instructions:
1. Backup current Salt configuration. 2. Update Salt master to version 3006.12 or 3007.4 using package manager. 3. Restart Salt master service. 4. Verify authentication works correctly.
🔧 Temporary Workarounds
Disable PKI authentication
allTemporarily disable vulnerable pki authentication module
salt-master config: set 'auth.pki.enable: False' in master config
Use alternative authentication
allSwitch to non-vulnerable authentication methods like LDAP or shared secret
Configure alternative auth method in master config file
🧯 If You Can't Patch
- Implement strict network access controls to Salt master
- Enable detailed logging and monitoring for authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check Salt version: 'salt --version' or 'salt-master --version'. If version is 3006.x < 3006.12 or 3007.x < 3007.4 and using pki auth, system is vulnerable.Check Version:
salt --versionVerify Fix Applied:
After update, verify version is 3006.12+ or 3007.4+. Test PKI authentication requires both certificate and private key.📡 Detection & Monitoring
Log Indicators:
- Failed PKI authentication attempts without private key validation
- Successful authentication from unexpected certificates
Network Indicators:
- Unusual authentication traffic to Salt master port 4505/4506
- Certificate-only authentication attempts
SIEM Query:
source="salt-master" AND ("pki" OR "certificate") AND ("authenticated" OR "accepted")