What is SaltStack Salt?
SaltStack Salt (now Salt Project) is an open-source infrastructure automation and configuration management platform used to manage thousands of servers simultaneously. Salt uses a master-minion architecture: a central salt-master issues commands and configuration to salt-minion agents running on managed servers. Salt is widely used for DevOps automation, cloud infrastructure management, and large-scale server orchestration — competitors include Ansible, Puppet, and Chef. Organizations running Salt often manage their entire infrastructure through it, meaning compromising the salt-master yields root access to every managed server.
Overview
CVE-2020-11651 is an authentication bypass vulnerability in SaltStack Salt's master process that allows an unauthenticated attacker to call methods on the ClearFuncs class — including methods that return valid authentication tokens and allow command execution on all connected minions. Combined with CVE-2020-11652 (a directory traversal that allows reading any file from the salt-master), these two vulnerabilities form one of the most impactful infrastructure automation platform vulnerabilities ever disclosed.
Exploitation began within days of disclosure, compromising thousands of exposed salt-masters and enabling root-level access to every server they managed.
Affected Versions
| Salt Version | Vulnerable | Fixed |
|---|---|---|
| 3000.x | < 3000.2 | 3000.2 |
| 2019.2.x | < 2019.2.4 | 2019.2.4 |
| 2018.3.x | < 2018.3.7 | 2018.3.7 |
Unpatched salt-masters reachable on the default ZeroMQ ports (4505/4506) without network access controls are exploitable remotely.
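The two checks a defender wants from the table above are "is this master on a vulnerable release?" and "are its ZeroMQ ports restricted to the minions it actually serves?". The script below is an added example, not SaltStack or Salt Project code: it encodes the per-branch fixed versions from the table, treats releases newer than the 3000 branch as patched, and returns `None` for branches the table does not cover so they are not silently passed. The firewall helper emits a plain nftables allowlist ruleset for the default ports; it assumes IPv4 minions, and the minion addresses used at the bottom are constructed sample data.

```python
"""Exposure checks for a salt-master against CVE-2020-11651.
Added example, not SaltStack/Salt Project code. Fixed versions come from the
affected-versions table; the ports are Salt's default ZeroMQ ports. The
minion addresses at the bottom are constructed sample data."""
import ipaddress
import re

# Per-branch fixed release, as tuples for ordered comparison.
FIXED = {"3000": (3000, 2), "2019.2": (2019, 2, 4), "2018.3": (2018, 3, 7)}
SALT_PORTS = (4505, 4506)  # 4505 publish, 4506 request (ZeroMQ ROUTER)


def parse_version(text):
    """'2019.2.3' -> (2019, 2, 3); '3000.1' -> (3000, 1)."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a Salt version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True if the version is in a listed branch and older than that branch's
    fix, False if it is the fix or newer (including the 3001+ releases that
    followed), None for branches the table does not cover, which need a
    separate assessment rather than a silent pass."""
    v = parse_version(version)
    if v[0] >= 3001:
        return False
    if v[0] == 3000:
        return v < FIXED["3000"]
    if v[:2] == (2019, 2):
        return v < FIXED["2019.2"]
    if v[:2] == (2018, 3):
        return v < FIXED["2018.3"]
    return None


def nft_allowlist(minion_ips, table="salt"):
    """nftables ruleset that admits the Salt ports only from known minions and
    drops everything else on them. IPv4 only (an assumption of this example);
    the table name is arbitrary."""
    addrs = []
    for ip in minion_ips:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            raise ValueError(f"IPv4 addresses only in this example: {ip}")
        addrs.append(addr)
    if not addrs:
        raise ValueError("empty allowlist would make the set clause invalid")
    elems = ", ".join(str(a) for a in sorted(set(addrs)))
    ports = ", ".join(str(p) for p in SALT_PORTS)
    return "\n".join([
        f"table inet {table} {{",
        f"  set minions {{ type ipv4_addr; elements = {{ {elems} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {{ {ports} }} ip saddr @minions accept",
        f"    tcp dport {{ {ports} }} drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for ver in ("2018.3.6", "2019.2.4", "3000.1", "3001", "2017.7.8"):
        print(f"{ver:>10}: vulnerable={is_vulnerable(ver)}")
    # Constructed minion addresses for demonstration.
    print(nft_allowlist(["10.0.1.20", "10.0.1.10"]))
```

The ruleset is meant to be loaded with `nft -f` after review; the explicit `drop` on the two ports is what enforces the "never internet-accessible" rule from the remediation list even on a host whose default input policy is accept.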
Technical Details
The salt-master uses ZeroMQ for communication and exposes a ClearFuncs class for handling certain unauthenticated pre-auth operations. Due to improper method access validation, an unauthenticated attacker can call any method on ClearFuncs — including:
- `_prep_auth_info()`: Returns the salt-master's root authentication key. With this key, an attacker can authenticate as root to the salt-master.
- `_send_pub()`: Allows sending arbitrary publish events to connected minions, triggering command execution.
The attack sequence:
- Connect to salt-master port 4506 (ZeroMQ ROUTER socket)
- Call `_prep_auth_info()` to obtain the root authentication token — no credentials needed
- Use the root token to authenticate and issue commands via the master's regular command execution interface
- Commands execute as root on every connected salt-minion
CVE-2020-11652 (companion vulnerability) allows reading arbitrary files from the salt-master filesystem (including /etc/shadow, SSH keys, and other credential files) without authentication.
Discovery
Joona Hoikkala and other researchers at F-Secure discovered both CVE-2020-11651 and CVE-2020-11652 and coordinated disclosure with SaltStack. Patches were released April 30, 2020. Within three days, widespread exploitation had begun.
Exploitation Context
Mass exploitation started almost immediately after public disclosure. Notable incidents within the first week:
- LineageOS (Android distribution): Salt-master compromised; source code build infrastructure accessed
- Ghost CMS (hosted platform): Customer data potentially exposed
- DigiCert internal infrastructure: Reported compromise
Exploitation included XMRig cryptomining malware, Tsunami/Kaiten IRC botnet installation, and deployment of persistent backdoors across all managed minions. The ability to achieve root on every managed server from a single compromised salt-master made this uniquely destructive.
A Shodan scan at the time found approximately 6,000 salt-masters with port 4506 exposed to the internet.
Remediation
- Upgrade Salt: Apply Salt 3000.2, 2019.2.4, 2018.3.7, or later immediately.
- Firewall salt-master ports: Ports 4505 and 4506 should never be internet-accessible. Restrict to known minion IP addresses via firewall rules — the minion list is finite and known.
- Audit all minions for compromise: If the salt-master was exposed without patching between April 30 and your patch date, assume all minions are compromised. Look for new cron jobs, SSH keys, mining processes (`xmrig`, `kswapd0`), and IRC/bot processes.
- Rotate credentials: Rotate all secrets that the salt-master had access to — SSL certificates, database passwords, cloud API keys, SSH private keys.
- Keep minion authentication enabled: Ensure `open_mode` is not set to `True` in the salt-master configuration, since open mode makes the master accept every minion key without acceptance.
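The minion audit and the `open_mode` check above can be scripted against snapshots taken from each host. The following is an added example, not Salt Project code: it flags the two miner process names from the list, diffs crontabs and `authorized_keys` against a pre-exposure baseline, and scans a master config for a top-level `open_mode` set to a YAML true value. One caveat it handles that a naive name match misses: the real `kswapd0` is a kernel thread (parent `kthreadd`, pid 2, no executable on disk), so only a `kswapd0` with a userland parent or an exe path is treated as the miner. All process, cron, key and config snapshots in the block are constructed sample data, and the config scan assumes a flat top-level key rather than a full YAML parse.

```python
"""Post-exposure triage helpers for Salt minions and the master config.
Added example, not Salt Project code. The indicator names (xmrig, kswapd0,
new cron jobs and SSH keys, open_mode) are the ones in the remediation list;
every snapshot below is constructed sample data, not a real capture."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str   # process name as shown by ps
    exe: str    # resolved /proc/<pid>/exe, '' for kernel threads


def suspicious_processes(procs):
    """Flag xmrig, and kswapd0 lookalikes. The real kswapd0 is a kernel thread:
    its parent is kthreadd (pid 2) and it has no executable on disk. A kswapd0
    with a userland parent or an exe path is a miner wearing the name."""
    hits = []
    for p in procs:
        if p.comm == "xmrig":
            hits.append((p.pid, f"xmrig miner at {p.exe or 'unknown path'}"))
        elif p.comm == "kswapd0" and (p.ppid != 2 or p.exe):
            hits.append((p.pid, f"fake kswapd0 backed by {p.exe or 'unknown path'}"))
    return hits


def new_entries(current, baseline):
    """Lines present in the current crontab or authorized_keys file but not in
    the pre-exposure baseline; blank lines and comments are ignored."""
    def lines(text):
        return [ln.strip() for ln in text.splitlines()
                if ln.strip() and not ln.lstrip().startswith("#")]
    known = set(lines(baseline))
    return [ln for ln in lines(current) if ln not in known]


def open_mode_enabled(config_text):
    """True if the master config's top-level open_mode key resolves to a YAML 1.1
    true value. Line scan rather than a YAML parser (assumption: flat key at
    column 0); commented-out lines are skipped and the last definition wins."""
    value = None
    for line in config_text.splitlines():
        m = re.match(r"^open_mode\s*:\s*([^\s#]+)", line)
        if m:
            value = m.group(1).lower()
    return value in {"true", "yes", "on"}


# Constructed snapshots (not real captures).
PROCS = [
    Proc(2, 0, "kthreadd", ""),
    Proc(37, 2, "kswapd0", ""),                    # genuine kernel thread
    Proc(4211, 1, "kswapd0", "/tmp/.x/kswapd0"),   # miner using the name
    Proc(4300, 1, "xmrig", "/var/tmp/xmrig"),
]
BASELINE_CRON = "0 3 * * * /usr/local/bin/backup.sh\n"
CURRENT_CRON = BASELINE_CRON + "*/10 * * * * /tmp/.x/kswapd0 >/dev/null 2>&1\n"
BASELINE_KEYS = "ssh-ed25519 AAAAC3CONSTRUCTEDKEY1 ops@deploy\n"
CURRENT_KEYS = BASELINE_KEYS + "ssh-rsa AAAAB3CONSTRUCTEDKEY2 nobody@nowhere\n"
MASTER_CONFIG = "interface: 0.0.0.0\n#open_mode: False\nopen_mode: True\n"


def triage(procs, cron, cron_base, keys, keys_base, master_config):
    """Collect findings into one list of (category, detail) tuples."""
    findings = [("process", d) for _, d in suspicious_processes(procs)]
    findings += [("cron", ln) for ln in new_entries(cron, cron_base)]
    findings += [("ssh-key", ln) for ln in new_entries(keys, keys_base)]
    if open_mode_enabled(master_config):
        findings.append(("master-config",
                         "open_mode: True accepts every minion key without acceptance"))
    return findings


if __name__ == "__main__":
    for cat, detail in triage(PROCS, CURRENT_CRON, BASELINE_CRON,
                              CURRENT_KEYS, BASELINE_KEYS, MASTER_CONFIG):
        print(f"[{cat}] {detail}")
```

Feeding real hosts means collecting `ps -eo pid,ppid,comm` plus `/proc/<pid>/exe` links, `crontab -l` for each user and the system cron directories, and every `authorized_keys` file; the baseline snapshots must come from before the exposure window, otherwise a backdoor already present in the "known" set is never reported.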
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-11651 |
| Vendor / Product | SaltStack — Salt |
| NVD Published | 2020-04-30 |
| NVD Last Modified | 2025-11-07 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2020-04-30 | SaltStack releases patch (Salt 3000.2, 2019.2.4, 2018.3.7); F-Secure publishes advisory |
| 2020-05-03 | Mass exploitation begins; cryptomining malware and botnets deployed at scale |
| 2020-05-07 | LineageOS, Ghost CMS, DigiCert infrastructure reported compromised via CVE-2020-11651 |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| SaltStack Salt Release Notes 3000.2 — Security Fix | Vendor Advisory |
| NVD — CVE-2020-11651 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| F-Secure Advisory — SaltStack Authorization Bypass | Security Research |